Apple sandbox entitlements
These aren’t the droids you’re looking for.

Yesterday Apple released iOS 13.5 beta 3 (seemingly renaming iOS 13.4.5 to 13.5 there), and that killed one of my bugs. It wasn’t just any bug though, it was the first 0day I had ever found. Not necessarily for how much it gives you, but certainly for how much I’ve used it for, and also for how ridiculously simple it is. So simple, in fact, that the PoC I tweeted out looks like an absolute joke.

I dubbed it “psychic paper” because, just like the item by that name that Doctor Who likes to carry, it allows you to get past security checks and make others believe you have a wide range of credentials that you shouldn’t have.

In contrast to virtually any other bug and any other exploit I’ve had to do with, this one should be understandable without any background knowledge in iOS and/or exploitation. In that spirit, I’ll also try and write this post in a manner that assumes no iOS- or exploitation-specific knowledge. I do expect you however to loosely know what XML, public key encryption and hashes are, and understanding C code is certainly a big advantage.

Now, XML is horrible to parse for reasons this XKCD illustrates beautifully:

So yeah, you can construct matched, even, the list simply doesn’t end. The full XML specification contains a lot more, but a) that’s irrelevant to us, and b) nobody should ever be forced to read that. This makes XML a format that’s excruciatingly hard to parse correctly, which will become relevant in a bit.

Now building on XML, we have “property list”, or “plist” for short: yet another general-purpose format for storing serialised data. Plist files exist in a bunch of different forms, but the only two that you’ll realistically see in an Apple ecosystem are the “bplist” binary format, which is out of scope for this post, and the XML-based format. You have arrays, dictionaries with key -> value pairs, strings, numbers, etc. A valid XML plist can look something like this: