9 comments

[ 3.8 ms ] story [ 28.0 ms ] thread
Note that this is not a jail-broken iPhone. This is a regular iPhone with latest OS with code signing.
I enjoy the idea of return oriented programming, piecing together an exploit from your host app's binary.

Worth noting that they didn't break out of the sandbox, an app downloaded from the App Store could get access to the same data they did.

Did they ROP the iPhone, or was is a straight-up ret2libc? Ret2libc is an ancient technique.
More details here http://blog.zynamics.com/ tomorrow - doesn't sound like it is straight up, depends what they mean by "chained".
Ok, it sounds like Halvar is just rejecting the term ROP, and you're right, that's what it is.
Not so much hijacked as it was downloaded to the server...
But hey, at least Apple saved a few bounds checks before memory writes!
I almost skipped this article assuming it was one of these "hacks that's not a hack" kind of things. This is a pretty major security issue, especially since the hack is claimed to potentially expose email as well. The Exchange server integration means some pretty sophisticated phishing could be done to get access to confidential info. Hope Apple patches this flaw fast.