The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Talk:ARM7 Go
Vulnerability vs. Exploit and Credits
@Chronic: I'm fine with you adding that you found it independently, but you have to be careful with the wording in general. It seems there are a great deal of misusages of the word "exploit" vs. vulnerability in this community. So if you don't mind, I'd like to clarify:
A vulnerability is the actual bug/security hole, whereas an exploit is the actual implementation which allows one to exploit the vulnerability.
For instance in the following sentence from the wiki: "The actual exploit is that, in the iPod Touch 2G 2.1.1 firmware, they left behind two commands: arm7_stop and arm7_go", the word "exploit" is not used properly. You are here talking about the vulnerability, not the exploit.
In my opinion, credits for vulnerability and exploit should be separated in general (I'm not talking about this one in particular, but I'm talking about vuln/exploit in general). One can find a vulnerability without exploiting it (because he doesn't want to, doesn't have the time, or it's too complicated and he doesn't manage actually to exploit it), and likewise someone can implement an actual exploit without discovering the initial vulnerability. IMHO, most of the time, the exploit is where the skills really are, because it's one thing to understand why something is a security vulnerability, it's often another to make it actually real with a POC code (because of sanity checks, checking, filters and so on). Although sometimes, I do agree that finding the vulnerability itself requires mad skillz (as an example, prop' to Bleichenbacher for finding his RSA attack), it is my belief that most of the time, the exploit is where the difficulty lies.
Anyway, I think this page contains misusage of the word exploit, and other pages too, and I just wanted to point it.
Theres one thing to be said for finding a vuln and seeing it crash, sure, thats usually not where the skill is and I'm not sure how much credit it deserves. But after an exploit is out using the vuln, it's a lot easier to get yourself to write another exploit since you have confirmation that the vuln is exploitable. The iBoot envvar one happened to be reasonably easy to find yet reasonably hard to exploit. If you really had your exploit working pre ra1n then props. But if you wrote an exploit post ra1n it's a lot easier knowing that this vuln can work. --geohot 18:44, 7 July 2009 (UTC)
iZsh, when I wrote this article I was a little less experienced, and have adjusted it a bit. That being said, if you check the chronic dev google code svn, you will see that I did implement it in a payload called "0wnboot". But yes, I did confuse the "exploit" and "vulnerability" definitions. ChronicDev 19:16, 7 July 2009 (UTC)