14th August 2011

Anatomy of an Exploit

Here is Charlie Miller describing how a minor bug is exploited to then take advantage of another bug to bypass security. This is how iOS is jailbroken. I think if you ignore what you don’t understand (“state machine”, “end of the buffer”, etc.) it’s a great description of how it takes a chain of unlikely things to do these exploits. It testifies to both the cleverness of the people doing the attack and the difficulty of avoiding these problems.

The exploit is delivered via a PDF file, but the underlying vulnerability is in how it parses a font that is embedded in the PDF. This “malicious” font could have been delivered in ways besides PDF files. Anyway, it is a very clever exploit. The bug is in this little state machine that is processing the font. The bug allows the attacker to change where the program thinks the end of the buffer where the state machine is operating is located to beyond where it is supposed to be. Then the state machine can operate on parts of memory it is not supposed to while processing the font. This allows it to corrupt memory (to get control of the process) as well as read and operate on values from memory (which allows it to bypass ASLR, allowing it to find some executable code to use). At that point, it reuses the existing code fragments it wants (this technique is called return oriented programming) to launch a second exploit against a different vulnerability to escape the iOS sandbox, get root, disable code signing, and finally jailbreak the phone. (Emphasis added)
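The first link in the chain Miller describes is an end-of-buffer marker that the parser derives from data it does not control. The toy table walker below is an added example, not code from this post or from Miller, and not the real iOS font parser: a constructed two-byte length header is used to place the end marker, once trusting the header (the pattern that lets a walker run past its buffer) and once checked against the bytes actually received.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed toy "font table": two-byte big-endian declared length,
 * then the bytes a tiny interpreter walks. Hypothetical format. */
static const uint8_t BAD_TABLE[]  = { 0xFF, 0xFF, 0x01, 0x02 };      /* claims 65535 bytes, carries 2 */
static const uint8_t GOOD_TABLE[] = { 0x00, 0x04, 0x01, 0x05, 0x02, 0x03 };
static const uint8_t CUT_TABLE[]  = { 0x00, 0x03, 0x01, 0x05, 0x02 }; /* last instruction lacks its operand */

/* Vulnerable pattern: the end marker comes straight from attacker-controlled
 * data, so the walker is told the buffer extends further than it really does. */
size_t table_end_trusting(const uint8_t *buf, size_t buf_len) {
    (void)buf_len;                                   /* real length never consulted */
    return 2 + (((size_t)buf[0] << 8) | buf[1]);
}

/* Hardened: the declared length must fit inside the bytes actually received. */
bool table_end_checked(const uint8_t *buf, size_t buf_len, size_t *end) {
    if (buf_len < 2) return false;
    size_t declared = ((size_t)buf[0] << 8) | buf[1];
    if (declared > buf_len - 2) return false;        /* header lies about the buffer */
    *end = 2 + declared;
    return true;
}

/* Two-opcode interpreter: 0x01 <n> adds n, 0x02 <n> multiplies by n.
 * Every operand fetch is checked against `end`, so a truncated
 * instruction is rejected instead of being read from past the table. */
int walk_table(const uint8_t *buf, size_t end, bool *ok) {
    int acc = 0;
    size_t pc = 2;
    *ok = true;
    while (pc < end) {
        if (pc + 1 >= end) { *ok = false; return acc; }   /* operand would lie past end */
        uint8_t op = buf[pc], arg = buf[pc + 1];
        if (op == 0x01) acc += arg;
        else if (op == 0x02) acc *= arg;
        else { *ok = false; return acc; }               /* unknown opcode */
        pc += 2;
    }
    return acc;
}

/* Parse using only the checked end marker; -1 means the table was rejected. */
int parse_font_table(const uint8_t *buf, size_t buf_len) {
    size_t end;
    bool ok;
    if (!table_end_checked(buf, buf_len, &end)) return -1;
    int value = walk_table(buf, end, &ok);
    return ok ? value : -1;
}
```

With the trusting version, BAD_TABLE yields an end marker of 65537 for a four-byte buffer, which is exactly the situation that lets a state machine read and write memory it was never meant to touch; the checked version rejects it before the walker runs.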

Source: tomshardware.com