Re: [Full-disclosure] On the iPhone PDF and kernel exploit
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] On the iPhone PDF and kernel exploit
- From: Jose Miguel Esparza <josemiguel.esparza@xxxxxxxxx>
- Date: Fri, 06 Aug 2010 10:14:25 +0200
Hi!
I took a look at the PDF some days ago, looking for the PDF vuln, you
can see my post about it here:
http://eternal-todo.com/blog/jailbreakme-pdf-exploit
Anyway, I continue analysing it...
Cheers!
Jose Miguel Esparza
http://eternal-todo.com
On 05/08/10 11:13, Ryan Sears wrote:
> Well I'm no expert but I'm going to see if I can reverse engineer the PDFs
> used for jailbreaking (obviously I'd need an ARM assembly book or someone who
> knows it :-P) and figure out exactly what they're doing. I agree with what was
> said earlier, I'm not saying they're doing something malicious, but if I
> wanted to backdoor thousands of phones this is how I'D do it.
>
> Either way anyone interested in doing the same I've discovered that the
> webserver (lighttpd 1.4.19) drops the index if you GET a null byte.
>
> http://www.jailbreakme.com/%00
>
> *NOTE* Doesn't work in chrome
>
> I'll post if I *do* actually find something interesting, but like I said -
> I'm no expert on REing PDFs. If anyone has any good tools (I remember there
> was a PDF analysis framework released a while ago - I just don't remember
> what it was called) please let me know!
>
> Also if anyone knows how to get in contact with any of the admins for the
> site (or anyone who runs it for that matter) please either let me know or let
> them know. Nobody likes a null byte flaw on their server - the only reason
> I'm disclosing this here right now is because as far as I know it only allows
> indexing of the jailbreak PDFs which could aid the community in verifying
> there is nothing malicious going on.
>
> When they do patch it (IF they do) I'll be glad to send you all the PDFs if
> you're interested in working on them - just email me.
>
> For now I've put together a one-liner to grab all of them, I'm sure there's a
> more elegant way to get them, but this works:
> for i in `curl http://www.jailbreakme.com/%00/ | cut -d '=' -f 3 | grep pdf |
> cut -b 2- | cut -d '"' -f1`; do wget -nv http://www.jailbreakme.com/%00/$i;
> done
>
> Ryan Sears
> ----- Original Message -----
> From: "Pablo Ximenes" <pablo@xxxxxxxx>
> To: "Marcello Barnaba (void)" <vjt@xxxxxxxxxx>
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Sent: Wednesday, August 4, 2010 1:56:47 PM GMT -05:00 US/Canada Eastern
> Subject: Re: [Full-disclosure] On the iPhone PDF and kernel exploit
>
>
> I believe Jailbreakme.com is just resurfacing, as it used to be used back in
> the days of the first gen iPhone also for jailbreaking. So, it's not exactly
> the first time this is happening.
>
> []'s
>
> Pablo Ximenes
> (aka brasuco)
>
>
> 2010/8/4 Marcello Barnaba (void) <vjt@xxxxxxxxxx>
>
>
> For the first time in my life, a 0-day exploiting remote code execution,
> sandbox escaping and privilege escalation has been packaged for general
> user consumption via a web site ( http://jailbreakme.com ). The actual
> pdf exploit can be downloaded here: http://jailbreakme.com/_/ .
>
> What puzzles me is.. no notices here on FD, no info on Bugtraq, no CVE,
> no press release by the CERT, as of now.
>
> The cat & mouse game played by the iPhone dev team and Apple is done to
> liberate our devices from useless restrictions, but the whole point for
> them to exist is because said devices live in a walled garden, that is
> really useful only to the company behind it.
>
> I've posted more thoughts and the few technical details I was able to
> gather (from a tweet!) here:
>
> http://sindro.me/2010/8/4/on-the-iphone-pdf-and-kernel-exploit
>
> What do you think? Did someone reverse engineer the exploit?
>
> ~Marcello
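As an added example (not part of this thread or of any of the posters' code), a defender-side check for the behaviour Ryan describes: scan web-server access logs for request paths that percent-decode to a NUL byte, including the double-encoded form %2500, and record which of those requests the server answered with 200 instead of rejecting. The log lines are constructed for the example and the regex assumes Common Log Format, as lighttpd and Apache write it.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); IPs and file names are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Aug/2010:11:13:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [05/Aug/2010:11:13:05 +0000] "GET /%00 HTTP/1.1" 200 4096
203.0.113.9 - - [05/Aug/2010:11:14:22 +0000] "GET /%00/example.pdf HTTP/1.1" 200 90112
198.51.100.4 - - [05/Aug/2010:11:15:00 +0000] "GET /%2500/ HTTP/1.1" 404 345
198.51.100.4 - - [05/Aug/2010:11:15:03 +0000] "GET /static/logo.png HTTP/1.1" 200 2048
"""

# ip, ident, user, [timestamp], "METHOD path PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly (bounded) so that %2500 -> %00 -> NUL is caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_null_byte_requests(log_text):
    """Return (client_ip, raw_path, status) for every request whose path decodes to contain NUL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        raw_path = m.group("path")
        if "\x00" in decode_fully(raw_path):
            hits.append((m.group("ip"), raw_path, int(m.group("status"))))
    return hits


def served_with_200(hits):
    """Subset of hits the server answered successfully: the ones worth escalating first."""
    return [h for h in hits if h[2] == 200]


if __name__ == "__main__":
    for ip, path, status in find_null_byte_requests(SAMPLE_LOG):
        print(f"{ip} requested {path!r} -> {status}")
```

A 404 on such a request still shows someone probing; a 200 means the server handed back content for a path it should have rejected, which is the condition worth alerting on.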
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/