Re: On the iPhone PDF and kernel exploit

[Jose Miguel Esparza <josemiguel.esparza () gmail com>]

Hi!

I took a look at the PDF some days ago, looking for the PDF vuln, you
can see my post  about it here:

http://eternal-todo.com/blog/jailbreakme-pdf-exploit

Anyway, I continue analysing it...


Cheers!


Jose Miguel Esparza
http://eternal-todo.com

El 05/08/10 11:13, Ryan Sears escribió:
> Well I'm no expert but I'm going to see if I can reverse engineer the PDFs used for jailbreaking (obviously I'd need 
> an ARM assembly book or someone who knows it :-P) and figure out exactly what they're doing. I agree with was said 
> earlier, I'm not saying they're doing something malicious, but if I wanted to backdoor thousands of phones this is 
> how I'D do it. 
>
> Either way anyone interested in doing the same I've discovered that the webserver (lighthttpd 1.4.19) drops the index 
> if you GET a null byte. 
>
> http://www.jailbreakme.com/%00
>
> *NOTE* Doesn't work in chrome
>
> I'll post if I *do* actually find something interesting, but like I said - I'm no expert on REing PDFs. If anyone has 
> any good tools (I remember there was a PDF analysis framework released a while ago - I just don't remember what it 
> was called) please let me know! 
>
> Also if anyone knows how to get in contact with any of the admins for the site (or anyone who runs it for that 
> matter) please either let me know or let them know. Nobody likes a null byte flaw on thier server - the only reason 
> I'm disclosing this here right now is because as far as I know it only allows indexing of the jailbreak PDFs which 
> could aid the community in verifying there is nothing malicious going on.
>
> When they do patch it (IF they do) I'll be glad to send you all the PDFs if you're intereted in working on them - 
> just email me. 
>
> For now I've put together a one-liner to grab all of them, I'm sure there's a more elegant way to get them, but this 
> works:
> for i in `curl http://www.jailbreakme.com/%00/ | cut -d '=' -f 3 | grep pdf | cut -b 2- | cut -d '"' -f1`; do wget 
> -nv http://www.jailbreakme.com/%00/$i; done
>
> Ryan Sears
> ----- Original Message -----
> From: "Pablo Ximenes" <pablo () ximen es>
> To: "Marcello Barnaba (void)" <vjt () openssl it>
> Cc: full-disclosure () lists grok org uk
> Sent: Wednesday, August 4, 2010 1:56:47 PM GMT -05:00 US/Canada Eastern
> Subject: Re: [Full-disclosure] On the iPhone PDF and kernel exploit
>
>
> I believe Jailbreakme.com is just REsurfacing,as it used to be used back in the days of the first gen iPhone also for 
> jailbreaking. So, it's not excatly the first time this is happening. 
>
> []'s 
>
> Pablo Ximenes 
> (aka brasuco) 
>
>
> 2010/8/4 Marcello Barnaba (void) < vjt () openssl it > 
>
>
> For the first time in my life, a 0-day exploiting remote code execution, 
> sandbox escaping and privilege escalation has been packaged for general 
> user consumption via a web site ( http://jailbreakme.com ). The actual 
> pdf exploit can be downloaded here: http://jailbreakme.com/_/ . 
>
> What puzzles me is.. no notices here on FD, no info on Bugtraq, no CVE, 
> no press release by the CERT, as of now. 
>
> The cat & mouse game played by the iPhone dev team and Apple is done to 
> liberate our devices from useless restrictions, but the whole point for 
> them to exist is because said devices live in a walled garden, that is 
> really useful only to the company behind it. 
>
> I've posted more thougths and the few technical details I was able to 
> gather (from a tweet!) here: 
>
> http://sindro.me/2010/8/4/on-the-iphone-pdf-and-kernel-exploit 
>
> What do you think? Did someone reverse engineer the exploit? 
>
> ~Marcello 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/