Full Disclosure mailing list archives

Re: On the iPhone PDF and kernel exploit

From: Benji <me () b3nji com>
Date: Thu, 5 Aug 2010 12:01:59 +0100

.. surely if this was the index of webroot we'd see faq.html etc? are
we sure that this isnt infact a purpose made folder?

On Thu, Aug 5, 2010 at 11:59 AM, Mario Vilas <mvilas () gmail com> wrote:

http://jailbreakme.com/_/ gives me a 404 Not Found error.

There were a few vulnerabilities in lighthttpd related to the %00 character
but after googling a while I couldn't find this particular one. I guess it's
worth reporting if this still works in the current version (1.5.0).
On Thu, Aug 5, 2010 at 12:04 PM, Sabahattin Gucukoglu
<mail () sabahattin-gucukoglu com> wrote:


On 5 Aug 2010, at 10:13, Ryan Sears wrote:
Well I'm no expert but I'm going to see if I can reverse engineer the PDFs
used for jailbreaking (obviously I'd need an ARM assembly book or someone
who knows it :-P) and figure out exactly what they're doing. I agree with
was said earlier, I'm not saying they're doing something malicious, but if I
wanted to backdoor thousands of phones this is how I'D do it.

It didn't work for me.  I use VoiceOver, which didn't like the (fake)
slider implemented in javascript, so I had to spoof the UA on a Mac, grab
the source, inspect it, grab the PDF, email it to myself ... it didn't work.
:-(  iPhone 3GS = 2,1, yes?

Either way anyone interested in doing the same I've discovered that the
webserver (lighthttpd 1.4.19) drops the index if you GET a null byte.

http://www.jailbreakme.com/%00


Nice, did you just try it in case it might work, or does this constitute a
vuln that wants fixing in current lighttpd?  It's just that indexing happens
to be enabled on http://jailbreakme.com/_/ too.


Also if anyone knows how to get in contact with any of the admins for
the site (or anyone who runs it for that matter) please either let me know
or let them know.


Ditto, thanks.

Cheers,
Sabahattin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
HONEY: I want to… put some powder on my nose.
GEORGE: Martha, won’t you show her where we keep the euphemism?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

On the iPhone PDF and kernel exploit Marcello Barnaba (void) (Aug 04)
- Re: On the iPhone PDF and kernel exploit Zach C (Aug 04)
- Re: On the iPhone PDF and kernel exploit Pablo Ximenes (Aug 04)
  - Re: On the iPhone PDF and kernel exploit Marcello Barnaba (void) (Aug 04)
  - Re: On the iPhone PDF and kernel exploit Ryan Sears (Aug 05)
    - Re: On the iPhone PDF and kernel exploit Sabahattin Gucukoglu (Aug 05)
    - Re: On the iPhone PDF and kernel exploit Mario Vilas (Aug 05)
    - Re: On the iPhone PDF and kernel exploit Benji (Aug 05)
    - Re: On the iPhone PDF and kernel exploit Sagar Belure (Aug 05)
    - Re: On the iPhone PDF and kernel exploit Jose Miguel Esparza (Aug 06)
    - Re: On the iPhone PDF and kernel exploit Robert Święcki (Aug 06)
    - Re: On the iPhone PDF and kernel exploit Jose Miguel Esparza (Aug 06)
    - Re: On the iPhone PDF and kernel exploit Jose Miguel Esparza (Aug 24)