Full Disclosure mailing list archives

Re: On the iPhone PDF and kernel exploit

From: Sagar Belure <sagar.belure () gmail com>
Date: Thu, 5 Aug 2010 16:31:12 +0530

On Thu, Aug 5, 2010 at 2:43 PM, Ryan Sears <rdsears () mtu edu> wrote:

Well I'm no expert but I'm going to see if I can reverse engineer the PDFs
used for jailbreaking (obviously I'd need an ARM assembly book or someone
who knows it :-P) and figure out exactly what they're doing. I agree with
was said earlier, I'm not saying they're doing something malicious, but if I
wanted to backdoor thousands of phones this is how I'D do it.

Either way anyone interested in doing the same I've discovered that the
webserver (lighthttpd 1.4.19) drops the index if you GET a null byte.

http://www.jailbreakme.com/%00

*NOTE* Doesn't work in chrome


Well, it is a "HTTP/1.1 301 Moved Permanently" reply, not a vulnerability.
Server seems to be configured in such a way that any unrecognized characters
after / will redirect to http://www.jailbreakme.com/_/


I'll post if I *do* actually find something interesting, but like I said -
I'm no expert on REing PDFs. If anyone has any good tools (I remember there
was a PDF analysis framework released a while ago - I just don't remember
what it was called) please let me know!


Origami?
http://seclabs.org/origami/


Also if anyone knows how to get in contact with any of the admins for the
site (or anyone who runs it for that matter) please either let me know or
let them know. Nobody likes a null byte flaw on thier server - the only
reason I'm disclosing this here right now is because as far as I know it
only allows indexing of the jailbreak PDFs which could aid the community in
verifying there is nothing malicious going on.

When they do patch it (IF they do) I'll be glad to send you all the PDFs if
you're intereted in working on them - just email me.

For now I've put together a one-liner to grab all of them, I'm sure there's
a more elegant way to get them, but this works:
for i in `curl http://www.jailbreakme.com/%00/ | cut -d '=' -f 3 | grep
pdf | cut -b 2- | cut -d '"' -f1`; do wget -nv
http://www.jailbreakme.com/%00/$i;


wget -r -l 1 http://www.jailbreakme.com/_/

....Done!

-- 
Thanks,
Sagar Belure
Security Analyst
Secfence Technologies
www.secfence.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

On the iPhone PDF and kernel exploit Marcello Barnaba (void) (Aug 04)
- Re: On the iPhone PDF and kernel exploit Zach C (Aug 04)
- Re: On the iPhone PDF and kernel exploit Pablo Ximenes (Aug 04)
  - Re: On the iPhone PDF and kernel exploit Marcello Barnaba (void) (Aug 04)
  - Re: On the iPhone PDF and kernel exploit Ryan Sears (Aug 05)
    - Re: On the iPhone PDF and kernel exploit Sabahattin Gucukoglu (Aug 05)
    - Re: On the iPhone PDF and kernel exploit Mario Vilas (Aug 05)
    - Re: On the iPhone PDF and kernel exploit Benji (Aug 05)
    - Re: On the iPhone PDF and kernel exploit Sagar Belure (Aug 05)
    - Re: On the iPhone PDF and kernel exploit Jose Miguel Esparza (Aug 06)
    - Re: On the iPhone PDF and kernel exploit Robert Święcki (Aug 06)
    - Re: On the iPhone PDF and kernel exploit Jose Miguel Esparza (Aug 06)
    - Re: On the iPhone PDF and kernel exploit Jose Miguel Esparza (Aug 24)