Full Disclosure mailing list archives
Re: On the iPhone PDF and kernel exploit
From: Sagar Belure <sagar.belure () gmail com>
Date: Thu, 5 Aug 2010 16:31:12 +0530
On Thu, Aug 5, 2010 at 2:43 PM, Ryan Sears <rdsears () mtu edu> wrote:
> Well I'm no expert but I'm going to see if I can reverse engineer the PDFs used for jailbreaking (obviously I'd need an ARM assembly book or someone who knows it :-P) and figure out exactly what they're doing. I agree with what was said earlier, I'm not saying they're doing something malicious, but if I wanted to backdoor thousands of phones this is how I'D do it. Either way anyone interested in doing the same I've discovered that the webserver (lighttpd 1.4.19) drops the index if you GET a null byte. http://www.jailbreakme.com/%00 *NOTE* Doesn't work in chrome
Well, it is a "HTTP/1.1 301 Moved Permanently" reply, not a vulnerability. Server seems to be configured in such a way that any unrecognized characters after / will redirect to http://www.jailbreakme.com/_/
> I'll post if I *do* actually find something interesting, but like I said - I'm no expert on REing PDFs. If anyone has any good tools (I remember there was a PDF analysis framework released a while ago - I just don't remember what it was called) please let me know!
Origami? http://seclabs.org/origami/
> Also if anyone knows how to get in contact with any of the admins for the site (or anyone who runs it for that matter) please either let me know or let them know. Nobody likes a null byte flaw on their server - the only reason I'm disclosing this here right now is because as far as I know it only allows indexing of the jailbreak PDFs which could aid the community in verifying there is nothing malicious going on. When they do patch it (IF they do) I'll be glad to send you all the PDFs if you're interested in working on them - just email me. For now I've put together a one-liner to grab all of them, I'm sure there's a more elegant way to get them, but this works:
>
> for i in `curl http://www.jailbreakme.com/%00/ | cut -d '=' -f 3 | grep pdf | cut -b 2- | cut -d '"' -f1`; do wget -nv http://www.jailbreakme.com/%00/$i; done
wget -r -l 1 http://www.jailbreakme.com/_/ ....Done!

--
Thanks,
Sagar Belure
Security Analyst
Secfence Technologies
www.secfence.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
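A more robust version of the PDF-grabbing step discussed above, added here as an example and not code from either poster: it parses a lighttpd-style "Index of" page with a real HTML parser instead of the cut/grep chain, and sanity-checks that a fetched body is actually a PDF before handing it to an analysis tool such as Origami. The index HTML below is constructed for the example, not captured from the site.

```python
"""Extract .pdf links from a directory index page and verify downloaded bodies."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample of a lighttpd "Index of" page (assumption: not a real capture).
SAMPLE_INDEX = """<html><head><title>Index of /_/</title></head><body>
<h2>Index of /_/</h2><pre>
<a href="../">Parent Directory</a>
<a href="iPhone1,1_3.1.2.pdf">iPhone1,1_3.1.2.pdf</a>  2010-Aug-02  42.0K
<a href="iPad1,1_3.2.pdf?C=M;O=A">iPad1,1_3.2.pdf</a>
<a href="notes.txt">notes.txt</a>
</pre></body></html>"""


class LinkExtractor(HTMLParser):
    """Collect every href attribute found on <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def pdf_links(index_html, base_url):
    """Return absolute URLs of .pdf entries; drops query strings, parent links, duplicates."""
    parser = LinkExtractor()
    parser.feed(index_html)
    urls = []
    for href in parser.hrefs:
        path = href.split("?", 1)[0]          # ignore sort parameters like ?C=M;O=A
        if path.lower().endswith(".pdf"):
            url = urljoin(base_url, path)
            if url not in urls:
                urls.append(url)
    return urls


def looks_like_pdf(body):
    """Cheap check before analysis: a PDF file starts with the '%PDF-' header."""
    return body[:5] == b"%PDF-"


if __name__ == "__main__":
    # Real use: urllib.request.urlopen(url).read() follows the 301 mentioned in the
    # thread; run looks_like_pdf() on each body before passing it to a PDF analyser.
    for url in pdf_links(SAMPLE_INDEX, "http://www.jailbreakme.com/_/"):
        print(url)
```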