Hi!

I took a look at the PDF some days ago, looking for the PDF vuln, you
can see my post about it here:

http://eternal-todo.com/blog/jailbreakme-pdf-exploit

Anyway, I'm continuing to analyse it...


Cheers!


Jose Miguel Esparza
http://eternal-todo.com

On 05/08/10 11:13, Ryan Sears wrote:
> Well I'm no expert but I'm going to see if I can reverse engineer the PDFs 
> used for jailbreaking (obviously I'd need an ARM assembly book or someone who 
> knows it :-P) and figure out exactly what they're doing. I agree with what was 
> said earlier, I'm not saying they're doing something malicious, but if I 
> wanted to backdoor thousands of phones this is how I'D do it. 
>
> Either way, anyone interested in doing the same: I've discovered that the 
> webserver (lighttpd 1.4.19) drops the index if you GET a null byte. 
>
> http://www.jailbreakme.com/%00
>
> *NOTE* Doesn't work in chrome
>
> I'll post if I *do* actually find something interesting, but like I said - 
> I'm no expert on REing PDFs. If anyone has any good tools (I remember there 
> was a PDF analysis framework released a while ago - I just don't remember 
> what it was called) please let me know! 
>
> Also if anyone knows how to get in contact with any of the admins for the 
> site (or anyone who runs it for that matter) please either let me know or let 
> them know. Nobody likes a null byte flaw on their server - the only reason 
> I'm disclosing this here right now is because as far as I know it only allows 
> indexing of the jailbreak PDFs which could aid the community in verifying 
> there is nothing malicious going on.
>
> When they do patch it (IF they do) I'll be glad to send you all the PDFs if 
> you're interested in working on them - just email me. 
>
> For now I've put together a one-liner to grab all of them, I'm sure there's a 
> more elegant way to get them, but this works:
> for i in `curl http://www.jailbreakme.com/%00/ | cut -d '=' -f 3 | grep pdf | 
> cut -b 2- | cut -d '"' -f1`; do wget -nv http://www.jailbreakme.com/%00/$i; 
> done
>
> Ryan Sears
> ----- Original Message -----
> From: "Pablo Ximenes" <pa...@ximen.es>
> To: "Marcello Barnaba (void)" <v...@openssl.it>
> Cc: full-disclosure@lists.grok.org.uk
> Sent: Wednesday, August 4, 2010 1:56:47 PM GMT -05:00 US/Canada Eastern
> Subject: Re: [Full-disclosure] On the iPhone PDF and kernel exploit
>
>
> I believe Jailbreakme.com is just resurfacing, as it used to be used back in 
> the days of the first gen iPhone also for jailbreaking. So, it's not exactly 
> the first time this is happening. 
>
> []'s 
>
> Pablo Ximenes 
> (aka brasuco) 
>
>
> 2010/8/4 Marcello Barnaba (void) < v...@openssl.it > 
>
>
> For the first time in my life, a 0-day exploiting remote code execution, 
> sandbox escaping and privilege escalation has been packaged for general 
> user consumption via a web site ( http://jailbreakme.com ). The actual 
> pdf exploit can be downloaded here: http://jailbreakme.com/_/ . 
>
> What puzzles me is... no notices here on FD, no info on Bugtraq, no CVE, 
> no press release by the CERT, as of now. 
>
> The cat & mouse game played by the iPhone dev team and Apple is done to 
> liberate our devices from useless restrictions, but the whole point for 
> them to exist is because said devices live in a walled garden, that is 
> really useful only to the company behind it. 
>
> I've posted more thoughts and the few technical details I was able to 
> gather (from a tweet!) here: 
>
> http://sindro.me/2010/8/4/on-the-iphone-pdf-and-kernel-exploit 
>
> What do you think? Did someone reverse engineer the exploit? 
>
> ~Marcello 
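The null-byte behaviour Ryan describes above (a percent-encoded `%00` in the request path changing what the server serves) is the classic case of a decoded request path reaching a layer that treats it as a C string and stops at the first NUL. The following is an added example, not code from this thread or from lighttpd, showing the two things a defender wants: a path check that rejects NUL and other control bytes before the decoded path touches the filesystem, and the same check run over access-log lines to find such requests after the fact. The log lines are constructed for the example; the function names and the log format (Common Log Format) are my choices, and nothing here asserts how lighttpd itself handled the request.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Aug/2010:11:13:02 +0000] "GET /%00 HTTP/1.1" 200 3120
203.0.113.7 - - [05/Aug/2010:11:13:05 +0000] "GET /%00/ HTTP/1.1" 200 4021
198.51.100.4 - - [05/Aug/2010:11:14:11 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.4 - - [05/Aug/2010:11:14:12 +0000] "GET /docs/%2500 HTTP/1.1" 404 210
192.0.2.9 - - [05/Aug/2010:11:15:00 +0000] "GET /a%0ab HTTP/1.1" 404 210
"""

# Pulls method and request-target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def path_problems(raw_path: str) -> list[str]:
    """Return the reasons a request path must not reach the filesystem layer.

    The path is percent-decoded exactly once. A double-encoded %2500 therefore
    decodes to the literal text "%00", which is not a NUL byte and is not
    flagged; only a real 0x00 (or another control byte) after one decode is.
    """
    decoded = unquote_to_bytes(raw_path)
    problems = []
    if b"\x00" in decoded:
        # A C-string based path lookup would silently truncate here.
        problems.append("embedded NUL byte")
    if any(b < 0x20 or b == 0x7F for b in decoded if b != 0x00):
        # Newlines, tabs, DEL: never legitimate in a filesystem path.
        problems.append("control character")
    return problems


def safe_decode_path(raw_path: str) -> str:
    """Decode a request path for filesystem use, refusing anything that would
    be interpreted differently by the server and by the OS path functions."""
    problems = path_problems(raw_path)
    if problems:
        raise ValueError(f"rejected {raw_path!r}: {', '.join(problems)}")
    # Strict UTF-8: malformed byte sequences raise rather than being guessed at.
    return unquote_to_bytes(raw_path).decode("utf-8")


def flag_suspicious_requests(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Scan access-log lines and return (client, request-target, problems) for
    every request whose path fails path_problems()."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # Not a request line we recognise; skip rather than guess.
        client = line.split(" ", 1)[0]
        target = m.group("target")
        path = target.split("?", 1)[0]  # Query string is not a filesystem path.
        problems = path_problems(path)
        if problems:
            hits.append((client, target, problems))
    return hits


if __name__ == "__main__":
    for client, target, problems in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{client} requested {target!r}: {', '.join(problems)}")
```

Run as a script it reports the two `%00` requests and the `%0a` one, and leaves `/docs/%2500` alone, which is the point of decoding exactly once: the check must see the same bytes the filesystem layer will see, neither more nor fewer.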

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/