On Thu, Aug 5, 2010 at 2:43 PM, Ryan Sears <[email protected]> wrote:
> Well I'm no expert but I'm going to see if I can reverse engineer the PDFs
> used for jailbreaking (obviously I'd need an ARM assembly book or someone
> who knows it :-P) and figure out exactly what they're doing. I agree with
> what was said earlier, I'm not saying they're doing something malicious, but if I
> wanted to backdoor thousands of phones this is how I'D do it.
>
> Either way, anyone interested in doing the same: I've discovered that the
> webserver (lighttpd 1.4.19) drops the index if you GET a null byte.
>
> http://www.jailbreakme.com/%00
>
> *NOTE* Doesn't work in Chrome
>
Well, it is a "HTTP/1.1 301 Moved Permanently" reply, not a vulnerability.
The server seems to be configured in such a way that any unrecognized
characters after / will redirect to http://www.jailbreakme.com/_/

> I'll post if I *do* actually find something interesting, but like I said -
> I'm no expert on REing PDFs. If anyone has any good tools (I remember there
> was a PDF analysis framework released a while ago - I just don't remember
> what it was called) please let me know!

Origami? http://seclabs.org/origami/

> Also if anyone knows how to get in contact with any of the admins for the
> site (or anyone who runs it for that matter) please either let me know or
> let them know. Nobody likes a null byte flaw on their server - the only
> reason I'm disclosing this here right now is because as far as I know it
> only allows indexing of the jailbreak PDFs, which could aid the community in
> verifying there is nothing malicious going on.
>
> When they do patch it (IF they do) I'll be glad to send you all the PDFs if
> you're interested in working on them - just email me.
>
> For now I've put together a one-liner to grab all of them, I'm sure there's
> a more elegant way to get them, but this works:
>
> for i in `curl http://www.jailbreakme.com/%00/ | cut -d '=' -f 3 | grep pdf | cut -b 2- | cut -d '"' -f1`; do wget -nv http://www.jailbreakme.com/%00/$i; done

wget -r -l 1 http://www.jailbreakme.com/_/ ....Done!

--
Thanks,
Sagar Belure
Security Analyst
Secfence Technologies
www.secfence.com
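As an added example (not code from either poster), the screen-scraping that the quoted cut/grep one-liner does, written as a real HTML parser so it does not break on attribute order, quoting style or case; the index page below is constructed here, and its layout is only an assumption about what a directory listing looks like.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample of a directory-index page; not captured from any
# server, and the layout is an assumption about lighttpd's listing format.
SAMPLE_INDEX = """<html><body><h2>Index of /_/</h2>
<table><tr><th>Name</th></tr>
<tr><td class="n"><a href="../">Parent Directory</a>/</td></tr>
<tr><td class="n"><a href="sample_a.pdf">sample_a.pdf</a></td></tr>
<tr><td class="n"><a href='sample_b.pdf'>sample_b.pdf</a></td></tr>
<tr><td class="n"><a href="readme.txt">readme.txt</a></td></tr>
<tr><td class="n"><a title="x" href="notes.PDF">notes.PDF</a></td></tr>
</table></body></html>"""


class _LinkCollector(HTMLParser):
    """Collects every href attribute seen on <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def pdf_links(index_html, base_url):
    """Return absolute URLs of the .pdf entries in a directory listing.

    Skips the parent-directory link and any absolute-path links, and
    matches the extension case-insensitively (the grep in the one-liner
    would miss 'notes.PDF' and would also match non-link text)."""
    parser = _LinkCollector()
    parser.feed(index_html)
    result = []
    for href in parser.hrefs:
        if href.startswith("../") or href.startswith("/"):
            continue
        if href.lower().endswith(".pdf"):
            result.append(urljoin(base_url, href))
    return result


if __name__ == "__main__":
    for url in pdf_links(SAMPLE_INDEX, "http://www.jailbreakme.com/_/"):
        print(url)
```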
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
