Looks pretty good!
I'll give it a quick try on my 2G nano.
However, to successfully exploit it, it would be very helpful to know
what exactly is going on there, so I need a disassembly of the link
parsing code on 5G.
What happens when you put in 256 to 267 bytes? Any weird behavior?
I would guess they use a 256 byte buffer, that stores an ASCIIZ string.

Taylor Gordon wrote:
> Hello -
> 
> Yes; I am pretty sure it is some type of overflow (either buffer or heap).
> 
> I have tested this personally on a 3g nano - but from what people are
> telling me it also works on 5g and all nanos capable of viewing notes in the
> extras area.
> 
> Concerning the code: Since the newer firmwares are encrypted - we might need
> to take a look at the earlier firmwares like 5g since we know it happens
> there. Like I said - I tried to look at the code of the 5g and it makes my
> brain hurt ;) I'm guessing it either occurs in strcpy() or malloc(). Here is
> what I know for sure right now:
> 
> We are investigating a vulnerability (possibly a buffer overflow) in the ipod
> that MIGHT be able to run unsigned code.
> It occurs in a text doc in the notes area when you have a link longer than
> 268 bytes.
> 
> At this point we have been supplied with the following info:
> 
> 
> 1.) You need the whole link including the "</a>" at the end for the
> ipod/HTML parser to read it as a valid link.
> 2.) You need 268 bytes in the <a href"----268 bytes here"> for it to crash
> 3.) We can safely assume that Apple is using strcpy() since the ipod stops
> parsing the link after NULL 0x00
> 
> That's all I know so far :)
> 
> Cheers!
> 
> Taylor
> _______________________________________________
> Linux4nano-dev mailing list
> [email protected]
> https://mail.gna.org/listinfo/linux4nano-dev
> http://www.linux4nano.org
> 
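The thread's working hypothesis is a fixed 256-byte buffer holding an ASCIIZ string, filled by an unbounded strcpy() of the href value, which would explain why a 268-byte link crashes and why parsing stops at the first NUL. The example below is added here and is not code from the iPod firmware or from anyone on the list: it is a bounded href extractor for the `<a href="...">...</a>` note-link form described above, with the buffer size and the 255/256/268 figures taken from the thread and the exact tag layout assumed. It rejects any href that would not fit, which is the check an unbounded copy lacks, and the helper shows the boundary at which a 256-byte buffer stops being safe.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothesised layout from the thread: a fixed 256-byte buffer holding an
 * ASCIIZ string, so at most 255 link characters plus the terminator fit. */
#define HREF_BUF_SIZE 256

/* Extract the href value of a note link of the (assumed) form
 *   <a href="...">label</a>
 * into `out`, which has capacity `out_size`, with an explicit bound.
 * Returns the href length on success, -1 if the tag is malformed
 * (the thread notes the closing </a> is required for a valid link),
 * and -2 if the href would not fit; the unbounded strcpy() pattern
 * discussed above has no equivalent of that last check. */
int extract_href(const char *note, char *out, size_t out_size)
{
    const char *start = strstr(note, "<a href=\"");
    if (start == NULL) return -1;
    start += strlen("<a href=\"");
    const char *end = strchr(start, '"');
    if (end == NULL) return -1;
    if (strstr(end, "</a>") == NULL) return -1;
    size_t len = (size_t)(end - start);
    if (len >= out_size) return -2;  /* no room for the NUL: refuse, don't overflow */
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed test input: a link whose href is n copies of 'A'. */
char *make_link(size_t n)
{
    const char *head = "<a href=\"";
    const char *tail = "\">x</a>";
    char *s = malloc(strlen(head) + n + strlen(tail) + 1);
    if (s == NULL) return NULL;
    strcpy(s, head);
    memset(s + strlen(head), 'A', n);
    strcpy(s + strlen(head) + n, tail);
    return s;
}

/* Returns 1 if a link with an n-byte href fits the 256-byte buffer, else 0. */
int href_fits(size_t n)
{
    char buf[HREF_BUF_SIZE];
    char *link = make_link(n);
    if (link == NULL) return 0;
    int rc = extract_href(link, buf, sizeof buf);
    free(link);
    return rc >= 0;
}

int main(void)
{
    printf("255-byte href fits: %d\n", href_fits(255));  /* 1 */
    printf("256-byte href fits: %d\n", href_fits(256));  /* 0 */
    printf("268-byte href fits: %d\n", href_fits(268));  /* 0 */
    return 0;
}
```

With a 256-byte ASCIIZ buffer the last safe href length is 255; the reply's question about 256 to 267 bytes is exactly the range where an unbounded copy already writes past the buffer but may not yet reach whatever makes the 268-byte case crash, which is why the behaviour in that range is informative.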

