Nope - you have to have 268 bytes or more. *NOTE* - You will need to put the ipod into disk mode to take the file off when you are done or it will keep rebooting :)
We can probably download the firmware of the 5.5 or 5g and RE it am I correct? I don't have any of these tools sorry.

On Sat, Feb 14, 2009 at 2:17 PM, The Seven <[email protected]> wrote:
> Looks pretty good!
> I'll give it a quick try on my 2G nano.
> However, to successfully exploit it, it would be very helpful to know
> what's exactly going on there, so I need a disassembly of the link
> parsing code on 5G.
> What happens when you put in 256 to 267 bytes? Any weird behavior?
> I would guess they use a 256 byte buffer, that stores an ASCIIZ string.
>
> Taylor Gordon wrote:
> > Hello -
> >
> > Yes; I am pretty sure it is some type of overflow (either buffer or heap).
> >
> > I have tested this personally on a 3g nano - but from what people are
> > telling me it also works on 5g and all nanos capable of viewing notes in the
> > extras area.
> >
> > Concerning the code: Since the newer firmwares are encrypted - we might need
> > to take a look at the earlier firmwares like 5g since we know it happens
> > there. Like I said - I tried to look at the code of the 5g and it makes my
> > brain hurt ;) I'm guessing it either occurs in strcpy() or malloc(). Here is
> > what I know for sure right now:
> >
> > We are investigating a vulnerability (possibly a buffer overflow) in the ipod
> > that MIGHT be able to run unsigned code.
> > It occurs in a text doc in the notes area when you have a link longer than
> > 268 bytes.
> >
> > At this point we have been supplied with the following info:
> >
> > 1.) You need the whole link including the "</a>" at the end for the
> > ipod/HTML parser to read it as a valid link.
> > 2.) You need 268 bytes in the <a href"----268 bytes here"> for it to crash
> > 3.) We can safely assume that Apple is using strcpy() since the ipod stops
> > parsing the link after NULL 0x00
> >
> > That's all I know so far :)
> >
> > Cheers!
> >
> > Taylor
> > _______________________________________________
> > Linux4nano-dev mailing list
> > [email protected]
> > https://mail.gna.org/listinfo/linux4nano-dev
> > http://www.linux4nano.org
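The thread's working theory is an unbounded copy of the `href` value into a fixed buffer (the "256 byte buffer that stores an ASCIIZ string" guess). The following C is an added example, not code from the iPod firmware or from anyone on the list: it shows the hardened shape of such a link parser, which measures the `href` before copying and refuses values that do not fit, plus a small lint pass that counts overlong links in a notes file so a user can check a note before syncing it. The 256-byte limit, the `<a href="...">` shape and the sample notes are assumptions taken from the thread, not verified facts about the device.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination size, taken from the thread's guess of a 256-byte
 * ASCIIZ buffer. Nothing here is a confirmed value from the firmware. */
#define HREF_BUF 256

/* Outcome of the hardened extractor. */
enum href_status { HREF_OK = 0, HREF_NONE = 1, HREF_TOO_LONG = 2, HREF_UNTERMINATED = 3 };

/* Hardened extractor: locate the first <a href="..."> in `note`, measure the
 * value, and copy it into `out` (capacity `out_len`) only if it fits with
 * its NUL terminator. On HREF_TOO_LONG the caller gets an empty string and
 * the real length in *href_len, instead of a silent truncation or an
 * out-of-bounds write. This is the check an unbounded strcpy() lacks. */
enum href_status extract_href(const char *note, char *out, size_t out_len, size_t *href_len)
{
    static const char open[] = "<a href=\"";
    const char *tag = strstr(note, open);
    if (!tag) return HREF_NONE;

    const char *start = tag + (sizeof open - 1);
    const char *end = strchr(start, '"');
    if (!end) return HREF_UNTERMINATED;

    size_t n = (size_t)(end - start);
    if (href_len) *href_len = n;
    if (out_len == 0) return HREF_TOO_LONG;
    if (n + 1 > out_len) {
        out[0] = '\0';
        return HREF_TOO_LONG;
    }
    memcpy(out, start, n);
    out[n] = '\0';
    return HREF_OK;
}

/* Lint pass: count links in a note whose href value exceeds `limit` bytes.
 * Useful as a pre-sync check over a notes file; it never copies the value. */
size_t count_overlong_hrefs(const char *note, size_t limit)
{
    static const char open[] = "<a href=\"";
    size_t count = 0;
    const char *p = note;
    while ((p = strstr(p, open)) != NULL) {
        const char *start = p + (sizeof open - 1);
        const char *end = strchr(start, '"');
        if (!end) break;                      /* unterminated: stop scanning */
        if ((size_t)(end - start) > limit) count++;
        p = end + 1;
    }
    return count;
}

/* Build a constructed note containing one link whose href is exactly
 * `href_bytes` of 'A'. Returns 1 on success, 0 if `buf` is too small. */
int make_note(char *buf, size_t buf_len, size_t href_bytes)
{
    static const char head[] = "<a href=\"";
    static const char tail[] = "\">link</a>";
    size_t need = (sizeof head - 1) + href_bytes + (sizeof tail - 1) + 1;
    if (need > buf_len) return 0;
    memcpy(buf, head, sizeof head - 1);
    memset(buf + (sizeof head - 1), 'A', href_bytes);
    memcpy(buf + (sizeof head - 1) + href_bytes, tail, sizeof tail); /* copies the NUL too */
    return 1;
}

/* Exercise the extractor on constructed notes around the thread's sizes.
 * Returns 1 when every case behaves as intended, 0 otherwise. */
int self_check(void)
{
    char note[1024];
    char href[HREF_BUF];
    size_t len = 0;

    /* 100-byte href: fits, copied intact. */
    if (!make_note(note, sizeof note, 100)) return 0;
    if (extract_href(note, href, sizeof href, &len) != HREF_OK) return 0;
    if (len != 100 || strlen(href) != 100) return 0;

    /* 268-byte href (the crash length from the thread): refused, not copied. */
    if (!make_note(note, sizeof note, 268)) return 0;
    if (extract_href(note, href, sizeof href, &len) != HREF_TOO_LONG) return 0;
    if (len != 268 || href[0] != '\0') return 0;

    /* No link and unterminated link are reported, not guessed at. */
    if (extract_href("plain note text", href, sizeof href, &len) != HREF_NONE) return 0;
    if (extract_href("<a href=\"abc", href, sizeof href, &len) != HREF_UNTERMINATED) return 0;
    return 1;
}

int main(void)
{
    /* Constructed note: one short link and one well over the assumed limit. */
    char note[1024];
    make_note(note, sizeof note, 300);
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    printf("overlong links in sample note: %zu\n", count_overlong_hrefs(note, HREF_BUF - 1));
    return 0;
}
```

The point of `extract_href` is that the length is known before any byte is written, so a 268-byte value produces a clean status code rather than the crash the thread describes; `count_overlong_hrefs` applies the same measurement as a read-only scan.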
