Date: Thu, 5 Aug 2010 16:31:12 +0530
From: Sagar Belure <sagar.belure@...il.com>
To: Ryan Sears <rdsears@....edu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: On the iPhone PDF and kernel exploit

On Thu, Aug 5, 2010 at 2:43 PM, Ryan Sears <rdsears@....edu> wrote:

> Well I'm no expert but I'm going to see if I can reverse engineer the PDFs
> used for jailbreaking (obviously I'd need an ARM assembly book or someone
> who knows it :-P) and figure out exactly what they're doing. I agree with what
> was said earlier, I'm not saying they're doing something malicious, but if I
> wanted to backdoor thousands of phones this is how I'D do it.
>
> Either way anyone interested in doing the same I've discovered that the
> webserver (lighttpd 1.4.19) drops the index if you GET a null byte.
>
> http://www.jailbreakme.com/%00
>
> *NOTE* Doesn't work in chrome
>

Well, it is a "HTTP/1.1 301 Moved Permanently" reply, not a vulnerability.
The server seems to be configured in such a way that any unrecognized characters
after / will redirect to http://www.jailbreakme.com/_/


>
> I'll post if I *do* actually find something interesting, but like I said -
> I'm no expert on REing PDFs. If anyone has any good tools (I remember there
> was a PDF analysis framework released a while ago - I just don't remember
> what it was called) please let me know!
>

Origami?
http://seclabs.org/origami/


>
> Also if anyone knows how to get in contact with any of the admins for the
> site (or anyone who runs it for that matter) please either let me know or
> let them know. Nobody likes a null byte flaw on their server - the only
> reason I'm disclosing this here right now is because as far as I know it
> only allows indexing of the jailbreak PDFs which could aid the community in
> verifying there is nothing malicious going on.
>
> When they do patch it (IF they do) I'll be glad to send you all the PDFs if
> you're interested in working on them - just email me.
>
> For now I've put together a one-liner to grab all of them, I'm sure there's
> a more elegant way to get them, but this works:
> for i in `curl http://www.jailbreakme.com/%00/ | cut -d '=' -f 3 | grep pdf | cut -b 2- | cut -d '"' -f1`; do wget -nv http://www.jailbreakme.com/%00/$i; done
>

wget -r -l 1 http://www.jailbreakme.com/_/

....Done!

-- 
Thanks,
Sagar Belure
Security Analyst
Secfence Technologies
www.secfence.com
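To check the point made above (a 301 redirect to /_/ rather than an index leak) instead of eyeballing it in a browser, here is an added Python example that is not part of the thread; the sample responses and the example.test host are constructed, and probe() is the only part that touches the network.

```python
import http.client
import re
from typing import Dict, Tuple
from urllib.parse import urlsplit
# Constructed sample responses (not captured from the real server), shaped like
# what the reply describes: a 301 to /_/ for the %00 path, and an index for /_/.
REDIRECT_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://www.example.test/_/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
INDEX_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<h2>Index of /_/</h2><a href="../">../</a>'
    b'<a href="device_a.pdf">device_a.pdf</a><a href="device_b.pdf">device_b.pdf</a>'
)
PDF_LINK = re.compile(rb'href="([^"]+\.pdf)"', re.IGNORECASE)

def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_blob = head.partition(b"\r\n")
    parts = status_line.decode("iso-8859-1").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_blob.decode("iso-8859-1").split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body

def classify(status: int, headers: Dict[str, str], body: bytes) -> Tuple[str, object]:
    """('redirect', target) for 3xx + Location, as the reply reports for /%00;
    ('listing', [pdf names]) for a served directory index; ('other', status) else."""
    if 300 <= status < 400 and "location" in headers:
        return "redirect", headers["location"]
    pdfs = [m.decode("iso-8859-1") for m in PDF_LINK.findall(body)]
    if status == 200 and pdfs:
        return "listing", pdfs
    return "other", status

def probe(url: str) -> Tuple[str, object]:
    """Fetch one URL without following redirects (needs network) and classify it."""
    u = urlsplit(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    hdrs = {k.lower(): v for k, v in resp.getheaders()}
    return classify(resp.status, hdrs, resp.read())
```

A redirect result means the path was rewritten by the server configuration, as the reply says; a listing result is what the original post's one-liner relied on.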


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/