
iPhone Jailbreak Uses a PDF Display Vulnerability

Posted by kdawson
from the get-out-of-jail-free dept.
adeelarshad82 writes "Latest reports indicate that the website that 'jailbreaks' iPhones, iPads, and iPod Touches does so by means of a PDF-based vulnerability in OS X. PDF parsing and rendering is a core feature of OS X, and there have been several other vulnerabilities in the past in iOS CoreGraphics PDF components." As Gruber points out, the proper term for this is not "jailbreak," but "remote code exploit in the wild."
  • PDF (Score:4, Funny)

    by ae1294 (1547521) on Tuesday August 03, 2010 @06:12PM (#33131214) Journal

    I forget can some one remind me what P.D.F. stands for again?

  • by chaboud (231590) on Tuesday August 03, 2010 @06:12PM (#33131218) Homepage Journal

    Didn't you know that Apple is more secure?

    As soon as I saw "computer-free jailbreak, straight from your browser" I thought "oh man.. here we go."

    • by magsol (1406749) on Tuesday August 03, 2010 @06:16PM (#33131268) Homepage Journal
      "It just works!...even though it's not actually supposed to!"
      • by Nerdfest (867930)
        I thought "It Just Works" was describing iOS 4 on the 3G ...
    • It's a feature... (Score:2, Insightful)

      by Anonymous Coward

      It's really funny to see how this is treated by the mass media. They make it sound like it's a feature...

  • No no no, you see, it's not a Jailbreak, it's a Remote Code Exploit... straight from your browser.

    • Re: (Score:3, Insightful)

      by tibit (1762298)

      You have to admit though, that the whole thing is extremely user-friendly even when jailbreaking. No stupid yellow pop-up ActiveX warnings, just tap here, slide there, and off you go. I wonder how much Apple influence was there when the UI was designed for this jailbreak. Compare how nice it looks next to most PC-based cracks/hacks that one can download. I'm half-serious here.

  • by Anonymous Coward

    Is it really so hard to write a document viewer that cannot crash? These aren't small companies. We're talking about Apple, Adobe, Microsoft here. Can't they at least get the core functionality right? I'll settle for safe if getting it right is too much to ask for.

    • by plover (150551) * on Tuesday August 03, 2010 @06:38PM (#33131570) Homepage Journal

      I saw a brilliant slide at Blackhat last week that sums it up perfectly (same vendor, different product)

      Native Security Functionality of Adobe Flash

      [ This slide intentionally left blank ]

    • Re: (Score:3, Insightful)

      by beelsebob (529313)

      In the computing world we live in, where performance is everything, and correctness merely nice to have, yes, yes it is that hard. Until we start using highly abstracted, highly statically checked languages, and implementing proofs that things like buffer overruns happen, this is the sad reality we live in.

  • So many exploits and spyware, you'd think more stuff would end up in WikiLeaks. I guess it all goes to various groups' private WikiLeaks, known as intelligence or something similar...
    • Re: (Score:2, Insightful)

      by ThePengwin (934031)

      It's actually not hard to read the entire exploit yourself from the site. Change your browser's user agent to an iPhone-like string, and inspect the JavaScript on the page. I scoffed when I found the function that makes the URL to the exploit file:

      function get_page() {
              // path of the PDF matching the detected device model and firmware version
              return model == null ? null : ("/_/" + model + "_" + firmware + ".pdf")
      }

  • LOL (Score:5, Funny)

    by Spazntwich (208070) on Tuesday August 03, 2010 @06:26PM (#33131422)

    "Just don't render it that way." - Adobe

  • Jailbreak WARNING!!! (Score:4, Informative)

    by daveywest (937112) on Tuesday August 03, 2010 @06:33PM (#33131502)
    Everyone's so excited about how easy this jailbreak is, the tech blogs are neglecting to report the problems with the current jailbreaks. Homescreen bookmarks no longer work on any iOS 4 devices after applying this patch. This is a known bug that's been in public knowledge for weeks, yet I've seen no tech blogs reporting the problems. Frankly, this jailbreak created more problems than solutions.
    • by Anonymous Coward on Tuesday August 03, 2010 @06:36PM (#33131542)

      BREAKING NEWS!

      Your attention please. We have a very important announcement to make. Listen carefully, because what we have to say MAY SAVE YOUR LIFE!

      Today's top story: Hacks can have unintended consequences.

      That is all.

    • You must have bad luck. Neither I, nor anybody I know with jailbroken phones, has any bookmark issues. I have heard of MMS and FaceTime issues, but I don't really use either.

      Frankly, though, the jailbreaks are less necessary for me than they were on 2.0/3.0. Multitasking, copy/paste, Bluetooth keyboards etc are all built in now, and done better than the unofficial apps (as professional as they are). I was browsing through Cydia the other day and while I installed the usual MobileTerminal, ssh, etc - that I

    • If you are having trouble with the homescreen, there's a new jailbreak using a youtube video that should work:

      http://www.youtube.com/watch?v=Tg4u7ko333U [youtube.com]

  • PDF? (Score:2, Insightful)

    by Exitar (809068)

    It's Adobe's revenge!

    • No. Didn’t you read TFS? The PDF renderer is a native part of OS X. Adobe had nothing to do with it.

      • Re:PDF? (Score:5, Informative)

        by cbhacking (979169) on Tuesday August 03, 2010 @07:54PM (#33132350) Homepage Journal

        Not only is it native, it's really, really insecure. A security researcher named Charlie Miller wrote a 5-line Python script to generate fuzzed (slightly corrupted) PDF files from valid templates. He created roughly 2.8 million of these, and then ran them through Apple's Preview program, and through Adobe Reader. His findings:

        0.09% crash rate on Reader, and 4 exploitable bugs found.
        5.6% crash rate (52x as many), and 61 exploitable bugs found (15x as many).
        When your security is more than an order of magnitude worse than Adobe's, you've got a major problem.

        By the way, this is the guy who won an iPhone at Pwn2Own. He's presented at CanSecWest and Blackhat, and possibly elsewhere. He knows his stuff.

  • by mewsenews (251487) on Tuesday August 03, 2010 @06:37PM (#33131566) Homepage

    I came into the office this morning and noticed that a forums thread I monitor on jailbreaking had exploded over my long weekend. I checked the iPhone dev team blog and they explained that there is a new jailbreak that you can visit with the browser on your phone.

    I navigated to the page on my phone and it said "swipe here to jailbreak".

    I swiped.

    It took about 5 minutes to jailbreak my phone and install the Cydia unofficial app store.

    Simply amazing work. Once I had Cydia I installed ultrasn0w from the repository and now my phone is carrier unlocked.

    Great job, hackers!

    • by roman_mir (125474) on Tuesday August 03, 2010 @06:46PM (#33131644) Homepage Journal

      Yes, excellent job. Now you just ran an app on your hand held computer that rooted it from a browser. Amazing work of the hackers aside, are you certain you now know for sure your phone is not spying on you and is not going to be used for something you do not want, like someone else using your connection for long distance calls or for spam or DDOS attacks or just a part of some cellular botnet?

      Amazing job - someone rooting your phone through a PDF.

      • Re: (Score:2, Informative)

        by jazzmans (622827)

        Uhm, if you read on the jailbreak page, after the phone is jailbroken, and Cydia installed, they (the hackers who wrote the exploit) then fix the flaw in Safari so that no more code can be run to root the phone.

        So, yes. It is a benefit, since there is obviously a serious flaw in the OS & jailbreaking it fixes the flaw.

        Oh yeah, and no mms or bookmark issues for me either. It Just Works.

        jaz

      • by Jay L (74152) *

        What?

        The iPhone is vulnerable to rooting attacks via its PDF handler by any web page. If and when someone writes a -malicious- exploit for that, wouldn't they just hide it in a page that gets LOTS more views, like porn? Why would they go to the trouble of putting it in a useful-but-geeky jailbreakme site?

    • Re: (Score:3, Funny)

      by cbhacking (979169)

      That's the Apple stance on kernel-level remote code execution exploits: It Just Works!

  • It says that it's caused by a PDF vulnerability in iOS, but is it in Apple's PDF viewer or in PDF itself?
    • It says that it's caused by a PDF vulnerability in iOS, but is it in Apple's PDF viewer or in PDF itself?

      It's obviously in Apple's PDF viewer, whether or not it's a result of that viewer being a direct implementation of the spec.

      But I'll be surprised if anyone can point to anything in any version of the PDF spec which requires a conforming implementation to allow unrestricted access to the underlying OS. It may require that certain APIs be available, but I'd be very surprised if it didn't allow those APIs to

      • by cbhacking (979169) on Tuesday August 03, 2010 @07:35PM (#33132180) Homepage Journal

        It's a bug in the font rendering component, which apparently lives in kernel space. PDFs are allowed to embed fonts, and apparently Preview doesn't verify the font data before tossing it to the renderer. Apparently the renderer doesn't verify it either, because instead of rejecting the data as invalid, it gives the attacker completely unrestricted control over the software.

        PDFs having embedded fonts is a very useful and entirely reasonable feature. It would help if Preview validated the fonts, but that's not entirely required (you could validate somewhere further down the pipeline, so long as you don't try to process the unvalidated data). There are several other ways to remotely load fonts, ranging from other document formats to the Web Open Font Format (http://www.w3.org/Submission/2010/03/) and some CSS in a web page. There's a decent chance that at least a few others are vulnerable to this exploit. However, there's been considerable research recently into Apple's PDF reader, with one researcher finding 60 different exploitable bugs in the software (though most of them probably aren't kernel). By comparison, the same testing data found three exploitable bugs in Adobe Reader.

        Having font rendering/rasterizing in the kernel is... not brilliant, but not inherently a critical security flaw. It's certainly possible to do in userland, and probably safer, but displaying text is something that almost every app will need to do at some point, and putting it in the kernel will minimize memory footprint and maximize performance. The real WTF here is that the data isn't being validated extremely carefully as soon as it enters the kernel, and possibly before. When kernel-mode code starts parsing unvalidated data, the best you can really hope for is that you get a kernel-mode crash and are forced to do a hard reboot (on Windows, this would be a BSOD).
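An added example of the kind of validation the comment above describes as missing (this is not code from the thread, from Apple or from any PDF reader): a bounds check over the table directory of an embedded sfnt (TrueType/OpenType) font, run before any privileged component parses the font bytes. The header layout is the public sfnt format; the sample font bytes and the `make_sample` helper are constructed for this example.

```c
/* Added example: validate an sfnt table directory before a renderer touches it.
 * Every (offset, length) pair is checked against the buffer size, with the check
 * written so that offset + length cannot wrap around in 32-bit arithmetic. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Returns 1 if the directory is well-formed and every table lies inside the
 * buffer, 0 otherwise. Only a buffer that passes should reach the renderer. */
int sfnt_directory_ok(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < 12) return 0;            /* 12-byte offset table */
    uint32_t ver = rd32(buf);                         /* 0x00010000, 'OTTO', 'true' */
    if (ver != 0x00010000u && ver != 0x4F54544Fu && ver != 0x74727565u) return 0;
    uint16_t num_tables = rd16(buf + 4);
    if (num_tables == 0) return 0;
    size_t dir_end = 12 + (size_t)num_tables * 16;    /* 16 bytes per record */
    if (dir_end > len) return 0;                      /* directory itself truncated */
    for (size_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = buf + 12 + i * 16;       /* tag, checksum, offset, length */
        uint32_t off = rd32(rec + 8), tlen = rd32(rec + 12);
        /* reject empty tables, tables overlapping the directory, and any range
           that leaves the buffer; "tlen > len - off" avoids the off + tlen overflow */
        if (tlen == 0 || off < dir_end || off > len || tlen > len - off) return 0;
    }
    return 1;
}

/* Constructed sample: 12-byte header, one 'head' record, 12 bytes of table data. */
size_t make_sample(uint8_t *out, uint32_t off, uint32_t tlen) {
    static const uint8_t hdr[12] = {0, 1, 0, 0, 0, 1, 0, 16, 0, 0, 0, 0};
    memset(out, 0, 40);
    memcpy(out, hdr, 12);
    memcpy(out + 12, "head", 4);
    wr32(out + 20, off);
    wr32(out + 24, tlen);
    return 40;
}
```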

      • But I'll be surprised if anyone can point to anything in any version of the PDF spec which requires a conforming implementation to allow unrestricted access to the underlying OS. It may require that certain APIs be available, but I'd be very surprised if it didn't allow those APIs to return errors if code running in a PDF document attempted to use them in a way which would violate the basic integrity of the underlying OS.

        There was a PDF vulnerability about a year ago that allowed execution of code [eweek.com]. This was a design feature in PDF to run other things like media. For Windows that allowed the running of code and not just media. It didn't affect just Adobe's PDF viewer; it affected any PDF viewer on Windows. It didn't affect OS X at the time.

  • Now we just need the jailbreak team to release a Safari/Preview patch to fix the hole. That way, we won't have to go to 4.0.2 in order to be safe from the PDF exploit, thus locking us out from the jailbreak.

  • Interesting... (Score:2, Insightful)

    by Anonymous Coward

    That Tavis Ormandy is torn apart for releasing a more complicated vulnerability, but jailbreaking your phone just by clicking a url is widely celebrated. How difficult is it really gonna be to weaponize this jailbreak...

  • Why is this phone not running user mode for this stuff? System mode for services only, why is PDF parsing being handled in system mode? All this stuff, non-executable stacks/data, memory protection etc ought to be set to the max. On the one hand it's exciting to see these hacks, on another it's depressing since in my own life as an ARM fw programmer, I would have been shown the door 10 yrs ago for that type of coding oversight.

  • For a good while now the size of drives has been mostly meaningless to me. I don't store any movies or music. My current XP installation, with MS Office and Eclipse, takes up about 10 GB. I'm much more interested in "fast" than I am "big".
  • The original jailbreakme.com exploit, the iPhone 1.1.1 one that Woz demo'd on video, cleaned up after itself by patching the graphics bug that it used. Does anyone know if this exploit does the same thing?
