Slashdot Mirror

← Back to Stories (view on slashdot.org)

iPhone Jailbreak Uses a PDF Display Vulnerability

Posted by kdawson on from the get-out-of-jail-free dept.

adeelarshad82 writes "Latest reports indicate that the website that 'jailbreaks' iPhones, iPads, and iPod Touches does so by means of a PDF-based vulnerability in OS X. PDF parsing and rendering is a core feature of OS X, and there have been several other vulnerabilities in the past in iOS CoreGraphics PDF components." As Gruber points out, the proper term for this is not "jailbreak," but "remote code exploit in the wild."

33 of 289 comments (clear)

  1. PDF by ae1294 · · Score: 3, Funny

    I forget can some one remind me what P.D.F. stands for again?

    1. Re:PDF by Monkeedude1212 · · Score: 4, Insightful

      Poor Dumb *Explicit*s

    2. Re:PDF by Culture20 · · Score: 4, Insightful

      I forget can some one remind me what P.D.F. stands for again?

      Programmable Digital-executable Format
      And they've almost got every means of binary execution crammed in.

    3. Re:PDF by Anonymous Coward · · Score: 4, Funny

      P. D. F = P0wn Da Fone?

    4. Re:PDF by selven · · Score: 3, Insightful

      The joke is that this so-called "document format" is going way outside its original scope and now supports so much scripting that it might as well be a library for executable files.

    5. Re:PDF by ae1294 · · Score: 5, Funny

      The joke is that this so-called "document format" is going way outside its original scope and now supports so much scripting that it might as well be a library for executable files.

      I'm going to start sending out all my resumes in dll format... I think it's safer that way...

  2. Does not compute... by chaboud · · Score: 4, Funny

    Didn't you know that Apple is more secure?

    As soon as I saw "computer-free jailbreak, straight from your browser" I thought "oh man.. here we go."

    1. Re:Does not compute... by magsol · · Score: 5, Funny

      "It just works!...even though it's not actually supposed to!"

      --
      "I'd just like to emphasise that taking a million years isn't a metaphor here..." -Rich Bradshaw
    2. Re:Does not compute... by crossword.bob · · Score: 5, Insightful

      Genuine question, no sarcasm tag required: How do those who berate Apple's walled-garden approach feel about games consoles? It genuinely puzzles me why we don't hear nearly so many complaints about the lack of open access to consoles, while a similar (to my mind; feel free to put me right) approach to a phone is evil.

      As for the exploit that makes this jailbreaking possible, I sympathize with people who wish to jailbreak their phone, but I hope this particular exploit is closed as soon as possible. I've heard there are some unscrupulous types in tha intarweb who might consider using such a thing for less than altruistic purposes.

      OK, maybe a touch of sarcasm after all.

    3. Re:Does not compute... by gorzek · · Score: 4, Insightful

      I think the difference is that to many people, a phone is an important part of everyday life. You use it to track appointments, keep in touch with people, read email, surf the web, get information, etc. It's a very personal device.

      On the other hand, a game console isn't very personal. While you can personalize it in some ways, it never really rises above the straightforward tasks of playing games and other media. And since you don't (usually) take it with you, a game console is just not going to be as integral to your everyday life as a phone.

      So, when it seems like someone else has control over your phone, it's much more unsettling. You think of it and everything on it as "yours," and every time you're reminded that someone else holds all the keys to it, that illusion is dispelled a little bit more.

      --
      Check out my world simulator thingy.
  3. Say it with me... by warrax_666 · · Score: 5, Funny

    It stands for PeDoFile.

    --
    HAND.
  4. LOL by Spazntwich · · Score: 5, Funny

    "Just don't render it that way." - Adobe

    1. Re:LOL by Monkeedude1212 · · Score: 3, Interesting

      No the REAL LOL is the advertisement on this page.

      Vulnerability Management for Dummies

      Whatever Slashdot uses for it's adserver, I applaud.

  5. Not a virus by SuperKendall · · Score: 4, Informative

    Macs (and the iPhone) do not yet have any active viruses in the wild.

    It does not mean they cannot get them; there just are none.

    This jailbreak thing is indeed a real live exploit running in the wild, but it's a trojan (kind of) since you are asking it to do one thing (display a PDF) and it does another (jailbreak the phone).

    In a way it should be labeled Malware, but that hardly seems an appropriate label since it's doing the user a favor...

    So there is in fact a known exploit (this PDF bug) and one instance of something that exercises it. Very likely Apple will have this patched in pretty short order - what is really interesting to see is if there will be any "real" (read: malignant) exploits. My guess is probably not, since mobile platforms do not make great zombie systems to control the way desktops do.

    If it were a real virus vector the story would be different as the lure of quickly taking over millions of devices would be very strong...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Not a virus by Monkeedude1212 · · Score: 3, Informative

      If you don't consider a WORM a virus - than there isn't much in lines for Windows Viruses either these days. Almost everything else could be classified as trojan, worm, spyware, or other non-virus malware. I haven't had to clean a virus in a LONG time.

  6. Jailbreak WARNING!!! by daveywest · · Score: 3, Informative

    Everyone's so excited about how easy this jailbreak is, the tech blogs are neglecting to report the problems with the current jailbreaks. Homescreen bookmarks no longer work on any iOS 4 devices after applying this patch. This is a known bug that's been in public knowledge for weeks, yet I've seen no tech blogs reporting the problems. Frankly, this jailbreak created more problems then solutions.

    1. Re:Jailbreak WARNING!!! by Anonymous Coward · · Score: 5, Funny

      BREAKING NEWS!

      Your attention please. We have a very important announcement to make. Listen carefully, because what we have to say MAY SAVE YOUR LIFE!

      Today's top story: Hacks can have unintended consequences.

      That is all.

  7. The new jailbreak is amazing by mewsenews · · Score: 3, Informative

    I came into the office this morning and noticed that a forums thread I monitor on jailbreaking had exploded over my long weekend. I checked the iPhone dev team blog and they explained that there is a new jailbreak that you can visit with the browser on your phone.

    I navigated to the page on my phone and it said "swipe here to jailbreak".

    I swiped.

    It took about 5 minutes to jailbreak my phone and install the Cydia unofficial app store.

    Simply amazing work. Once I had Cydia I installed ultrasn0w from the repository and now my phone is carrier unlocked.

    Great job, hackers!

    1. Re:The new jailbreak is amazing by roman_mir · · Score: 5, Insightful

      Yes, excellent job. Now you just ran an app on your hand held computer that rooted it from a browser. Amazing work of the hackers aside, are you certain you now know for sure your phone is not spying on you and is not going to be used for something you do not want, like someone else using your connection for long distance calls or for spam or DDOS attacks or just a part of some cellular botnet?

      Amazing job - someone rooting your phone through a PDF.

      --
      You can't handle the truth.
    2. Re:The new jailbreak is amazing by Anonymous Coward · · Score: 5, Insightful

      Pardon my language, but, what the fuck?

      If my web browser is such that browsing to a page can lead to code execution as root, that's bad. I don't care if the system is open or closed or what government agency might be listening in, it is a serious vulnerability any way you slice it. It should be patched.

      Your comment is entirely irrelevant to the post it is replying to. You're phrasing it as a rebuttal of some kind, but it does not say anything to this point.

    3. Re:The new jailbreak is amazing by roman_mir · · Score: 4, Insightful

      Your comment is ridiculous, yet moderated at +5 Insightful. If your computer can be owned through a web browser by opening a PDF, then your computer is insecure, this is the issue.

      If you buy products from a company that does not release source code that is a different issue completely. Yes, a company can be providing governments with your information. No, it does not make it OK for the phone from that company to be exploitable the way iphone is.

      --
      You can't handle the truth.
  8. Re:This is really tiresome by plover · · Score: 4, Funny

    I saw a brilliant slide at Blackhat last week that sums it up perfectly (same vendor, different product)

    Native Security Functionality of Adobe Flash

    [ This slide intentionally left blank ]

    --
    John
  9. Re:It's a feature... by Darkness404 · · Score: 3, Insightful

    Really says alot about Apple's policies if the mass media is treating this like a feature and a good thing to be able to jailbreak it.

    --
    Taxation is legalized theft, no more, no less.
  10. Re:Adobe Strikes Back! by fuzzyfuzzyfungus · · Score: 4, Insightful

    They may have stopped in later versions(my job description requires supporting XP, and you have to pay me to care about windows, so that is where my knowledge lies); but MS included flash in XP. It is version 6; because base XP is older than dirt; but they did include it.

    More relevant to modern readers, most OEMs seem to ship consumer-focused systems with vaguely up-to-date-but-just-a-bit-behind versions of Flash(and acrobat reader, and other stuff). This isn't strictly microsoft's fault; but it is what you are likely to get out of the box.

  11. PDF is iOS core by SuperKendall · · Score: 4, Insightful

    If you consider jailbreaking the iPhone a favor to the user.

    The users who are doing it would, that's why they are doing it!

    The next site that uses this gaping security hole to install a rootkit, or other malicious piece of software, won't be such a favor. This is a huge security issue for iDevices.

    Oh, I totally agree - it's a pretty bad security flaw, and has nice demonstration code for how to exploit it as well so it's pretty much the worst possible case.

    That's why it's so interesting to see if there are in fact followup malicious attacks.

    The fact that it is a PDF exploit rather than an iOS issue makes it more difficult for Apple to patch since it's not "one of their own".

    No. Apple wrote all the PDF handling code in iOS (and on the Mac). We'd see a lot more attacks like this had they embedded Adobe Reader....

    Clearly it's Apple responsibility to fix this ASAP (and their fault for letting it get into customer's hands), so they better get on it before someone else starts turning things into iP0wns.

    It is 100% on Apple to get a fix out. With 4.1 so close at hand, they may wait on that to finish up... or perhaps it's a sliding scale and the first sign of any real attack will bring down the update hammer if it happens before 4.1 (4.1 beta 3 just came out today and probably fixes this bug).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  12. Apple does not use Adobe Reader for PDF by melted · · Score: 4, Informative

    Apple does not use Adobe Reader for PDF. I thought everyone knew this by now. Apparently not.

  13. Re:Duh... pointed out ages ago by pclminion · · Score: 4, Informative

    Yeah, I always refer to stuff that happened earlier today as "ages ago."

  14. Re:So what is it exactly? by cbhacking · · Score: 5, Informative

    It's a bug in the font rendering component, which apparently lives in kernel space. PDFs are allowed to embed fonts, and apparently Preview doesn't verify the font data before tossing it to the renderer. Apparently the renderer doesn't verify it either, because instead of rejecting the data as invalid, it gives the attacker completely unrestricted control over the software.

    PDFs having embedded fonts is a very useful and entirely reasonable feature. It would help if Preview validated the fonts, but that's not entirely required (you could validate somewhere further down the pipeline, so long as you don't try to process the unvalidated data). There are several other ways to remotely load fonts, ranging from other document formats to the Web Open Font Format (http://www.w3.org/Submission/2010/03/) and some CSS in a web page. There's a decent chance that at least a few others are vulnerable to this exploit. However, there's been considerable research recently into Apple's PDF reader, with one researcher finding 60 different exploitable bugs in the software (though most of them probably aren't kernel). By comparison, the same testing data found three exploitable bugs in Adobe Reader.

    Having font rendering/rasterizing in the kernel is... not brilliant, but not inherently a critical security flaw. It's certainly possible to do in userland, and probably safer, but displaying text is something that almost every app will need to do at some point, and putting it in the kernel will minimize memory footprint and maximize performance. The real WTF here is that the data isn't being validated extremely carefully as soon as it enters the kernel, and possibly before. When kernel-mode code starts parsing unvalidated data, the best you can really hope for is that you get a kernel-mode crash and are forced to do a hard reboot (on Windows, this would be a BSOD).

    --
    There's no place I could be, since I've found Serenity...
  15. Re:PDF? by cbhacking · · Score: 5, Informative

    Not only is it native, it's really, really insecure. A security researcher named Charlie Miller wrote a 5-line Python script to generate fuzzed (slightly corrupted) PDF files from valid templates. He created roughly 2.8 million of these, and then ran them through Apple's Preview program, and through Adobe Reader. His findings:

    0.09% crash rate on Reader, and 4 exploitable bugs found.
    5.6% crash rate (52x as many), and 61 exploitable bugs found (15x as many).
    When your security is more than an order of magnitude worse than Adobe's, you've got a major problem.

    By the way, this is the guy who won an iPhone at Pwn2Own. He's presented at CanSecWest and Blackhat, and possibly elsewhere. He knows his stuff.

    --
    There's no place I could be, since I've found Serenity...
  16. Re:It's a feature... by zuperduperman · · Score: 5, Insightful

    I looked at the web page for my local newspaper today and it featured two headlines right above one another:

    1. iPhone4 Jailbreak Offers Apps to Millions
    2. Microsoft Windows Flaw Leaves Millions Vulnerable to Hackers and Malware

    I guess we always knew that mass media lives well inside the reality distortion field, but still ...

  17. Re:PDF? by cbhacking · · Score: 3, Informative

    (Sorry to reply to myself, but the second line - the 5.6% crash rate and 61 exploitable bugs - is in Apple's Preview app. I also got the factor wrong (it's closer to 60x as many crashes). Sorry, I really need to stop posting on /. at work; I'm too distracted to double-check before hitting Submit.

    --
    There's no place I could be, since I've found Serenity...
  18. Re:It's a feature... by vijayiyer · · Score: 4, Insightful

    It says nothing about Apple's policies and everything about the mass media.

  19. Re:I hear differently from Users by MechaStreisand · · Score: 3, Insightful

    Regarding 2), I think that would only be correct if virius was that masculine etc etc. But since everyone is talking about viruses, not viriuses, the term "virii" is pure retardation.

    --
    Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.