Slashdot Mirror
iPhone Jailbreak Uses a PDF Display Vulnerability
adeelarshad82 writes "Latest reports indicate that the website that 'jailbreaks' iPhones, iPads, and iPod Touches does so by means of a PDF-based vulnerability in OS X. PDF parsing and rendering is a core feature of OS X, and there have been several other vulnerabilities in the past in iOS CoreGraphics PDF components." As Gruber points out, the proper term for this is not "jailbreak," but "remote code exploit in the wild."
Didn't you know that Apple is more secure?
As soon as I saw "computer-free jailbreak, straight from your browser" I thought "oh man.. here we go."
Poor Dumb *Explicit*s
I forget can some one remind me what P.D.F. stands for again?
Programmable Digital-executable Format
And they've almost got every means of binary execution crammed in.
It stands for PeDoFile.
HAND.
"Just don't render it that way." - Adobe
Macs (and the iPhone) do not yet have any active viruses in the wild.
It does not mean they cannot get them; there just are none.
This jailbreak thing is indeed a real live exploit running in the wild, but it's a trojan (kind of) since you are asking it to do one thing (display a PDF) and it does another (jailbreak the phone).
In a way it should be labeled Malware, but that hardly seems an appropriate label since it's doing the user a favor...
So there is in fact a known exploit (this PDF bug) and one instance of something that exercises it. Very likely Apple will have this patched in pretty short order - what is really interesting to see is if there will be any "real" (read: malignant) exploits. My guess is probably not, since mobile platforms do not make great zombie systems to control the way desktops do.
If it were a real virus vector the story would be different as the lure of quickly taking over millions of devices would be very strong...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
BREAKING NEWS!
Your attention please. We have a very important announcement to make. Listen carefully, because what we have to say MAY SAVE YOUR LIFE!
Today's top story: Hacks can have unintended consequences.
That is all.
I saw a brilliant slide at Blackhat last week that sums it up perfectly (same vendor, different product)
Native Security Functionality of Adobe Flash
[ This slide intentionally left blank ]
John
Yes, excellent job. Now you just ran an app on your hand held computer that rooted it from a browser. Amazing work of the hackers aside, are you certain you now know for sure your phone is not spying on you and is not going to be used for something you do not want, like someone else using your connection for long distance calls or for spam or DDOS attacks or just a part of some cellular botnet?
Amazing job - someone rooting your phone through a PDF.
You can't handle the truth.
P. D. F = P0wn Da Fone?
They may have stopped in later versions(my job description requires supporting XP, and you have to pay me to care about windows, so that is where my knowledge lies); but MS included flash in XP. It is version 6; because base XP is older than dirt; but they did include it.
More relevant to modern readers, most OEMs seem to ship consumer-focused systems with vaguely up-to-date-but-just-a-bit-behind versions of Flash(and acrobat reader, and other stuff). This isn't strictly microsoft's fault; but it is what you are likely to get out of the box.
If you consider jailbreaking the iPhone a favor to the user.
The users who are doing it would, that's why they are doing it!
The next site that uses this gaping security hole to install a rootkit, or other malicious piece of software, won't be such a favor. This is a huge security issue for iDevices.
Oh, I totally agree - it's a pretty bad security flaw, and has nice demonstration code for how to exploit it as well so it's pretty much the worst possible case.
That's why it's so interesting to see if there are in fact followup malicious attacks.
The fact that it is a PDF exploit rather than an iOS issue makes it more difficult for Apple to patch since it's not "one of their own".
No. Apple wrote all the PDF handling code in iOS (and on the Mac). We'd see a lot more attacks like this had they embedded Adobe Reader....
Clearly it's Apple responsibility to fix this ASAP (and their fault for letting it get into customer's hands), so they better get on it before someone else starts turning things into iP0wns.
It is 100% on Apple to get a fix out. With 4.1 so close at hand, they may wait on that to finish up... or perhaps it's a sliding scale and the first sign of any real attack will bring down the update hammer if it happens before 4.1 (4.1 beta 3 just came out today and probably fixes this bug).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Pardon my language, but, what the fuck?
If my web browser is such that browsing to a page can lead to code execution as root, that's bad. I don't care if the system is open or closed or what government agency might be listening in, it is a serious vulnerability any way you slice it. It should be patched.
Your comment is entirely irrelevant to the post it is replying to. You're phrasing it as a rebuttal of some kind, but it does not say anything to this point.
Apple does not use Adobe Reader for PDF. I thought everyone knew this by now. Apparently not.
Your comment is ridiculous, yet moderated at +5 Insightful. If your computer can be owned through a web browser by opening a PDF, then your computer is insecure, this is the issue.
If you buy products from a company that does not release source code that is a different issue completely. Yes, a company can be providing governments with your information. No, it does not make it OK for the phone from that company to be exploitable the way iphone is.
You can't handle the truth.
Yeah, I always refer to stuff that happened earlier today as "ages ago."
It's a bug in the font rendering component, which apparently lives in kernel space. PDFs are allowed to embed fonts, and apparently Preview doesn't verify the font data before tossing it to the renderer. Apparently the renderer doesn't verify it either, because instead of rejecting the data as invalid, it gives the attacker completely unrestricted control over the software.
PDFs having embedded fonts is a very useful and entirely reasonable feature. It would help if Preview validated the fonts, but that's not entirely required (you could validate somewhere further down the pipeline, so long as you don't try to process the unvalidated data). There are several other ways to remotely load fonts, ranging from other document formats to the Web Open Font Format (http://www.w3.org/Submission/2010/03/) and some CSS in a web page. There's a decent chance that at least a few others are vulnerable to this exploit. However, there's been considerable research recently into Apple's PDF reader, with one researcher finding 60 different exploitable bugs in the software (though most of them probably aren't kernel). By comparison, the same testing data found three exploitable bugs in Adobe Reader.
Having font rendering/rasterizing in the kernel is... not brilliant, but not inherently a critical security flaw. It's certainly possible to do in userland, and probably safer, but displaying text is something that almost every app will need to do at some point, and putting it in the kernel will minimize memory footprint and maximize performance. The real WTF here is that the data isn't being validated extremely carefully as soon as it enters the kernel, and possibly before. When kernel-mode code starts parsing unvalidated data, the best you can really hope for is that you get a kernel-mode crash and are forced to do a hard reboot (on Windows, this would be a BSOD).
There's no place I could be, since I've found Serenity...
Not only is it native, it's really, really insecure. A security researcher named Charlie Miller wrote a 5-line Python script to generate fuzzed (slightly corrupted) PDF files from valid templates. He created roughly 2.8 million of these, and then ran them through Apple's Preview program, and through Adobe Reader. His findings:
0.09% crash rate on Reader, and 4 exploitable bugs found.
5.6% crash rate (52x as many), and 61 exploitable bugs found (15x as many).
When your security is more than an order of magnitude worse than Adobe's, you've got a major problem.
By the way, this is the guy who won an iPhone at Pwn2Own. He's presented at CanSecWest and Blackhat, and possibly elsewhere. He knows his stuff.
There's no place I could be, since I've found Serenity...
I looked at the web page for my local newspaper today and it featured two headlines right above one another:
1. iPhone4 Jailbreak Offers Apps to Millions
2. Microsoft Windows Flaw Leaves Millions Vulnerable to Hackers and Malware
I guess we always knew that mass media lives well inside the reality distortion field, but still ...
It says nothing about Apple's policies and everything about the mass media.
The joke is that this so-called "document format" is going way outside its original scope and now supports so much scripting that it might as well be a library for executable files.
I'm going to start sending out all my resumes in dll format... I think it's safer that way...