
iPad 2 JailBreakMe (3.0) now available - Swannie
http://www.jailbreakme.com/#moreinfo
======
StavrosK
After all the trouble Apple went to to secure the boot loader, I expected this
to be a really complicated procedure. I saw the Tweet today and I went on the
site, clicked on "install" and Cydia started installing.

I was blown away. How is this even possible? Did they find another userland
exploit that allows you to write to the boot loader? I am very, very
impressed.

~~~
Swannie
From <http://blog.iphone-dev.org/post/7295551750/jailbreakme-times-3>

"Q: Do the holes discovered by @comex put my device at risk? A: Yes. We
recommend installing _PDF Patcher 2_ in Cydia once you’re jailbroken to
eliminate this risk (any firmware version)."

~~~
JonnieCache
PDF really is the most dangerous file format around today.

Did you know the PDF spec includes its own LISP-like language? As well as
basically anything else you can imagine. It is surely impossible to write a
secure, conformant PDF reader.

If I ran any kind of super-sensitive organisation I'd include an outright ban
on PDF renderers in my security policy. If anyone _really_ needed to look at
PDFs, I'd require them to be rendered down to TIFs or something on a
"cleanroom" machine, preferably running some sort of locked-down linux build.

This talk has all the shocking details:
<http://www.youtube.com/watch?v=54XYqsf4JEY>

~~~
rakkhi
How about the Mozilla project to do PDF in js?
<http://blog.mozilla.com/cjones/2011/07/03/pdf-js-first-milestone/>

~~~
JonnieCache
That one wins by not bothering to conform to the PDF spec at all.

The spec is _huge,_ and the insecurity comes from having to faithfully
implement all its utterly insane features, like embedding flash files,
executing javascript, rendering external assets, and so on.

The challenge is to decide which subset of those features you want to
deliberately ignore.

Most of the esoteric ones are likely critical to obscure, in-house business
applications created years ago by corporate coders lacking in sense. Adobe
Reader obviously implements everything, and it's the reference implementation,
so it is installed in most businesses.

Unfortunately, business is the area most in need of security.

In summary: OMGWTFPDF!

~~~
pasbesoin
Some rich clients deliberately ignore parts of the format. For example, the
Windows-based Sumatra client did. It seems to have been acquiring more
features in the last few releases, and I'm not sure of its current state. But
in the past it has been useful for example in that it simply doesn't run
embedded Javascript. Or Flash.

That's been my personal approach, such as it is, to the need to deal with some
PDF files from third parties. I look for the environment that does no more
than render the static page content.

Somewhat akin to using NoScript in the browser. I only execute when I need to,
and then from a source for whom I have some trust.

I recently had to clean up some business systems belonging to a relative whose
employee ran an infected PDF. By avoiding execution, I was able to examine the
PDF and show them how it was indeed the source of their problems.

Unfortunately, these "business users" still have limited will to learn the
techniques to avoid such problems. I've made some impression, but the Adobe
PDF format is still a time bomb ticking away in the midst of their
organization.

I'll mention that, for casual browsing, I use an extension that redirects PDF
URLs to Google's Document Viewer (while not signed in to Google). Again, I
get (usually) the static view without having to trust or execute the file on
my own system. Thanks, Goog!

(Note that I don't do the latter with documents containing sensitive/personal
information.)

------
wofser
I never bothered with any Jailbreaks before. I've had a 3GS for 2 years.

Visited the site with my iPhone. Pressed Install. No confirmation or anything.

Now I have a Cydia app on my phone that I can move but not delete. Was that
all it took to jailbreak my phone? (It took like 10 seconds)

~~~
18pfsmt
You should probably change your root password at this point since the default
root password is the same for all devices.

~~~
wofser
Even if I don't install OpenSSH from Cydia?

~~~
Xuzz
No real need if you don't: there's no additional vector added by the jailbreak
to even try entering a password if you don't have sshd installed.

------
demonfly
I used Fiddler to sniff traffic between iPad 2 and Jailbreakme during
jailbreaking but I did not find where the PDF files are located. Could you
help me find out where the PDFs that contain the exploits are?

~~~
JonnieCache
There is no PDF file, the pdf is a base64 encoded data-uri in the javascript,
in the page itself, not even in a separate asset.

For those who fancy doing some analysis, here's the curl command with the
required ipad UA string:

    curl -A "Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5" http://www.jailbreakme.com

EDIT: here's the b64 pdf: <http://pastebin.com/69tnPMdV>

the PDF is _very_ invalid, because it never needs to masquerade as a real
document, it doesn't have to pretend to implement the PDF spec correctly. This
makes it somewhat resistant to analysis, it doesn't even have the required
'%%EOF' marker so many tools choke on it immediately.

EDIT: There's an unterminated stream object in there which doesn't have a
type, and it also has a declared length of 61 bytes and an actual length of
well over 400. I think we have a winner... Unfortunately iOS shellcode
analysis is _waaaay_ over my head so I'll have to do something useful instead.
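
As an added example (not code from the thread, from comex, or from jailbreakme.com), here is a small Python triage script for the two observations above: pull the base64 PDF data: URI out of a fetched page, decode it to raw bytes, and report whether the file carries a %%EOF marker and whether each stream object's declared /Length matches the bytes actually present between `stream` and `endstream`. The page fragment and PDF it runs on are constructed stand-ins, not the real document, and the regexes are deliberately crude (no indirect `/Length n 0 R` references, no nested dictionaries), since the aim is to flag a file that never meant to render, not to parse PDF properly.

```python
import base64
import re

# Constructed sample, not the real exploit document: a deliberately malformed
# PDF (no trailer, no %%EOF, one stream whose /Length understates its body)
# embedded as a base64 data: URI inside a <script> tag, the delivery shape
# described in the thread.
_SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj\n<< /Length 5 >>\nstream\n" + b"A" * 40 + b"\nendstream\nendobj\n"
    + b"2 0 obj\n<< /Length 4 /Type /XObject >>\nstream\nBBBB\nendstream\nendobj\n"
)
SAMPLE_PAGE = (
    "<html><script>var pdf='data:application/pdf;base64,"
    + base64.b64encode(_SAMPLE_PDF).decode("ascii")
    + "';</script></html>"
)

DATA_URI_RE = re.compile(r"data:application/pdf;base64,([A-Za-z0-9+/=]+)")
# One stream object: its dictionary, then the bytes between the 'stream'
# keyword and 'endstream'. Crude on purpose: no nested dictionaries and no
# indirect /Length references, because the goal is triage, not conformance.
STREAM_RE = re.compile(
    rb"<<(?P<dict>.*?)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream", re.DOTALL
)
# Direct /Length only; '/Length 10 0 R' (indirect) is skipped by the lookahead
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
TYPE_RE = re.compile(rb"/Type\s*/(\w+)")


def extract_pdfs(page):
    """Return every base64-encoded PDF data: URI in the page, decoded to bytes.

    Decoding to raw bytes (not to ASCII or UTF-8 text) matters: stream bodies
    are arbitrary binary, so any text decoding only garbles them.
    """
    return [base64.b64decode(m.group(1)) for m in DATA_URI_RE.finditer(page)]


def audit_pdf(pdf):
    """Flag the structural oddities the thread describes.

    Returns a dict with has_eof (trailer marker present), streams (one record
    per stream object: declared vs actual length and /Type, if any) and
    suspicious (True when the file looks like it never meant to render).
    """
    streams = []
    for m in STREAM_RE.finditer(pdf):
        d = m.group("dict")
        lm = DIRECT_LENGTH_RE.search(d)
        tm = TYPE_RE.search(d)
        declared = int(lm.group(1)) if lm else None
        actual = len(m.group("body"))
        streams.append({
            "declared": declared,
            "actual": actual,
            "type": tm.group(1).decode("ascii") if tm else None,
            # a body far longer than declared is the mismatch worth a look
            "mismatch": declared is not None and declared != actual,
        })
    has_eof = b"%%EOF" in pdf[-1024:]
    suspicious = (not has_eof) or any(s["mismatch"] for s in streams)
    return {"has_eof": has_eof, "streams": streams, "suspicious": suspicious}


def triage_page(page):
    """Audit every inline PDF found in a fetched page (e.g. curl output)."""
    return [audit_pdf(p) for p in extract_pdfs(page)]


if __name__ == "__main__":
    for report in triage_page(SAMPLE_PAGE):
        print("has %%EOF:", report["has_eof"], "suspicious:", report["suspicious"])
        for s in report["streams"]:
            print("  stream type=%s declared=%s actual=%d mismatch=%s"
                  % (s["type"], s["declared"], s["actual"], s["mismatch"]))
```

To use it on a real fetch, read the saved output of the curl command above into a string and pass it to `triage_page`; on the constructed sample it reports no %%EOF and one untyped stream declared at 5 bytes but actually 40 bytes long, the same shape as the object described in the comment.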

~~~
gary4gar
I decoded base64 & got this: <https://gist.github.com/1067129>

bunch of random gibberish?

~~~
kristofferR
When decoding to ASCII instead of UTF-8 (like you've done) I got this. It
makes a little bit more sense at least, but not much.

<http://pastebin.com/YuPrMhiE>

~~~
gary4gar
I guess the actual shell code starts from line 40 ">>stream..."

It must be using some other encoding, only if we knew which!

~~~
JonnieCache
It's presumably just a lump of binary ARM opcodes.

~~~
demonfly
We need a debugger or a disassembler like IDA Pro to reverse engineer that
code.

------
kristofferR
The release of this is probably related to the leak [1]. My guess is that they
intended to save this for iOS5, but had to release it now due to the beta
leak.

[1] <http://www.iphonedownloadblog.com/2011/07/02/jailbreakme-ipad-2-jailbreak-leaked/>

~~~
Swannie
Indeed, his twitter stream has him complaining about people asking him to
hurry up :P (<http://twitter.com/#!/comex/status/84126363598065664>)

The leak prompted quick action, lest Apple close the bus sized hole.

------
jlongster
It doesn't work on my iPhone on 4.3.3 with that 4.10.01 baseband. The cydia
icon comes up, but when the icon changes to "Installing..." it just
disappears.

------
ianterrell
If Apple made an official jailbreak they'd stop getting all this free
penetration testing.

~~~
glhaynes
Would they? Windows still seems to get lots of free penetration testing...

------
Torn
So I've installed Cydia for the first time on my 3GS, and am wanting to use
the 'PDF Patcher 2' fix to stop other sites doing driveby exploits.

Seems that results for the bigboss repository aren't being returned in Cydia,
and the repo backend isn't responding to requests.
<http://apt.thebigboss.org/onepackage.php?bundleid=pdfpatch2>

Anyone else thinking the bigboss repo (only source of the pdf patcher 2, as
far as I can tell) is being kept down on purpose?

~~~
smackfu
Does anyone know how Cydia licensing actually works? I jailbroke just to
install RetinaPad, and I managed to buy it and install it. Cydia says "Package
Officially Purchased". RetinaPad says "RetinaPad license missing!" and doesn't
work. I guess the license download failed or something (due to high load?) but
I don't see how to fix it.

It really makes me appreciate the Apple App Store, to be honest.

~~~
ryanpetrich
All Cydia Store purchases go through SaurikIT's centralized payment processing
server. When the user attempts installing a store package, the repo that hosts
it queries the central licensing server to see if the device is authorized
before returning the package. Some packages make additional calls after the
package has been installed on the device to download a license.

It is this final step that was failing intermittently on my servers due to the
insane load (~300x usual sales on this package, ~125x traffic load overall).
Please give it a try now, I have verified that it is up.

~~~
smackfu
Thanks! Interesting. It still isn't working, after uninstalling / reinstalling
in Cydia, but I guess I'll give it a day or two. Is the Authorize button in
RetinaPad supposed to actually do something?

------
mrspeaker
I know it's obvious enough and not really scary - but that page is tracking
every jailbreak and failed jailbreak:

    // track jailbreaks!
    _gaq.push(['_trackEvent', 'jailbreak', 'jailbreak']);
    timeout = setTimeout(function() {
        _gaq.push(['_trackEvent', 'failed', 'failure']);
        goto('failure');
    }, 5000);

~~~
comex
It's just Google Analytics, with custom events so we can get statistics about
failure.

------
msh
Works fine on my 3GS running 4.3.3

~~~
vizzah
+1. flawless.

------
michh
It works on the iPhone 4 as well (or at least: it did on mine). Was amazed by
how fast and easy that was.

------
schrototo
I hope they fix this fast, this is a _huge_ security risk.

~~~
Swannie
Indeed, and Comex gave them a heads up ~3.5 weeks ago that something was amiss
in PDF. Let's hope they found it and are just going through the last testing
cycles for the new patch?!

------
Aqua_Geek
I'm intrigued how OTA OS updates will affect Apple's response time to exploits
like this.

~~~
xorglorb
Given that they are delta updates, they will probably be able to push a patch
within a few days. Let's hope they take advantage of it.

------
rakkhi
I wrote this when the original Jailbreak for iOS came out. Think the
mitigations still apply but aren't implemented by Apple.

<http://www.rakkhis.com/2010/08/can-chrome-learn-from-iphone-jailbreak.html>

------
dublinclontarf
Meh, didn't work for me. iPad.

~~~
kristofferR
Sure you're on 4.3.3 and not 4.3.2/4.3.1?

~~~
dublinclontarf
I think it's 4.3.2.

I've not bothered to update yet. iPad 1.

~~~
jaz
4.3.2 worked for me (iPad 1). Perhaps you have a previous version?

