PDF exploit in iOS 4 - andreyf
http://daringfireball.net/linked/2010/08/02/jailbreakme

======
cscotta
It is good to see some analysis turning up on the exploit front. I was (and
still am) surprised that the coverage of this jailbreak has been focused
almost exclusively on the jailbreak itself rather than the attack vector and
its implications.

The fact that a zero-day remote code execution exploit can be triggered so
reliably in every iOS 4 and iPad 3.x device that the creators could drop a
cute "Slide to Jailbreak" widget on a web page is alarming. With nothing more
than a single rogue link and a bit of Objective C, this exploit could easily
be used to produce a worm spread by e-mail or SMS to every contact with a link
to the same rogue code, hopping from device to device as users tap an innocent
link from a friend. In fact, the action of clicking a link could be bypassed
entirely by script injection -- resulting in infection should the user merely
browse to a page serving the rogue JS. Considering that the exploit is
PDF-based, it's likely that it could also be triggered by viewing a document in
Mail.

The prospect of iOS worms is very real, and unless Apple begins to take
security more seriously (note that this is the second remote code execution
exploit accessible from within MobileSafari, and they've yet to even make a
peep about this one), I would not be surprised if we begin to see malware on
the platform.

[ See the original exploit teardown here:
<http://digdog.tumblr.com/post/894317027/jailbreak-with-pdf-flatedecode-filter> ]

~~~
tptacek
While I agree with your general take on the severity of the problem, I'm going
to point out:

* The teardown you've linked to is (a) pretty superficial and (b) wrong (though I see it's now been corrected) --- here I will annoy you by smugly noting that you've linked to an exploit teardown written by someone who thinks it's likely that the iPhone would have been vulnerable to an Acrobat Reader flaw.

* It is not generally the impression I get from vulnerability researchers that the iPhone does a poorer job of defending against remote code execution vulnerabilities than Android; specifically: the iPhone has much stricter (DEP-style) page protections than OSX, and the iPhone has strict code signing.

Does Apple need to take security seriously? Indubitably. But I don't think you
can read tea leaves here. Things like this are going to happen _to every
phone_. Let's see how Apple handles it; that, at least, is a signal we can
actually discuss reasonably.

~~~
illumin8
Agreed. There are dozens of WebKit bugs fixed in every iOS point release.
These bugs are usually exploitable on any WebKit browser which includes iOS,
Android, and a number of desktop platforms like Safari and Chrome.

It's not the end of the world, but it would be nice to see companies take
browser security more seriously.

~~~
tptacek
Charlie Miller suggested that this flaw actually tickles a bug in IOKit, which
suggests that it isn't a cross-platform flaw, which makes sense since WebKit
doesn't (AFAIK) do PDF.

------
DrJokepu
So how do people know that this site doesn't install a rootkit that spies for
credit card numbers or something similarly sinister? Why do they trust it?
Because it looks "legit" or because it's in the news?

Imagine something along the lines of:

 _Clueless user:_ Wow this jailbreaking site really worked well! Now that it
has finished, it's showing a Paypal donation button in my browser. It was
really helpful so I'll just go ahead and donate $10 on Paypal, right here in
the browser of my newly jailbroken phone...

 _Author of the crack:_ [trollface.jpg] (thanks for the Paypal login details!)

~~~
Lewisham
_shrug_

Why do you trust anyone to do anything? Why do I trust AT&T not to be
recording phone calls for the NSA (oh wait...) or Sony not to install rootkits
on my Windows PC (hang on a second...).

At the end of the day, unless it's open-source, the possibility of malicious
intent is everywhere. It only takes one disgruntled/incompetent employee.

That said, Gruber's last post on this indicated someone of repute had looked
over the exploit, and they hadn't mentioned anything about such nastiness.

~~~
DrJokepu
To be fair, even open source is not an absolute guarantee for lack of
malicious code, as proven by the absolutely brilliant Underhanded C Contest:
<http://underhanded.xcott.com/>

~~~
uxp
Not only that, but combine some random code you don't really know about, and
slightly less than stellar (aka average) security practices on the web and you
might end up with a backdoor trojan implemented in your open source project:
<http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt>

------
Samuel_Michon
Every time a new method for jailbreaking is announced, you know there must be
an exploit in the OS. Apple will surely fix the exploit with an OS update, but
as an effect customers won't be able to use jailbreak with that version. And
so it becomes a question of whether you choose freedom or safety.

~~~
rryyan
The jailbreak for iOS 1.1 based on the TIFF vulnerability also had a side
effect of patching the vulnerability itself[1] -- does jailbreak.me (or
another party) do the same?

[1] <http://www.networkworld.com/news/2007/102907-iphone-ipod-touch-jailbreak-app.html>

------
sev
> "remote code exploit now in the wild"

it's not just a remote code exploit... it's privilege escalation, and that's no
joke.

------
jrockway
Good thing Apple requires C, C++, and Objective-C.

Good thing for crackers, I mean.

------
vinhboy
Three days now, and no one figured it out yet... I want to know more... links,
anyone?

------
antidaily
So who's tried it?

~~~
ElbertF
I jailbroke my wife's phone (3G) a couple of days ago, the process was a
breeze. I have to say the OS feels a bit sluggish now but that may have been
caused by the update to 4.0.1.

~~~
Splines
Back when I had a jailbroken 3G running 3.something, it was noticeably slower.
It ended up getting wiped by my 1 year old; I didn't re-jailbreak it and found
it to be more performant.

IMO, unless you _really_ need an app that lives only in Cydia, it's not worth
the hassle. Tethering is cool, but seems like something I would personally
need 1% of the time.

------
drivebyacct2
Good thing Apple's review policy on the AppStore worked. (In case it's not
immediately obvious, this is sarcastic in multiple dimensions.)

~~~
rryyan
I know you're being sarcastic, but an exploit in iOS really doesn't have
anything to do with Apple's review policy for 3rd party applications.

~~~
spinchange
A principal reason they give as a defense of their app review policy and
walled garden approach is that it is necessary to protect users from bad or
malicious apps.

I think he's inferring (or pointing out the irony) that perhaps it's not the
3rd party ones they need to be so overly concerned with.

~~~
dman
The popularity of the jailbreaks suggests that Apple might be underestimating
the intelligence of their own users.

~~~
andreyf
I think Apple realizes the importance of the jailbreaking community (at least,
some people at Apple do - do you doubt that 20 year old Steve Jobs would have
jailbroken his phone?). I imagine they're simply uninterested in an arms race
on that front.

~~~
CamperBob
True; 20-year-old Steve Jobs was 'jailbreaking' the whole damn phone company
(<http://www.paulgraham.com/bluebox.html>).