The FlateDecode Hole: How JailbreakMe Gets Root

    The simple, elegant JailbreakMe tool exploits a zero-day security hole in Mobile Safari to gain root access to the iOS kernel. The vulnerability, which involves a filter used with embedded files in PDF documents, could still be used by malicious hackers to attack any iOS device, not just jailbroken ones. However, until Apple fixes the hole, the only way to protect yourself is to jailbreak and install @cdevwill's PDF Loading Warner tweak. Tell your friends.

    Ching-Lan Huang has a nice technical explanation of how the FlateDecode exploit works. Basically, the PDF file used for JailbreakMe contains a payload disguised as a Compact Font Format (CFF) font. FlateDecode - the lossless, general-purpose PDF filter for any data compressed with the zlib implementation of classic RFC 1951 deflate - uncompresses the stream and loads the CFF font from it, and parsing that font causes the font stack to overflow. As Huang describes it: "Kaboom." The payload then executes, jailbreaks your device, and loads Cydia.
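    As an added illustration of the mechanism just described (this is not code from the article, from Huang's write-up or from comex's tool), here is a defender's triage script: it locates stream objects in a PDF, inflates the ones filtered with FlateDecode under a size cap, and flags any whose decompressed bytes begin with a CFF font header, so an analyst can pull such streams out for review before a viewer ever parses them. The skeleton PDF fixture, the `SAMPLE_CFF` bytes and all function names are constructed for this example; the stream matching is pattern-based and does not resolve object streams or indirect /Length values.

```python
"""Added example: triage scanner that inflates FlateDecode streams in a PDF and
flags embedded CFF fonts (the container JailbreakMe's payload was disguised as).
A detection aid for analysts, not a production PDF parser."""
import re
import sys
import zlib

# A stream object: a dictionary (one level of nested << >> allowed) followed by
# the 'stream' keyword, the body, and 'endstream'. Pattern matching only: object
# streams, cross-reference streams and indirect /Length values are not resolved.
STREAM_RE = re.compile(
    rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)endstream", re.DOTALL)
# Direct /Length only; an indirect "/Length 7 0 R" is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def extract_streams(pdf_bytes):
    """Yield (stream_dictionary, raw_body) for every stream object found."""
    for m in STREAM_RE.finditer(pdf_bytes):
        sdict, body = m.group(1), m.group(2)
        lm = LENGTH_RE.search(sdict)
        if lm:
            body = body[:int(lm.group(1))]   # honour a direct /Length
        else:
            body = body.rstrip(b"\r\n")       # else drop the EOL before endstream
        yield sdict, body


def looks_like_cff(data):
    """CFF 1.0 header: major 1, minor 0, hdrSize >= 4, offSize in 1..4."""
    if len(data) < 4:
        return False
    major, minor, hdr_size, off_size = data[0], data[1], data[2], data[3]
    return major == 1 and minor == 0 and hdr_size >= 4 and 1 <= off_size <= 4


def scan_pdf(pdf_bytes, max_inflate=4 * 1024 * 1024):
    """Return one finding per FlateDecode stream: whether it inflated cleanly,
    how large it became, and whether the inflated bytes start a CFF font."""
    findings = []
    for idx, (sdict, body) in enumerate(extract_streams(pdf_bytes)):
        if b"/FlateDecode" not in sdict:
            continue
        # FontFile3 streams declare /Subtype /Type1C; a CFF header in a stream
        # that does not declare itself a font is the more interesting case.
        finding = {"stream": idx, "declared_font": b"/Type1C" in sdict}
        try:
            # decompressobj with max_length caps the output, so an inflate bomb
            # cannot exhaust memory while we triage.
            inflated = zlib.decompressobj().decompress(body, max_inflate)
        except zlib.error as exc:
            finding.update(status="corrupt-deflate", detail=str(exc))
            findings.append(finding)
            continue
        finding.update(status="ok", inflated_len=len(inflated),
                       embedded_cff=looks_like_cff(inflated))
        findings.append(finding)
    return findings


def build_sample_pdf(payload, subtype=b"/Type1C"):
    """Constructed fixture: a skeleton PDF with one plain stream and one
    FlateDecode stream carrying the given payload under the given /Subtype."""
    compressed = zlib.compress(payload)
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
            b"3 0 obj\n<< /Length " + str(len(compressed)).encode()
            + b" /Filter /FlateDecode /Subtype " + subtype + b" >>\nstream\n"
            + compressed + b"\nendstream\nendobj\n%%EOF\n")


# Constructed stand-in for an embedded CFF font: a valid header, zero-filled body.
SAMPLE_CFF = bytes([1, 0, 4, 1]) + bytes(60)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_pdf(SAMPLE_CFF)
    for finding in scan_pdf(data):
        print(finding)
```

    Run it with a file path to triage a real document, or with no arguments to scan the built-in fixture. A stream that inflates to a CFF header but carries no font /Subtype, or one that fails to inflate at all, is the kind of result worth a closer look; a clean font stream in a font descriptor is normal PDF content.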

    Charlie Miller, who found a similar vulnerability in Mac OS X Safari, calls this exploit "very beautiful work," adding that it's "scary how it totally defeats Apple's security architecture." What can't be emphasized enough is that this is a door Apple left jammed open, not one that comex broke open. The hole was there from the beginning (which is why we call it a "zero-day" vulnerability), and it's still there now, on every iOS device, jailbroken or not. What the Dev-Team's Will Strafach (@cdevwill) put together is a simple tweak, PDF Loading Warner, that will detect when a PDF file is attempting to load arbitrary code. If you're on a trusted site, you can choose "Load"; otherwise tap "Cancel" and you're all good.

    Good news/bad news: as @chpwn tweeted yesterday, "there are /lots/ of public exploits out there, and @comex's JailbreakMe just uses one of them." So it's "no big deal" if Apple fixes this one, because there are, apparently, enough holes in the system to allow future jailbreaks. Yikes. And Apple complains about jailbreaks causing "compromised security..."
    This article was originally published in the forum thread "The FlateDecode Hole: How JailbreakMe Gets Root", started by Paul Daniel Ash.
    Comments (83)
    nickxab -
      Wow thanks for the news.
    Joseph_Prophet -
      Quote, originally posted by dark_stranger:
      I know that, so less of the noob, nob. And ultimately, Safari is an app that has identified security flaws, which the developer will be required to fix, especially now that it's been highlighted in such an extreme way. So it may be a mobile device as you brilliantly pointed out, but on the said mobile device it is running an OS, and applications, very much like a PC, so basic principles apply. App release, flaw identified, revision of software released addressing flaw. It's not rocket science.
      Yes, but unlike a PC you can't individually update stock applications; they have to come with the full firmware update.
    The Digital Alchemist -
      Please, does anybody know what OSs PDF Loading Warner is compatible with? I haven't upgraded in a very long time because I didn't want to risk my JB.

      Thank you.

      Nevermind, I wrote to Mr. Strafach directly and his response was:

      "As a proactive measure, I actually "hook" two of the commonly used functions for showing PDFs, in hopes that it will help support people on other firmwares, in case Apple used the alternative one on an older firmware. Unfortunately, I have only been able to test it on my 4.0.1 device, so I am unsure as to whether it will work on your device or not :/

      Wish I could be of more assistance to you, but I do not have a device available on iOS 2 that I can test on. Sorry."
    alectra82 -
      Whewww. thanks for the heads up. Until I read this I had no plans to jailbreak. I told all my friends too.
    ozarka -
      No idea why you would want to report something like this even if there are other holes... it's retarded, keep it to yourself.
    santacruzlocal -
      Quote, originally posted by olivo42:
      I need some Help!

      After JB my 3GS iOS4 with Jailbreakme.com, it keeps on SAFE MODE all the time, but I cannot get it out.

      Please help me out... should I try Jailbreakme.com again?
      Restore then re-JB. Same thing happened to me.
    UKROB86 -
      GLITCH FOUND: after installing "PDF Loader Warning", repeated pop-ups of the PDF loader warning can be produced if accessing clock.app/world clock.

      I started a thread on this also. Please test on your devices..
    yogurt -
      Quote, originally posted by UKROB86:
      GLITCH FOUND: after installing "PDF Loader Warning", repeated pop-ups of the PDF loader warning can be produced if accessing clock.app/world clock.

      I started a thread on this also. Please test on your devices..
      Happens to mine also; everything else on the clock app works fine though, just the world time. I'm currently on a 3GS 32GB on 4.0 unlocked.
    javiert30 -
      Installed
    dhamien -
      Quote, originally posted by BeachLivin88:
      Correct. The exploit is specific to iOS4. 3.X users are in the clear
      As said earlier in this thread by more than one, no you're not in the clear. The hole exists in 3.x as well.
    iFone_Inpho -
      This really is a prime example of jailbreaking at its finest. Apple is going to pay a group of people an unheard-of amount of money to find this and fix it in probably 2 months with an update, but yet this fine dev team found a temporary solution to help the situation. Apple claims jailbreaking your phone is a security breach, but in actuality they are fixing Apple's mistakes and making our phones MORE secure by jailbreaking. I think Apple owes the dev team a thank you for mopping up their botched mistake.

      I also just want to take a second and thank the dev team for all the work they do... all for free. I will support you guys by getting all the paid apps they produce and really encourage everyone else to do the same.

      Also, on a side note, I know nobody really cares about what I think, but no one wanted an i4 jailbreak more than me, and I never once sent an e-mail or tweet about "hurrying" the jailbreak. This stuff takes time and I knew once a jailbreak was ready they would release it. For all the people that bothered the dev team in this process, please let the actions of geohot be a lesson. They don't need people DEMANDING a jailbreak every 5 minutes. Just let them do what they do and don't harass them.

      Quote, originally posted by UKROB86:
      GLITCH FOUND: after installing "PDF Loader Warning", repeated pop-ups of the PDF loader warning can be produced if accessing clock.app/world clock.

      I started a thread on this also. Please test on your devices..
      I tested this and the warning pops up 6 times then goes away and you can access the world clock app. If you ask me this is a SMALL sacrifice for a more secure phone. You don't lose the world time options just have to press load 6 times.
    cypherpunk -
      10 times, actually. No big deal for me since I don't use Apple's clock app.
    clacrosseh -
      I'm not able to use this to jailbreak my iPhone 4. What is the problem?
    dhamien -
      Quote, originally posted by clacrosseh:
      I'm not able to use this to jailbreak my iPhone 4. What is the problem?
      This thread is about an app, not the iPhone 4 jailbreak.
    PanayiotisN -
      If Apple someday makes the iPhone un-jailbreakable, the customers won't buy it :P Personally, all of my friends who have an iPod touch or iPhone are jailbroken.
    Jaxxster -
      Could this PDF exploit be replicated in any app on the iPhone that runs PDF files, or is it only down to iBooks and Safari?
    holygamer22 -
      Quote, originally posted by dark_stranger:
      It's very clever. Still hurts my head trying to figure out how they managed to jailbreak my phone just by me going to a webpage. Very smart people.

      And I guess, if you want to keep the ability to jailbreak your phone, don't update Safari on your phone.
      Haha, funny, but it's impossible to update Safari on the phone unless you update to a newer firmware.
    dark_stranger -
      Quote, originally posted by Joseph_Prophet:
      OK, you update your firmware, not Safari. Your iPhone isn't a Personal Computer, it's a mobile device. n00b....

      BTW, very cool with the BTS info^^
      Oh look, they have updated/patched Safari.
    Joseph_Prophet -
      Quote, originally posted by dark_stranger:
      Oh look, they have updated/patched Safari.
      Yeah, they have, through a firmware update.
    andyharp -
      I'm confused. All this PDF warning app does is, every time you open a PDF, say "hey, you're opening a PDF so watch out". It does not actually look the PDF over for an exploit or anything. So once you've been told, why do we need an app to tell us every time we open a PDF???
      Don't get me wrong, I give credit to whoever discovered this exploit, but do I really need the app now that it is known??