The FlateDecode Hole: How JailbreakMe Gets Root


    The simple, elegant JailbreakMe tool exploits a zero-day security hole in Mobile Safari's PDF handling to run its own code on the device and, from there, gain root. The vulnerability, which involves the decompression filter applied to files embedded in PDF documents, could equally be used by malicious hackers to attack any iOS device, not just jailbroken ones: a web page that can install Cydia can install anything else. Until Apple fixes the hole, the only mitigation available is to jailbreak and install @cdevwill's PDF Loading Warner tweak, which puts the decision to open a PDF in your hands. Tell your friends.

    Ching-Lan Huang has a nice technical explanation of how the FlateDecode exploit works. Basically, the PDF file used for JailbreakMe contains a payload disguised as an embedded Compact Font Format (CFF) font. The font is stored in a stream marked with the FlateDecode filter, the standard PDF filter for data compressed with zlib (RFC 1950 framing around the classic RFC 1951 deflate algorithm). When Mobile Safari renders the PDF, it inflates the stream and hands the result to the font parser, which overflows a fixed-size stack buffer while interpreting the malformed font. As Huang describes it: "Kaboom." The payload then executes, jailbreaks your device, and loads Cydia. Note that the decompression is not where the bug lives; FlateDecode is simply the wrapper that carries the malformed font, compressed and therefore invisible to a naive scan of the raw file, into the font parser.

    Charlie Miller, who found a similar vulnerability in Mac OS X Safari, calls this exploit "very beautiful work," adding that it's "scary how it totally defeats Apple's security architecture." What can't be emphasized enough is that this is a door Apple left jammed open, not one that comex broke open. The hole was there all along, and Apple had not patched it when the exploit went public (which is what makes it a "zero-day" vulnerability); it's still there now, on every iOS device, jailbroken or not. What the Dev-Team's Will (@cdevwill) Strafach put together is a simple tweak, PDF Loading Warner, that stops Mobile Safari before it loads any PDF and asks you first. It cannot tell a benign PDF from a malicious one; it only ensures no PDF is parsed silently. If you're on a trusted site, you can choose "Load"; otherwise tap "Cancel" and the file is never handed to the vulnerable parser.
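    The chain described above (FlateDecode stream, inflate, hand the bytes to the CFF font parser) is also where an inspecting check can sit, and it is the check PDF Loading Warner does not make: the tweak warns on every PDF rather than looking inside. The script below is an added example written for this page; it is not code from the article, from comex, or from the Dev-Team. It scans a PDF for FlateDecode streams that inflate to something declared as a CFF font (/Subtype /Type1C) or shaped like one (the four-byte header from Adobe's CFF specification), and builds a constructed sample PDF to run against. Assumptions: a flat PDF layout with inline /Length values and no cross-reference resolution, and a sample "font" that is only a header plus filler, not a real or malicious font.

```python
"""Scan a PDF for FlateDecode streams that carry an embedded CFF font.

Added example for this article, not code from the article, from comex or
from the Dev-Team. It imitates the one decision a viewer makes before the
vulnerable step: inflate the stream, then decide whether to hand the bytes
to the font parser. A real PDF parser resolves xref tables and indirect
/Length references; this one assumes a flat layout and finds each
"<< ... >> stream ... endstream" object with a regular expression.
"""
import re
import zlib
from typing import Dict, List, Optional

# Assumption: stream data is delimited by "stream" + EOL and EOL + "endstream"
# as the PDF spec requires, with the dictionary immediately before it.
_STREAM_OBJ = re.compile(rb"(<<.*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def looks_like_cff(data: bytes) -> bool:
    """CFF header sniff per Adobe TN #5176: major 1, minor 0, hdrSize >= 4,
    offSize in 1..4. A viewer that sees this shape hands the bytes to its
    CFF font engine, which is where the JailbreakMe overflow happens."""
    if len(data) < 4:
        return False
    major, minor, hdr_size, off_size = data[0], data[1], data[2], data[3]
    return major == 1 and minor == 0 and hdr_size >= 4 and 1 <= off_size <= 4


def inflate(body: bytes) -> Optional[bytes]:
    """FlateDecode: zlib (RFC 1950) framing around deflate (RFC 1951).
    Corrupt or truncated input yields None so one bad object does not
    abort the scan of the rest of the file."""
    try:
        return zlib.decompress(body)
    except zlib.error:
        return None


def find_flate_cff_streams(pdf: bytes) -> List[Dict[str, object]]:
    """One record per FlateDecode stream that is declared as a CFF font
    (/Subtype /Type1C, the FontFile3 subtype) or whose inflated bytes
    start with a CFF header, whatever the dictionary claims."""
    hits = []
    for idx, m in enumerate(_STREAM_OBJ.finditer(pdf)):
        dictionary, body = m.group(1), m.group(2)
        if b"/FlateDecode" not in dictionary:
            continue
        inflated = inflate(body)
        if inflated is None:
            continue
        declared = b"/Type1C" in dictionary
        sniffed = looks_like_cff(inflated)
        if declared or sniffed:
            hits.append({
                "stream_index": idx,
                "declared_type1c": declared,
                "header_is_cff": sniffed,
                "compressed_len": len(body),
                "inflated_len": len(inflated),
            })
    return hits


def build_sample_pdf(payload: bytes, declare: bool = True) -> bytes:
    """Constructed test input: a minimal PDF whose only stream is `payload`,
    FlateDecode-compressed and optionally declared as a Type1C font."""
    compressed = zlib.compress(payload)
    subtype = b" /Subtype /Type1C" if declare else b""
    return (
        b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(compressed)).encode()
        + subtype + b" /Filter /FlateDecode >>\nstream\n" + compressed
        + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )


# Constructed CFF-shaped header (major 1, minor 0, hdrSize 4, offSize 1) plus
# zero filler in place of the INDEX structures. Not a real or malicious font.
SAMPLE_CFF = b"\x01\x00\x04\x01" + b"\x00" * 60
# Constructed page-content stream: ordinary text-drawing operators.
SAMPLE_TEXT = b"BT /F1 12 Tf 72 720 Td (hello) Tj ET"

if __name__ == "__main__":
    print("font PDF:", find_flate_cff_streams(build_sample_pdf(SAMPLE_CFF)))
    print("text PDF:", find_flate_cff_streams(build_sample_pdf(SAMPLE_TEXT, declare=False)))
```

    A hit does not mean the file is malicious; embedded CFF fonts are common in ordinary documents. The point is that the scan surfaces exactly the object type JailbreakMe abuses, and it does so on the inflated bytes rather than the dictionary, so a font stashed in a stream with no /Subtype is still reported. That is the difference between a warning on every PDF and a warning on the ones that will actually reach the font parser.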

    Good news/bad news: as @chpwn tweeted yesterday, "there are /lots/ of public exploits out there, and @comex's JailbreakMe just uses one of them." So it's "no big deal" if Apple fixes this one, because there are, apparently, enough holes in the system to allow future jailbreaks. Yikes. And Apple complains about jailbreaks causing "compromised security..."
    This article was originally published in the forum thread "The FlateDecode Hole: How JailbreakMe Gets Root", started by Paul Daniel Ash.
    Comments (83)
    1. macsoldier:
      Dang, I would have never known... THANKS
    2. delusion950:
      When there was news about how they found a hole in Safari, and then the jailbreak came out through the browser, I had a feeling they used that hole to release this jailbreak. Very smart. And thanks for the patch.
    3. eLuxury4viet:
      All of you who can't find PDF Loading Warner need to turn off Backgrounder and reload Cydia to get it to download the new release, and go back to search for PDF.
    4. dhamien:
      Quote Originally Posted by tremerone:
        So it affects any iOS device... just to clarify... those of us still running 3.1.2 or 3.1.3 should be in the clear... as this is the exploit for the iOS firmwares.

        Thanks
      No, it affects 3.1.2 and 3.1.3 as well, so you're not in the clear.
    5. confucious:
      Quote Originally Posted by dark_stranger:
        Fortunately the dev team are the good guys and on our side,

        or are they
      A gooder bunch of guys you'll never meet.
    6. Joseph_Prophet:
      Quote Originally Posted by dark_stranger:
        It's very clever, still hurts my head trying to figure out how they managed to jailbreak my phone, just by me going to a webpage. Very smart people.

        And I guess, if you want to keep the ability to jailbreak your phone, don't update Safari on your phone.
      OK, you update your firmware, not Safari. Your iPhone isn't a personal computer, it's a mobile device. n00b...

      BTW, very cool with the BTS info^^
    7. imfrank:
      What do I do? I mean, do I need to do something to not lose my jailbreak?
    8. ro0oney:
      We have a winner!!
    9. sandstorm77:
      Running 3.2.1 on my 3G iPad (jailbroken).
    10. unreach:
      Why did my usage time and standby time go away? It just says "-" now. What if a hacker is remotely accessing my phone without me knowing? Lol
    11. dark_stranger:
      Quote Originally Posted by Joseph_Prophet:
        OK, you update your firmware, not Safari. Your iPhone isn't a personal computer, it's a mobile device. n00b...

        BTW, very cool with the BTS info^^
      I know that, so less of the noob, nob. And ultimately, Safari is an app that has identified security flaws, which the developer will be required to fix, especially now that it's been highlighted in such an extreme way. So it may be a mobile device, as you brilliantly pointed out, but the said mobile device is running an OS and applications, very much like a PC, so basic principles apply. App release, flaw identified, revision of software released addressing flaw. It's not rocket science.
    12. luvmytj:
      Quote Originally Posted by amandej:
        Still can't open my iBooks.
      I had to re-sync it a second time to get my iBooks working correctly.
    13. WilliamO7:
      OK, let me tell you a few things:

      1. @comex is the person who developed Spirit, which is a userland jailbreak.

      2. The same type of jailbreak as JailbreakMe was introduced in 2007, when the iPod Touch had a TIFF vulnerability on 1.1.1.

      So he could have done it either way, and people are planning more exploits.
      So use the official jailbreaks and nothing else.
    14. Gom33:
      Quote Originally Posted by unreach:
        Why did my usage time and standby time go away? It just says "-" now. What if a hacker is remotely accessing my phone without me knowing? Lol

      Same with me, usage time went away.
    15. GellBrake'rrrr:
      Just installed it. This is just another example of how the Dev Team is very beneficial to us all. And for MANY REASONS! Thanks Will, for making this PDF tweak available for all of us. Great work!!!
    16. cypherpunk:
      Quote Originally Posted by tremerone:
        So it affects any iOS device... just to clarify... those of us still running 3.1.2 or 3.1.3 should be in the clear... as this is the exploit for the iOS firmwares.

        Thanks
      ALL IOS RELEASES.
      NOT just recent iOS releases. Yes, that means 4.0, 3.1.x and ALL VERSIONS BEFORE.

      The only reason jailbreakme.com doesn't work on versions prior to 3.1.2 (4.0 according to some) is that the payload in the "malicious" PDF is designed around that specific kernel version. That does not mean that the hole itself is not still there.

      *sigh*

      It's at times like this I think we really need a NoScript for mobile Safari...
    17. mustard05:
      I agree.
    18. rruready:
      Interesting how not that long ago there were pages of people bashing Android for the supposedly malicious wallpaper app that was collecting sensitive information (btw, three days after the story showed up on mmi, it was found to be false: Lookout Clarifies Accusations Against "Suspicious" Wallpaper App | Droid Life: A Droid Community Blog), now we have an article stating that the stock browser of iOS is this vulnerable. It's funny because now you have to jailbreak the iPhone to put proper precautionary measures in place for this, while Android has the simple solution of the Lookout app in the market. It just goes to show what I've said before and I'll say again... both OSes have pros and cons, and I hope all of the Apple fanboys who were bashing away just a few days ago about Android being "so open and vulnerable" realize it now.
    19. BeachLivin88:
      Quote Originally Posted by tremerone:
        So it affects any iOS device... just to clarify... those of us still running 3.1.2 or 3.1.3 should be in the clear... as this is the exploit for the iOS firmwares.

        Thanks
      Correct. The exploit is specific to iOS 4. 3.x users are in the clear.
    20. PWNsyst3m:
      Installed early this morning. Good stuff.