After all the trouble Apple went to to secure the boot loader, I expected this to be a really complicated procedure. I saw the Tweet today and I went on the site, clicked on "install" and Cydia started installing.
I was blown away. How is this even possible? Did they find another userland exploit that allows you to write to the boot loader? I am very, very impressed.
"Q: Do the holes discovered by @comex put my device at risk?
A: Yes. We recommend installing PDF Patcher 2 in Cydia once you’re jailbroken to eliminate this risk (any firmware version)."
PDF really is the most dangerous file format around today.
Did you know the PDF spec includes its own LISP-like language? As well as basically anything else you can imagine. It is surely impossible to write a secure, conformant PDF reader.
If I ran any kind of super-sensitive organisation I'd include an outright ban on PDF renderers in my security policy. If anyone really needed to look at PDFs, I'd require them to be rendered down to TIFs or something on a "cleanroom" machine, preferably running some sort of locked-down linux build.
That one wins by not bothering to conform to the PDF spec at all.
The spec is huge, and the insecurity comes from having to faithfully implement all its utterly insane features, like embedding flash files, executing javascript, rendering external assets, and so on.
The challenge is to decide which subset of those features you want to deliberately ignore.
Most of the esoteric ones are likely critical to obscure, in-house business applications created years ago by corporate coders lacking in sense. Adobe Reader obviously implements everything, and it's the reference implementation, so it is installed in most businesses.
Unfortunately, business is the area most in need of security.
Some rich clients deliberately ignore parts of the format. For example, the Windows-based Sumatra client did. It seems to have been acquiring more features in the last few releases, and I'm not sure of its current state. But in the past it has been useful for example in that it simply doesn't run embedded Javascript. Or Flash.
That's been my personal approach, such as it is, to the need to deal with some PDF files from third parties. I look for the environment that does no more than render the static page content.
Somewhat akin to using NoScript in the browser. I only execute when I need to, and then from a source for whom I have some trust.
I recently had to clean up some business systems belonging to a relative whose employee ran an infected PDF. By avoiding execution, I was able to examine the PDF and show them how it was indeed the source of their problems.
Unfortunately, these "business users" still have limited will to learn the techniques to avoid such problems. I've made some impression, but the Adobe PDF format is still a time bomb ticking away in the midst of their organization.
I'll mention that, for casual browsing, I use an extension that redirects PDF URLs to Google's Document Viewer (while not signed in to Google). Again, I get (usually) the static view without having to trust or execute the file on my own system. Thanks, Goog!
(Note that I don't do the latter with documents containing sensitive/personal information.)
The complexity of the PDF specification isn't what's relevant here. Even if pdf.js were to implement all of the PDF specification, it would still be more secure than Apple's renderer, because it's written in a memory-safe language.
This is one of the reasons pdf.js is so important: it reduces the attack surface of the browser.
I can't view the talk right now... do you mean its own scripting language or the fact that PostScript is turing complete? Either way you could execute it in a sandboxed environment and be pretty damn confident there won't be any problems.
Exactly. And look at how much of a nightmare it is every day! Fortunately on the web it is very useful. No need to invite that pain into an environment designed for replicating the printed page though.
And the thing is, the HTML spec doesn't include JS. It specifies a way of marking it up. That's not the same thing. The core PDF spec actually contains features so powerful, you could almost make a Lisp machine out of them. See the video for details.
When you can rewrite your bootloader from the web, I think it's safe to say there is a nasty browser & userland exploit out there for all iPads. Just like rooting an Android phone without adb or pre-rooted images usually involves OS-level exploits.
The only way to be safe from these is usually to root/jailbreak your system and then patch it up using your newly acquired powers to close the hole before anyone else gets cheeky.
Will be interesting to see if any virus-makers will decide to exploit this before Apple patches it up in a later iOS release.
The first thing I tried was to change the password (iPhone 4 4.3.3) after jailbreaking but the MobileTerminal crashes upon launch. Same story after a phone restart.
Edit: Figured out the problem. Looks like the MobileTerminal in the Cydia repo doesn't work for iOS 4.0 onwards. The following is a working version from the author of the app:
I've got a 3gs with an old tethering crack on it, and am considering upgrading to 4.3.3 to get this jailbreak. How can I be sure that this will work for me, and how do I go about tethering afterwards? Googling only seems to turn up some app that I have to buy from some other store (a cydia store?). Is it more complicated than the help.benm.at tethering hack that I used?
I used Fiddler to sniff traffic between iPad 2 and Jailbreakme during jailbreaking but I did not find where the PDF files are located. Could you help me find out where the PDFs that contain the exploits are?
There is no PDF file; the PDF is a base64-encoded data URI in the JavaScript, in the page itself, not even in a separate asset.
For those who fancy doing some analysis, here's the curl command with the required ipad UA string:
curl -A "Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5" http://www.jailbreakme.com
The PDF is very invalid, because it never needs to masquerade as a real document; it doesn't have to pretend to implement the PDF spec correctly. This makes it somewhat resistant to analysis: it doesn't even have the required '%%EOF' marker, so many tools choke on it immediately.
EDIT: There's an unterminated stream object in there which doesn't have a type, and it also has a declared length of 61 bytes and an actual length of well over 400. I think we have a winner... Unfortunately iOS shellcode analysis is waaaay over my head so I'll have to do something useful instead.
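An added example, not code from the thread or from the jailbreak's author: a small Python audit that flags the malformations described above (declared /Length versus actual stream size, a stream that is never terminated, a missing %%EOF) together with the active-content keys a static-only viewer should refuse, run on a constructed sample PDF. The sample bytes and the list of risky keys are my own choices, and the parsing is a heuristic that does not handle nested dictionaries or object streams.

```python
import re

# Heuristic checks for the defects the thread describes: a stream whose
# declared /Length disagrees with its real size, a stream never closed by
# 'endstream', a missing %%EOF marker, and active-content keys such as
# /JavaScript or /RichMedia (Flash) that a render-only viewer should skip.
STREAM_RE = re.compile(rb"<<((?:(?!>>).)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")
RISKY_RE = re.compile(rb"/(JavaScript|JS|RichMedia|Launch|OpenAction|AA)\b")

def audit_pdf(data: bytes) -> dict:
    """Return a dict of findings for one PDF given as raw bytes."""
    findings = {
        "missing_header": not data.startswith(b"%PDF-"),
        "missing_eof": b"%%EOF" not in data,
        "length_mismatch": [],   # list of (declared, actual) pairs
        "unterminated_streams": 0,
        "risky_keys": set(),
    }
    for m in STREAM_RE.finditer(data):
        lm = LENGTH_RE.search(m.group(1))
        declared = int(lm.group(1)) if lm else None
        actual = len(m.group(2))
        if declared != actual:
            findings["length_mismatch"].append((declared, actual))
    # 'stream' keywords lacking a matching 'endstream' (\b excludes 'endstream')
    opened = len(re.findall(rb"\bstream\b", data))
    closed = len(re.findall(rb"\bendstream\b", data))
    findings["unterminated_streams"] = max(opened - closed, 0)
    findings["risky_keys"] = {k.decode() for k in RISKY_RE.findall(data)}
    return findings

def is_suspicious(data: bytes) -> bool:
    f = audit_pdf(data)
    return bool(f["missing_header"] or f["missing_eof"] or f["length_mismatch"]
                or f["unterminated_streams"] or f["risky_keys"])

# Constructed sample (not the JailbreakMe file): header present, no %%EOF,
# one stream claiming 61 bytes but carrying 120, one stream never terminated,
# and an /OpenAction pointing at a JavaScript action.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Length 61 >>\nstream\n" + b"A" * 120 + b"\nendstream\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
    b"4 0 obj\n<< /Length 5 >>\nstream\n" + b"B" * 50 + b"\n"
)
# Constructed well-formed control document with a single correct stream.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(name, is_suspicious(blob), audit_pdf(blob))
```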
The release of this is probably related to the leak [1]. My guess is that they intended to save this for iOS5, but had to release it now due to the beta leak.
It doesn't work on my iPhone on 4.3.3 with that 4.10.01 baseband. The cydia icon comes up, but when the icon changes to "Installing..." it just disappears.
No, it's down due to an insane traffic load. It'll be up as soon as either a) traffic gets less insane (not likely to happen soon) or b) BigBoss adds more capacity. I'd also suggest to just keep trying: it'll likely work to install just that if you just keep trying to download it (eventually).
Does anyone know how Cydia licensing actually works? I jailbroke just to install RetinaPad, and I managed to buy it and install it. Cydia says "Package Officially Purchased". RetinaPad says "RetinaPad license missing!" and doesn't work. I guess the license download failed or something (due to high load?) but I don't see how to fix it.
It really makes me appreciate the Apple App Store, to be honest.
All Cydia Store purchases go through SaurikIT's centralized payment processing server. When the user attempts installing a store package, the repo that hosts it queries the central licensing server to see if the device is authorized before returning the package. Some packages make additional calls after the package has been installed on the device to download a license.
It is this final step that was failing intermittently on my servers due to the insane load (~300x usual sales on this package, ~125x traffic load overall). Please give it a try now, I have verified that it is up.
Thanks! Interesting. It still isn't working, after uninstalling / reinstalling in Cydia, but I guess I'll give it a day or two. Is the Authorize button in RetinaPad supposed to actually do something?
Indeed, and Comex gave them a heads up ~3.5 weeks ago that something was amiss in PDF. Let's hope they found it and are just going through the last testing cycles for the new patch?!