PDF exploit in iOS 4 (daringfireball.net)
79 points by andreyf on Aug 3, 2010 | 47 comments



It is good to see some analysis turning up on the exploit front. I was (and still am) surprised that the coverage of this jailbreak has been focused almost exclusively on the jailbreak itself rather than the attack vector and its implications.

The fact that a zero-day remote code execution exploit can be triggered so reliably in every iOS 4 and iPad 3.x device that the creators could drop a cute "Slide to Jailbreak" widget on a web page is alarming. With nothing more than a single rogue link and a bit of Objective-C, this exploit could easily be used to produce a worm spread by e-mail or SMS to every contact with a link to the same rogue code, hopping from device to device as users tap an innocent link from a friend. In fact, the action of clicking a link could be bypassed entirely by script injection -- resulting in infection should the user merely browse to a page serving the rogue JS. Considering that the exploit is PDF-based, it's likely that it could also be triggered by viewing a document in Mail.

The prospect of iOS worms is very real, and unless Apple begins to take security more seriously (note that this is the second remote code execution exploit accessible from within MobileSafari, and they've yet to even make a peep about this one), I would not be surprised if we begin to see malware on the platform.

[ See the original exploit teardown here: http://digdog.tumblr.com/post/894317027/jailbreak-with-pdf-f... ]


While I agree with your general take on the severity of the problem, I'm going to point out:

* The teardown you've linked to is (a) pretty superficial and (b) wrong (though I see it's now been corrected) --- here I will annoy you by smugly noting that you've linked to an exploit teardown written by someone who thinks it's likely that the iPhone would have been vulnerable to an Acrobat Reader flaw.

* It is not generally the impression I get from vulnerability researchers that the iPhone does a poorer job of defending against remote code execution vulnerabilities than Android; specifically: the iPhone has much stricter (DEP-style) page protections than OSX, and the iPhone has strict code signing.

Does Apple need to take security seriously? Indubitably. But I don't think you can read tea leaves here. Things like this are going to happen to every phone. Let's see how Apple handles it; that, at least, is a signal we can actually discuss reasonably.


Apologies, Thomas - wasn't attempting to hop on the FUD box, proclaim doom, or voice an opinion about the relative security of one platform to another.

I intended the comment to bring a few possibilities to the surface that I've not seen raised elsewhere surrounding an exploit which is otherwise being received by many in the community as a Good Thing.

Thanks for pointing out the error in the (original) write-up I'd linked. Yesterday I found myself telling a friend I thought it unfortunate to see others hopping blame upon Adobe for something they clearly had nothing to do with. If you're aware of a more detailed link to a writeup on the vulnerability in the font file processing, I expect people might be interested to see it.
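The first comment raises the risk of the PDF arriving as a mail attachment, and this one notes that the flaw lies in the processing of an embedded font file. The script below is an added example (written for this page, not from the thread or any linked write-up) of the kind of defender-side triage a mail gateway or analyst can run before a document reaches a vulnerable viewer: it walks the top-level objects of a PDF, finds every FontDescriptor that embeds a font program (`/FontFile`, `/FontFile2`, `/FontFile3`), and reports the declared subtype, filter and decoded size of each embedded stream. The sample PDF is constructed inline and contains a placeholder payload, not a real font; the parser assumes the classic textual object layout and does not expand objects packed into object streams.

```python
import re
import zlib

# Assumption: classic textual PDF object layout. Objects packed into /ObjStm
# streams (PDF 1.5+) are not expanded, and binary stream data is assumed not to
# contain the literal markers "endstream" / "endobj".
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
FONTFILE_RE = re.compile(rb"/(FontFile[23]?)\s+(\d+)\s+(\d+)\s+R")
NAME_RE = rb"/%s\s*/([A-Za-z0-9]+)"

# Constructed placeholder standing in for a font program; it is not a real font.
FAKE_FONT_PROGRAM = b"CONSTRUCTED-SAMPLE: not a real CFF/Type1C font program " * 4


def iter_objects(pdf: bytes):
    """Yield (object number, body bytes) for every top-level 'N G obj ... endobj'."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), m.group(3)


def scan_embedded_fonts(pdf: bytes):
    """Return one record per font program embedded via a FontDescriptor.

    Each record names the FontFile key that referenced the stream, the declared
    /Subtype and /Filter of the stream object, and the decoded length of the
    stream (None when the stream is missing, uses an unsupported filter, or
    fails to decompress, which is itself worth flagging).
    """
    objects = dict(iter_objects(pdf))
    findings = []
    for num, body in objects.items():
        if b"/FontDescriptor" not in body:
            continue
        for fm in FONTFILE_RE.finditer(body):
            key, target = fm.group(1).decode(), int(fm.group(2))
            record = {
                "descriptor_obj": num, "font_file_key": key, "stream_obj": target,
                "subtype": None, "filter": None, "decoded_length": None,
            }
            stream_body = objects.get(target, b"")
            sub = re.search(NAME_RE % b"Subtype", stream_body)
            if sub:
                record["subtype"] = sub.group(1).decode()
            filt = re.search(NAME_RE % b"Filter", stream_body)
            if filt:
                record["filter"] = filt.group(1).decode()
            sm = STREAM_RE.search(stream_body)
            if sm:
                raw = sm.group(1)
                if record["filter"] == "FlateDecode":
                    try:
                        record["decoded_length"] = len(zlib.decompress(raw))
                    except zlib.error:
                        record["decoded_length"] = None  # corrupt/truncated stream
                elif record["filter"] is None:
                    record["decoded_length"] = len(raw)
            findings.append(record)
    return findings


def build_sample_pdf(font_program: bytes = FAKE_FONT_PROGRAM) -> bytes:
    """Assemble a minimal PDF whose FontDescriptor embeds a Flate-compressed
    /FontFile3 (Type1C) stream. Constructed for this example only; it has no
    xref table, so it is input for the scanner, not a file for a viewer."""
    compressed = zlib.compress(font_program)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >>",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Demo /FontDescriptor 5 0 R >>",
        b"<< /Type /FontDescriptor /FontName /Demo /Flags 32 /FontFile3 6 0 R >>",
        b"<< /Subtype /Type1C /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream"
        % (len(compressed), compressed),
    ]
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for hit in scan_embedded_fonts(build_sample_pdf()):
        print(hit)
```

An embedded font is a normal feature of many legitimate PDFs, so a hit is not evidence of an exploit; what the record gives you is the fact that the viewer will be asked to run its font parser on attacker-supplied bytes, which is enough to route the attachment through a sandbox or a policy that strips or re-renders documents before they reach an unpatched device. A stream that declares a filter but fails to decompress is the more interesting signal, since malformed data is exactly what a parser bug needs.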


Agreed. There are dozens of WebKit bugs fixed in every iOS point release. These bugs are usually exploitable on any WebKit browser which includes iOS, Android, and a number of desktop platforms like Safari and Chrome.

It's not the end of the world, but it would be nice to see companies take browser security more seriously.


Charlie Miller suggested that this flaw actually tickles a bug in IOKit, which suggests that it isn't a cross-platform flaw, which makes sense since WebKit doesn't (AFAIK) do PDF.


>the iPhone has much stricter (DEP-style) page protections than OSX

Not sure relative to OSX (or why that relates to Android), however note that Android makes just as heavy use of the ARM's NX bit. Gruber recently subtly implied that Android was more reckless about security -- in a blurb about Android 2.2's V8 JIT engine for JavaScript, Gruber offhandedly mentioned that iOS "couldn't" perform such optimization because it barred executable segments -- implying that it didn't have NX-type uses, and he was simply blindly wrong.

And clearly it isn't quite so universal in iOS. This demonstration makes that amply clear.


All these countermeasures can be bypassed.

RPW and Vince from Zynamics wrote a compiler that transforms the REIL intermediate form Zynamics BinDiff/BinNavi tools generate into synthesized stack frames that continually return through fragments of legitimate basic blocks in signed executable iOS code; I believe they're working with fully general programs built in that form, which is to traditional computer programs what Voltron is to Johnny 5.

Which is to say that the cat is thoroughly out of the bag here. All I can point out is, it's not like Apple is totally slacking on the iPhone.


Yea I find it annoying that coverage is all about "jailbreaking". For gosh sake, they could use this and do drive-by looting of virtually any iPhone.


So how do people know that this site doesn't install a rootkit that spies for credit card numbers or something similarly sinister? Why do they trust it? Because it looks "legit" or because it's in the news?

Imagine something along the lines of:

Clueless user: Wow this jailbreaking site really worked well! Now that it has finished, it's showing a Paypal donation button in my browser. It was really helpful so I'll just go ahead and donate $10 on Paypal, right here in the browser of my newly jailbroken phone...

Author of the crack: [trollface.jpg] (thanks for the Paypal login details!)


shrug

Why do you trust anyone to do anything? Why do I trust AT&T not to be recording phone calls for the NSA (oh wait...) or Sony not to install rootkits on my Windows PC (hang on a second...).

At the end of the day, unless it's open-source, the possibility of malicious intent is everywhere. It only takes one disgruntled/incompetent employee.

That said, Gruber's last post on this indicated someone of repute had looked over the exploit, and they hadn't mentioned anything about such nastiness.


To be fair, even open source is not an absolute guarantee for lack of malicious code, as proven by the absolutely brilliant Underhanded C Contest: http://underhanded.xcott.com/


Not only that, but combine some random code you don't really know about, and slightly less than stellar (aka average) security practices on the web and you might end up with a backdoor trojan implemented in your open source project: http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt


This argument is often put up for these kind of questions (the why trust anything you don't have control over), but there is a big difference from trusting a large corporation that might have to take responsibility and an obscure website.

That being said, I have a rooted/Custom ROM droid phone and I have no clue whether or not it is logging my keyboard or any such thing, as I took the easy way of installing the root and ROM, but that doesn't stop me from using it. I have to agree that if you want to wear a tinfoil hat that is fine and dandy; just don't go against those who choose to go unprotected.


Are you really comparing the trustability of 'AT&T' and 'Sony' with 'some website that rootkitz your phonez'?


Well, since we know that AT&T are forwarding all calls to the NSA, and Sony has already installed rootkits onto people's computers, I would say that no, we are not comparing them at all. We already know the levels that those two companies will go to, but we might be able to trust the website.


That sort of anti-corporation FUD belongs on Reddit IMHO.


That sort of Big Business admiration can only belong on a political website or something.


The Sony "rootkit" wasn't actually a rootkit. It used a similar technique to some rootkits to 'hide' itself from the user/other software, after the user had knowingly installed it.

I have no idea about the AT&T 'forward all calls to the NSA', but I'd expect that would be logistically impossible.


> The Sony "rootkit" wasn't actually a rootkit. It used a similar technique to rootkits to 'hide' itself from the user/other software, after the user had knowingly installed it.

ho hum, that sounds like a rootkit definition to me. or what's your beloved corporation's definition of this?

> I have no idea about the AT&T 'forward all calls to the NSA', but I'd expect that would be logistically impossible.

oh please, http://en.wikipedia.org/wiki/Room_641A


OK, so your belief is that any program, that 'hides' itself on a computer, is a rootkit?

Does the 'root' not give you a clue as to the primary requirement of a rootkit?

May as well end here I think.


You make me wonder what kind of security research and corporate apologism genius I am dealing with here?

Because the thing was defined as a rootkit by the original security researcher, the EFF, the court AND even Sony itself.

May as well end here I think.


Thanks. You reminded me why I need to block HN access. It becomes poisonous quickly.


yet you won't quit.

Hypocrisy at its best.


Every time a new method for jailbreaking is announced, you know there must be an exploit in the OS. Apple will surely fix the exploit with an OS update, but as an effect customers won't be able to use jailbreak with that version. And so it becomes a question of whether you choose freedom or safety.


The jailbreak for iOS 1.1 based on the TIFF vulnerability also had a side-effect of patching the vulnerability itself[1] -- does jailbreak.me (or another party) do the same?

[1] http://www.networkworld.com/news/2007/102907-iphone-ipod-tou...


> "remote code exploit now in the wild"

it's not just remote code exploit...it's privilege escalation, and that's no joke


Good thing Apple requires C, C++, and Objective-C.

Good thing for crackers, I mean.


Three days now, and no one figured it out yet... I want to know more... links, anyone?


So who's tried it?


I have, it works fabulously. I needed to jailbreak my phone because the home button is broken, but couldn't use traditional means, as they required you to press the home button! This web-based one worked amazingly; you really do just visit the site, press "OK" and then three minutes later it's done.


Jailbroke my new iPhone 4. I've been jailbreaking for years, although primarily to change my SMS sound (sad but true, and practically required in an office full of iPhones).

I tether too, but only for conferences, which is pretty rare.

I've been playing more with various apps since the iPhone 4 can certainly take the performance hit. SBSettings (swipe status bar to pull down commonly-used options, like toggling 3G/EDGE), LockInfo (put calendar, mail, weather, etc on your lock screen), BiteSMS (SMS replacement with a bunch of features).


Worked perfectly on my iPhone 3GS. I was going to hold off on iOS 4 but I had to try this out. Easiest jailbreak yet, no computer required.

It's awesome and scary. I really hope Apple gets a fix out soon.


I jailbroke my wife's phone (3G) a couple of days ago; the process was a breeze. I have to say the OS feels a bit sluggish now, but that may have been caused by the update to 4.0.1.


Back when I had a jailbroken 3G running 3.something, it was noticeably slower. It ended up getting wiped by my 1-year-old; I didn't re-jailbreak it and found it to be more performant.

IMO, unless you really need an app that lives only in Cydia, it's not worth the hassle. Tethering is cool, but seems like something I would personally need 1% of the time.


I did. Mainly for facetime over 3G, MyWi and theming options.

Super easy to install and lets you actually patch (well, pseudo patch) this exploit.


Good thing Apple's review policy on the AppStore worked. (In case it's not immediately obvious, this is sarcastic in multi dimensions).


I know you're being sarcastic, but an exploit in iOS really doesn't have anything to do with Apple's review policy for 3rd party applications.


A principal reason they give as a defense of their app review policy and walled garden approach is that it is necessary to protect users from bad or malicious apps.

I think he's inferring (or pointing out the irony) that perhaps it's not the 3rd party ones they need to be so overly concerned with.


The popularity of the jailbreaks suggests that apple might be underestimating the intelligence of their own users.


I think Apple realizes the importance of the jailbreaking community (at least, some people at Apple do - do you doubt that 20 year old Steve Jobs would have jailbroken his phone?). I imagine they're simply uninterested in an arms race on that front.


True; 20-year-old Steve Jobs was 'jailbreaking' the whole damn phone company (http://www.paulgraham.com/bluebox.html).


No, that was the sarcasm. It's funny because it's ironic that Apple wants to lock down what apps are available, and yet it's being opened to those very apps through an exploit in their own software. BUT, it's yet more ironic that people will try to use this in attacks against the App Store even though it's irrelevant. Apparently this wasn't obvious despite me pointing out that the comment was multidimensionally sarcastic. Oh well.

People attacking AppStore policies in the context of a browser exploit is as relevant as a "malicious app" that reports having access to your contact list, "stealing" your data through a Wallpaper that you manually install and grant access (ie, last week's "debacle"). THOUGH, one could question why the Mobile Safari process is allowed the ability to become rampant anyway. I particularly appreciate the separation of the Dalvik VM in such scenarios.

Also, I posted two comments this evening. One is at -4, the other is at 10. Why did my overall "karma" move from 92 to 89. Should it not be at 98? Maybe I don't understand it. Oh well, hardly relevant.


The obvious difference is Apple's problem is unintentional and a theoretical malicious app distributed in Apple's store would be intentional. Probably something along the lines of going into a B&M Apple Store and falling down due to a wet spot on the floor versus some Apple employee running out and pushing you down on purpose. The damage may be the same but they don't have any real connection to each other.


That's the point I'm making!!! Why is everyone down voting and not bothering to read?!!?!

"People attacking AppStore policies in the context of a browser exploit is as relevant as a "malicious app" that reports having access to your contact list, "stealing" your data through a Wallpaper that you manually install and grant access (ie, last week's "debacle")"

AKA, NOT RELEVANT. Hence the sarcasm. Whatever.


You're right - security and quality certainly have nothing to do with their App Store policies. It's just that, knowing the above, some people wonder why Apple and their fans keep saying there's indeed such a connection.


Now you're just trolling.


Actually I think he's got a partial point.

I think there is a review of app quality (although you could dispute the criteria they use).

But security? It would be unfeasible to do a proper security audit of every app even if they did have access to the source code. And yet many people are convinced that there is some form of security guarantee.
