not matching remote, download new
2. .epub + manifest in ZIP called .itmsp; manifest contains the MD5 of the epub, and MD5 + size must match
3. epubtoolkit will then extract and validate the epub ZIP before uploading
4. If we find a vuln locally, we can trigger it on authors.apple.com
/tmp/.itmstransporter/lib/osgibootstrapper.jar
were not writable
• Only /tmp/ found to be writable
• We know the app works with files in /tmp/
• App only runs using JARs
• JARs are already loaded when unpacking the ZIP
a .class in osgibootstrapper
• Modify the inner class, then compile into .class
• Make sure size + compression are the same
• Repack into JAR
• Put JAR in .epub to replace ../../../tmp/.itmstransporter/lib/osgibootstrapper.jar
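The slides show that the .itmsp manifest's MD5 + size check only proves the .epub is the file the uploader built; it says nothing about where the entries inside that ZIP will land once epubtoolkit extracts them, which is what a "../../../tmp/..." entry name abuses. The following added example (not code from the talk or from Apple's tooling; the function names, the extraction directory and the sample ZIP contents are constructed assumptions) builds a small in-memory .epub, shows the manifest-style integrity check passing, and then applies the check the extraction step should have done: rejecting any entry whose resolved path falls outside the extraction root.

```python
import hashlib
import io
import os
import zipfile


def build_sample_epub() -> bytes:
    """Constructed sample .epub (an ordinary ZIP): two normal entries plus one
    traversal entry whose name is the path shown on the slides."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/epub+zip")
        zf.writestr("OEBPS/content.opf", "<package/>")
        # Entry name resolves outside the extraction directory when joined naively.
        zf.writestr("../../../tmp/.itmstransporter/lib/osgibootstrapper.jar",
                    b"constructed placeholder, not a real JAR")
    return buf.getvalue()


def manifest_fields(epub: bytes) -> tuple[str, int]:
    """The two values an .itmsp-style manifest carries for the .epub: MD5 and size."""
    return hashlib.md5(epub).hexdigest(), len(epub)


def manifest_matches(epub: bytes, expected_md5: str, expected_size: int) -> bool:
    """Integrity check as described on the slides: MD5 + size must match.
    Note that it is satisfied by any ZIP the uploader built, traversal entries included."""
    actual_md5, actual_size = manifest_fields(epub)
    return actual_md5 == expected_md5 and actual_size == expected_size


def unsafe_entries(epub: bytes, dest_root: str = "/tmp/epub-extract") -> list[str]:
    """Return every entry name that would be written outside dest_root.
    An extractor should refuse the whole archive if this list is non-empty."""
    root = os.path.realpath(dest_root)
    bad = []
    with zipfile.ZipFile(io.BytesIO(epub)) as zf:
        for name in zf.namelist():
            # Absolute names and Windows drive prefixes never belong in an epub.
            if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
                bad.append(name)
                continue
            # realpath collapses ".." segments; commonpath then tells us whether the
            # result is still rooted under the extraction directory.
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                bad.append(name)
    return bad


if __name__ == "__main__":
    epub = build_sample_epub()
    md5, size = manifest_fields(epub)
    print("manifest check passes:", manifest_matches(epub, md5, size))
    print("entries escaping the extraction root:", unsafe_entries(epub))
```

The point of keeping the two checks separate is that they answer different questions: the manifest check detects a corrupted or swapped upload, while the entry-path check is the one that stops a crafted archive from overwriting a file such as the loader's own JAR under /tmp.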
"AADAF"
• This allows us to iterate from an original size and lower or raise the compression rate by injecting non-consecutive letters
• We will use System.out.println since we see the output
Prerequisites:
1. URLClassLoader is used
2. JAR can have been loaded prior to replacing, but the class from the loaded JAR has not been triggered
3. Class needs to have inner classes