
Discussion: Linux on an unmodified XBOX with direct boot

  1. #1
    Registered
    Aug 2000
    From
    Stockholm, Sweden
    Posts
    22 483
    Respect
    10

    Linux on an unmodified XBOX with direct boot

    Linux can now be installed on an UNMODIFIED XBOX, with DIRECT BOOT.

    The weakness exploited in the MS DASHBOARD will also be usable to start e.g. copied games and so on, as soon as some less scrupulous hacker releases code that uses the same weakness to patch the BIOS directly in memory instead of just using it to start Linux.

    XBOX Security

    -= Security Advisory =-



    Advisory: XBOX Dashboard local vulnerability
    Release Date: 2003/07/04
    Last Modified: 2003/07/04
    Author: Stefan Esser [se <at> nopiracy.de]

    Application: Microsoft XBOX Dashboard (up to today)
    Severity: A vulnerability within the XBOX Dashboard allows the
    security features of the XBOX to be totally compromised.
    Risk: Critical
    Vendor Status: Vendor is not willing to talk about XBOX vulnerabilities.


    Overview:

    The XBOX Dashboard is what appears when you turn the XBOX on without a
    disc in the DVD drive. It will let you adjust system settings, manage
    your save games, play and rip audio CDs and configure your XBOX Live
    account. It is the heart of the XBOX and its most vulnerable point,
    because it lacks several security restrictions which are enforced on
    games. This includes the lack of the reboot-on-eject-button "feature",
    which is obligatory for all games.

    The existence of an exploitable vulnerability within the dashboard could
    totally compromise the XBOX security system. It will make the box
    independent from Microsoft signed code and therefore this information is
    released to the public now on the 4th of July 2003, the day of the XBOX
    Independence.


    Details:

    Microsoft knows that a vulnerability within the XBOX dashboard could
    have serious impact. This is underlined by the fact that the dashboard
    checks most of its files against an internal stored SHA1 hash value
    before it uses them.

    For an unknown reason this check is not performed on the audio (.wav)
    and font (.xtf) files. Unfortunately for Microsoft there exists an
    exploitable integer underflow vulnerability within the font file loader
    which can be exploited with a malformed font file. When the XTF header
    is processed the dashboard reads a 4 byte blocksize field from the font
    file. This is expected to represent the size of some datablock including
    the 4 bytes of the size field itself. The blocksize is then allocated
    and the sizefield is copied into the beginning of the buffer. This is
    already a possible overflow bug when the field contains the values 0..3.
    Due to memory alignment this is not exploitable. But then the blocksize
    is decreased by 4 because the dashboard wants to read the rest of the
    block into memory. Obviously values of 0..3 will underflow when
    decreased by 4 and this results in the dashboard wanting to read up to
    ~4 gigabytes of data from the font file into a buffer of e.g. 3 bytes.

    Because the XBOX malloc()/free() implementation is also storing control
    information inbound and is similar to the Windows 2000/XP heap
    allocators this bug is exploitable and allows execution of arbitrary
    code. The attached proof of concept code shows that exploiting is
    possible with offsets that are equal on all dashboards and XBOX versions
    known.

    BTW: the dashboard loads its font files directly after the XBOX start
    animation. This means the exploit does not need any user
    interaction and when the code is executed only part of the
    dashboard background is on screen.


    Proof of Concept:

    Attached you will find a proof of concept exploit which will start
    linux. To install it you have to rename the 2 XBOX font files within the
    font directory of the dashboard partition and then copy ernie.xtf and
    bert.xtf into this directory. (If you have an XBOX with an older
    dashboard the font directory does not exist and you must do the renaming
    and file adding work in the main directory). Once the new fonts are in
    place you copy the default.xbe (which is a copy of xbeboot) into the
    main directory and add your favourite linux to it.


    Trustworthy Computing:

    Trustworthy Computing at its best. Nearly 2 Years ago I reported an SSL
    vulnerability within IE to Microsoft. 1 month later I released
    information about this bug to the public because MS did absolutely
    nothing. The vulnerability was nearly forgotten, it only exists on the
    list of 19 unpatched IE vulnerabilities anymore. But this is wrong, the
    vulnerability was indeed fixed with one of the many IE patches in the
    middle of last year. Well is secretly fixing bugs without an official
    advisory trustworthy?


    Anticipated Questions:

    Q1: How do I get the files onto the harddisk?

    A1: There are several ways. You could f.e. install the files with the
    Mechassault or 007 hacks. This requires one of the games and the
    files on a memorycard. The other way is to open the box and do the
    harddisk swap trick which is described all over the net.


    Q2: This vulnerability is in the dashboard, isn't it? So Microsoft can
    simply update the dashboard with XBOX Live or with the help of new
    games.

    A2: Yes Microsoft could try to upgrade the dashboard and fix the
    vulnerability with such an update, but keep in mind that this
    vulnerability is like a "local root" hole. You can do nearly
    everything with it and this includes redirecting reads and writes to
    the xboxdash.xbe file. Additionally people who do not play games on
    their box will not be reachable with such updates. And groups who
    pirate games can always disable the update feature.


    Q3: Well but MS can make the kernel block the vulnerable dashboard.

    A3: Indeed they can. But until boxes with new kernels reach the market
    we will have the end of this year (You can still get 1.0 boxes in
    shops over here) and they can only fix the bugs they know about.


    Q4: Is it possible to play "backed-up" games with this?

    A4: Yes it is possible to play pirated games by using this vulnerability
    but my proof of concept code will not allow this. You have to change
    the exploit to patch the kernel in memory. This is not very hard and
    I am not going to help you with this.


    Q5: Can I go "Live" with this hack?

    A5: You have full control over the box with this vulnerability. You can
    modify the exploit to allow XBOX Live playing but this will only
    start a cat & mouse game with Microsoft.


    Q6: I have read that I can solder my mainboard with this hack...

    A6: This exploit has nothing to do with soldering. It will just run
    everything you want on unmodded (and even unopened) XBOXes. In fact
    when this hack is installed you do not need to solder anything to
    get your homebrew or whatever applications to run.


    Copyright 2003 Stefan Esser. All rights reserved.


    (uuencoded file removed from the message, it is attached 2 posts down)
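As an added example, not code from the advisory or from anyone in this thread, here is a C model of the block-size handling the Details section describes: the vulnerable arithmetic that wraps for size fields 0..3, beside a hardened loader that validates the field before using it. The layout (a 4-byte little-endian block size that counts itself, followed by block data) is assumed from the text; the real XTF format is not documented on the page, and the sample font bytes are constructed.

```c
/* Added example, not part of the advisory or the forum post: a model of the
 * XTF block-size handling described above, first in its vulnerable form and
 * then hardened. The layout (a 4-byte little-endian block size that counts
 * itself, followed by block data) is assumed from the text; the real XTF
 * format is not documented on the page. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed inputs: a malformed header with size field 3, and a well-formed
 * header with size field 8 (4-byte field plus 4 data bytes). */
static const uint8_t MALFORMED_FONT[8]  = {0x03, 0, 0, 0, 'A', 'B', 'C', 'D'};
static const uint8_t WELLFORMED_FONT[8] = {0x08, 0, 0, 0, 'A', 'B', 'C', 'D'};

static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: trust the size field, allocate that many bytes, copy the
 * field in, then read "blocksize - 4" more. Instead of performing the read,
 * this returns how many bytes the loader would try to read, so the underflow
 * is visible without corrupting the heap. */
size_t vulnerable_remaining(const uint8_t *font, size_t len)
{
    if (len < 4) return 0;
    uint32_t blocksize = read_u32le(font);      /* 0..3 gives a tiny buffer */
    uint32_t remaining = blocksize - 4;         /* and wraps to ~4 GiB here */
    return (size_t)remaining;
}

/* Hardened pattern: validate the field before doing arithmetic on it and
 * against the bytes actually present, then copy the whole block at once. */
int hardened_load(const uint8_t *font, size_t len, uint8_t **out, size_t *out_len)
{
    *out = NULL; *out_len = 0;
    if (len < 4) return -1;
    uint32_t blocksize = read_u32le(font);
    if (blocksize < 4) return -1;       /* would underflow when decreased by 4 */
    if (blocksize > len) return -1;     /* block claims more bytes than exist */
    uint8_t *buf = malloc(blocksize);
    if (buf == NULL) return -1;
    memcpy(buf, font, blocksize);       /* size field plus the rest of block */
    *out = buf;
    *out_len = blocksize;
    return 0;
}
```

The hardened version also rejects a size field larger than the file, which the advisory does not discuss but which the same trust-the-header pattern would otherwise allow.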

  2. #2
    Registered
    Mar 2002
    Posts
    280
    Respect
    23
    Hm... The file at the end of the message seems to be corrupted:

    [stefan@localhost dayX]$ tar xvzf dayX.tgz

    gzip: stdin: invalid compressed data--format violated
    tar: Underprocess avslutade med slutstatus 1
    tar: Avslut med felslutstatus fördröjd från föregående fel
    [stefan@localhost dayX]$
    Last edited by Stefan; 2003-07-04 at 14:49.

  3. #3
    Registered
    Aug 2000
    From
    Stockholm, Sweden
    Posts
    22 483
    Respect
    10
    Try this one then, keep in mind that it is uuencoded or something as well
    Attached Files

  4. #4
    Registered
    Jul 2003
    From
    Borlänge
    Posts
    68
    Respect
    22
    Can't someone "happen to" translate this into Swedish ..
    some of us (e.g. me) can't be bothered to read that much English right now ..

  5. #5
    Registered
    Feb 2004
    Posts
    7
    Respect
    0
    Just say you don't understand

  6. #6
    Registered
    Mar 2004
    Posts
    3
    Respect
    0
    Can't anyone give me directions to this CD, or a tip on where it might be found and what it is called =)
