[NEWS] XBOX Dashboard Local Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 07/07/03

    To: list@securiteam.com
    Date: 7 Jul 2003 17:57:13 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security in Canada

    Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
    We welcome ISPs, system integrators and IT systems resellers
    to promote the most advanced vulnerability assessment solutions today.

    Contact us at 416-482-0038 or at canadasales@beyondsecurity.com

    - - - - - - - - -

      XBOX Dashboard Local Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    The XBOX Dashboard is the interface you see whenever you turn on the XBOX
    without a disc in the DVD drive. This interface lets you adjust system
    settings, manage your saved games, play and rip audio CDs and configure
    your XBOX Live account. The XBOX Dashboard is the heart of the XBOX machine
    and as such it has the potential to become the most vulnerable point of
    the machine. This potential has become real: it has been found that this
    interface lacks several security restrictions that apply to games
    executed under the XBOX environment. For example, it lacks the
    reboot-on-eject-button restriction that is obligatory for all games.

    Since the XBOX Dashboard is the heart of the system, the smallest
    exploitable vulnerability will allow the complete compromise of the XBOX
    system (security mechanism included).

    DETAILS

    Since Microsoft figured that a vulnerability within the XBOX dashboard
    could have a serious impact, the dashboard checks most of its files
    against an internally stored SHA1 hash value before it uses them.

    However, for an unknown reason this check is not performed on audio (.wav)
    and font (.xtf) files. Unfortunately for Microsoft there is an exploitable
    integer underflow vulnerability within the font file loader that can be
    exploited with a malformed font file.

    When the XTF header is processed the Dashboard reads a 4-byte blocksize
    field from the font file. This is expected to represent the size of some
    data block, including the 4 bytes of the size field itself. A buffer of
    blocksize bytes is then allocated and the size field is copied into the
    beginning of that buffer. This is already a potential overflow when the
    field contains a value from 0 up to 3, because 4 bytes are copied into a
    buffer of at most 3 bytes.

    Due to memory alignment, however, this first overflow is not exploitable.
    The blocksize is then decreased by 4 and the dashboard tries to read the
    rest of the block into memory. Values of 0 up to 3 cause an underflow here:
    the field is unsigned, so decreasing it by 4 does not produce a negative
    value but wraps around to the maximum value of the number (around
    4,294,967,296). This results in the dashboard wanting to read up to ~4
    gigabytes of data from the font file into an allocated 3-byte buffer.

    Since the XBOX malloc()/free() implementation also stores control
    information and has similarities to the Windows 2000/XP heap allocators,
    this vulnerability is exploitable and allows execution of arbitrary code.
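    The following C program is an added illustration, not code from the advisory, from Microsoft or from the Dashboard. It mirrors the unsigned arithmetic described above (a size field that counts its own 4 bytes, decreased by 4 before the rest of the block is read) and places a hardened block loader beside it that rejects the 0..3 case and checks the declared size against the bytes actually present before allocating. The function and status names, the little-endian byte order of the size field and the sample block bytes are all assumptions made for this example; the advisory does not describe the XTF layout in that detail.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the arithmetic the advisory describes: the field is unsigned, so
 * subtracting 4 from a value of 0..3 wraps around instead of going negative.
 * Returns the number of bytes a loader without a check would then try to
 * read into a buffer of only blocksize bytes. */
uint32_t xtf_payload_len_unchecked(uint32_t blocksize)
{
    return blocksize - 4u;   /* wraps to ~4 GB for blocksize < 4 */
}

/* Result codes for the hardened loader below (names assumed for this example). */
enum xtf_status { XTF_OK = 0, XTF_ERR_SHORT_HEADER, XTF_ERR_SIZE_TOO_SMALL,
                  XTF_ERR_TRUNCATED, XTF_ERR_ALLOC };

/* Hardened block loader (assumed design, not the Dashboard's code).
 * Reads a little-endian 4-byte size, rejects sizes that would underflow and
 * makes sure the whole block fits in the bytes on hand before allocating.
 * On success *out receives a malloc'd copy of the block (size field
 * included) and *out_len its length; the caller frees *out. */
enum xtf_status xtf_load_block(const uint8_t *file, size_t file_len,
                               uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (file_len < 4)
        return XTF_ERR_SHORT_HEADER;

    uint32_t blocksize = (uint32_t)file[0] | ((uint32_t)file[1] << 8) |
                         ((uint32_t)file[2] << 16) | ((uint32_t)file[3] << 24);

    /* The size counts its own 4 bytes; anything smaller is malformed and is
     * exactly the input that makes blocksize - 4 wrap around. */
    if (blocksize < 4)
        return XTF_ERR_SIZE_TOO_SMALL;

    /* Bound the read by the data actually present, never by the
     * file-controlled field alone. */
    if ((size_t)blocksize > file_len)
        return XTF_ERR_TRUNCATED;

    uint8_t *buf = malloc(blocksize);
    if (buf == NULL)
        return XTF_ERR_ALLOC;
    memcpy(buf, file, blocksize);   /* size field plus blocksize - 4 payload bytes */
    *out = buf;
    *out_len = blocksize;
    return XTF_OK;
}

/* Convenience wrapper: parse, discard the copy, report only the status. */
enum xtf_status xtf_check(const uint8_t *file, size_t file_len)
{
    uint8_t *blk = NULL;
    size_t n = 0;
    enum xtf_status st = xtf_load_block(file, file_len, &blk, &n);
    free(blk);
    return st;
}

int main(void)
{
    /* Constructed inputs: a well-formed 8-byte block and one whose size field
     * holds 3, the malformed case from the advisory. */
    const uint8_t good[] = { 0x08, 0x00, 0x00, 0x00, 'A', 'B', 'C', 'D' };
    const uint8_t bad[]  = { 0x03, 0x00, 0x00, 0x00, 'A', 'B', 'C', 'D' };

    printf("unchecked payload length for size field 3: %" PRIu32 " bytes\n",
           xtf_payload_len_unchecked(3));
    printf("hardened loader, good block: status %d\n", xtf_check(good, sizeof good));
    printf("hardened loader, bad block:  status %d\n", xtf_check(bad, sizeof bad));
    return 0;
}
```

    The two checks in xtf_load_block are the ones the advisory shows to be missing: the lower bound stops the wraparound, and the comparison against file_len stops a large but in-range size from reading past the data that exists.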

    The attached proof of concept code shows that exploiting is possible with
    offsets that are equal on all dashboards and XBOX versions known.

    BTW: The Dashboard loads its font files directly after the XBOX start
    animation. This means the exploit does not need any user interaction and
    when the code is executed only the Dashboard background appears on the
    screen.

    Proof of Concept:
    At the end of the article you will find a link to a proof of concept
    exploit that will start the Linux operating system (replacing the existing
    OS). To install it you have to rename the 2 XBOX font files within the
    font directory of the Dashboard partition and then copy ernie.xtf and
    bert.xtf into this directory (if you have an XBOX with an older dashboard,
    the font directory does not exist and you must do the renaming and
    file-adding work in the main directory). Once the new fonts are in place,
    copy the default.xbe (which is a copy of xbeboot) into the main directory
    and add your favorite Linux to it.

    ADDITIONAL INFORMATION

    Proof of concept codes are available at:
    <http://packetstormsecurity.nl/0307-advisories/xbox001.txt> XBOX Dashboard
    local vulnerability

    The information has been provided by <mailto:se@nopiracy.de> Stefan
    Esser.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

