Here is some more information about this. You can find the
proof of concept code talked about herein at the link below:
http://lists.netsys.com/pipermail/full-disclosure/2003-July/010895.html
XBOX Security
-= Security Advisory =-

     Advisory: XBOX Dashboard local vulnerability
 Release Date: 2003/07/04
Last Modified: 2003/07/04
       Author: Stefan Esser [se@nopiracy.de]
  Application: Microsoft XBOX Dashboard (up to today)
     Severity: A vulnerability within the XBOX Dashboard allows one to
               totally compromise the security features of the XBOX.
         Risk: Critical
Vendor Status: Vendor is not willing to talk about XBOX vulnerabilities.
Overview:

  The XBOX Dashboard is what appears when you turn the XBOX on without a
  disc in the DVD drive. It will let you adjust system settings, manage
  your save games, play and rip audio CDs and configure your XBOX Live
  account. It is the heart of the XBOX and its most vulnerable point,
  because it lacks several security restrictions which are enforced on
  games. This includes the lack of the reboot-on-eject-button "feature",
  which is obligatory for all games.

  The existence of an exploitable vulnerability within the dashboard could
  totally compromise the XBOX security system. It will make the box
  independent from Microsoft signed code and therefore this information is
  released to the public now on the 4th of July 2003, the day of the XBOX
  Independence.

Details:

  Microsoft knows that a vulnerability within the XBOX dashboard could
  have serious impact. This is underlined by the fact that the dashboard
  checks most of its files against an internally stored SHA1 hash value
  before it uses them.

  For an unknown reason this check is not performed on the audio (.wav)
  and font (.xtf) files. Unfortunately for Microsoft there exists an
  exploitable integer underflow vulnerability within the font file loader
  which can be exploited with a malformed font file. When the XTF header
  is processed the dashboard reads a 4 byte blocksize field from the font
  file. This is expected to represent the size of some datablock including
  the 4 bytes of the size field itself. The blocksize is then allocated
  and the sizefield is copied into the beginning of the buffer. This is
  already a possible overflow bug when the field contains the values 0..3.
  Due to memory alignment this is not exploitable. But then the blocksize
  is decreased by 4 because the dashboard wants to read the rest of the
  block into memory. Obviously values of 0..3 will underflow when
  decreased by 4 and this results in the dashboard wanting to read up to
  ~4 gigabytes of data from the font file into, for example, a 3 byte buffer.

  Because the XBOX malloc()/free() implementation is also storing control
  information inbound and is similar to the Windows 2000/XP heap
  allocators this bug is exploitable and allows execution of arbitrary
  code. The attached proof of concept code shows that exploiting is
  possible with offsets that are equal on all dashboards and XBOX versions
  known.

  BTW: the dashboard loads its font files directly after the XBOX start
  animation. This means the exploit does not need any user
  interaction and when the code is executed only part of the
  dashboard background is on screen.

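As an added illustration of the bug class described above (not code from the advisory or its proof of concept), this C snippet models the blocksize handling: the unchecked subtraction wraps for values 0..3, while the hardened reader rejects any blocksize smaller than the field it accounts for or larger than the data actually present. The XTF layout, the little-endian byte order, and the sample headers are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Little-endian 32-bit read; the byte order of the real XTF field is assumed. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Models the flawed logic from the advisory: the 4-byte blocksize includes
 * the size field itself, so the loader allocates blocksize bytes, stores the
 * field at the start, and computes blocksize - 4 for the rest of the block.
 * Only the length computation is modelled; nothing is read, because for
 * blocksize 0..3 the unsigned subtraction wraps to ~4 GiB. */
uint32_t unchecked_rest_len(const uint8_t *hdr) {
    uint32_t blocksize = le32(hdr);
    return blocksize - 4;            /* wraps around when blocksize < 4 */
}

/* Hardened version: validate the lower bound (the field must at least cover
 * its own 4 bytes) and the upper bound (the file must actually contain the
 * block) before any allocation or copy. Returns the block (caller frees) or
 * NULL on any inconsistency; *out_len receives the block size. */
uint8_t *checked_read_block(const uint8_t *file, size_t file_len, size_t *out_len) {
    if (file_len < 4) return NULL;
    uint32_t blocksize = le32(file);
    if (blocksize < 4 || blocksize > file_len) return NULL;
    uint8_t *block = malloc(blocksize);
    if (!block) return NULL;
    memcpy(block, file, blocksize);  /* size field plus exactly blocksize-4 bytes */
    *out_len = blocksize;
    return block;
}

/* Constructed sample headers (not taken from any real font file). */
const uint8_t good_hdr[8] = {8, 0, 0, 0, 'A', 'B', 'C', 'D'};  /* field + 4 bytes */
const uint8_t bad_hdr[8]  = {3, 0, 0, 0, 'A', 'B', 'C', 'D'};  /* 3 - 4 wraps */
const uint8_t big_hdr[8]  = {16, 0, 0, 0, 0, 0, 0, 0};         /* claims more than present */
```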
Proof of Concept:

  Attached you will find a proof of concept exploit which will start
  linux. To install it you have to rename the 2 XBOX font files within the
  font directory of the dashboard partition and then copy ernie.xtf and
  bert.xtf into this directory. (If you have an XBOX with an older
  dashboard the font directory does not exist and you must do the renaming
  and file adding work in the main directory). Once the new fonts are in
  place you copy the default.xbe (which is a copy of xbeboot) into the
  main directory and add your favourite linux to it.

Trustworthy Computing:

  Trustworthy Computing at its best. Nearly 2 years ago I reported an SSL
  vulnerability within IE to Microsoft. 1 month later I released
  information about this bug to the public because MS did absolutely
  nothing. The vulnerability was nearly forgotten; it now only exists on the
  list of 19 unpatched IE vulnerabilities. But this is wrong, the
  vulnerability was indeed fixed with one of the many IE patches in the
  middle of last year. Well, is secretly fixing bugs without an official
  advisory trustworthy?

Anticipated Questions:

  Q1: How do I get the files onto the harddisk?

  A1: There are several ways. You could, for example, install the files with
      the Mechassault or 007 hacks. This requires one of the games and the
      files on a memorycard. The other way is to open the box and do the
      harddisk swap trick which is described all over the net.

  Q2: This vulnerability is in the dashboard, isn't it? So Microsoft can
      simply update the dashboard with XBOX Live or with the help of new
      games.

  A2: Yes, Microsoft could try to upgrade the dashboard and fix the
      vulnerability with such an update, but keep in mind that this
      vulnerability is like a "local root" hole. You can do nearly
      everything with it and this includes redirecting reads and writes to
      the xboxdash.xbe file. Additionally people who do not play games on
      their box will not be reachable with such updates. And groups who
      pirate games can always disable the update feature.

  Q3: Well, but MS can make the kernel block the vulnerable dashboard.

  A3: Indeed they can. But until boxes with new kernels reach the market
      it will be the end of this year (you can still get 1.0 boxes in
      shops over here) and they can only fix the bugs they know about.

  Q4: Is it possible to play "backed-up" games with this?

  A4: Yes, it is possible to play pirated games by using this vulnerability
      but my proof of concept code will not allow this. You have to change
      the exploit to patch the kernel in memory. This is not very hard and
      I am not going to help you with this.

  Q5: Can I go "Live" with this hack?

  A5: You have full control over the box with this vulnerability. You can
      modify the exploit to allow XBOX Live playing but this will only
      start a cat & mouse game with Microsoft.

  Q6: I have read that I can solder my mainboard with this hack...

  A6: This exploit has nothing to do with soldering. It will just run
      everything you want on unmodded (and even unopened) XBOXes. In fact
      when this hack is installed you do not need to solder anything to
      get your homebrew or whatever applications to run.

Copyright 2003 Stefan Esser. All rights reserved.
Edit - Then this:
http://www.xboxhacker.net/forums/index.php?act=ST&f=12&t=12211