Image Viewer, Buffer Overflow... Possible attack Options

[Bizquick]

I think this approch is pointless to look at. The USB ports are 2.0 and Read only. Which means I bet its just some emulation of a MS Media Player software that these ports are linked up too. if you want to try to get a buffer overflow attack. I would suggest some sort of exploit with the memory card slots thoes work bothways and are basily USB 2.0 ports but just wired diffrent. I would try working with that.

[PVNick]

I don't know if any of you are aware of this, but Windows XP already has stack buffer overflow protection built in (at least SP2, I forget about the bare install); however, you still see overflow attacks. Stack overflows arent the only types of memory corruption. The one that I think we would be most likely to see in X-Box 360 is heap overruns, which overflows heap structures. The reason I think this is likely is because of the facts that while stack buffers have a fixed size, heap structures are created and destroyed on the go, meaning they have dynamic sizes, just like file contents. Therefore, my prediction is that if you were to find a locally exploitable buffer overflow in the X360, it would most likely be in some sort of file format.

[Dameon]

What details do we have about the buffer overflow protection on the Xbox? Is it nothing more than stack pages marked as non-executable? (NX bit?)

If that is the case, then our job is certainly a tad more difficult. But as a reminder, non-executable stack does not mean that we can't have buffer overflows. The memory is still corrupted, return addresses can still be overwritten, it's just that any shellcode cannot execute. The common workaround for this has been to jump to a widely available and statically located library/system call, or at the very least an address in the executable that is known to be a useful function, and include your parameters on the stack. As an example, on a windows machine with buffer overflow protection, you can overwrite the return address to point to ShellExecute and slap a string on the stack to run whatever command you wish.

Some information on available API calls on the X-360 would be great, perhaps a little peek at the import table on an available executable. Surely there's a single command to launch an XBE/XEX, but the question is does it have to be local? Can you pass it a remote URL?

In our case though, a single command isn't enough. Call it a longshot, but what if we could hijack two consecutive return addresses? The first jumps to a pre-existing routine to copy a chunk of memory to another location (Such as memcpy, you don't get more standard than that) while the second jumps to said new location, in effect relocating our shellcode to an executable codepage. That would take some careful stack manipulation and debugging abilities that we don't have at this point...unless someone has a dev kit. It also assumes a lot, for one thing that the heap is executable or the code pages are writable, both of which are doubtful.

Just putting it out there.

[lordvader129]

even if you did manage an overflow, where would you take it from there?

on xbox the overflow was used to patch the private signing key in RAm to a known value, so we could sign our own xbes to run

based on reading xbox-linux's overview of the security, all comparitive values are stored in non-volatile memory on the CPU die, meaning you probably wont be able to patch the key

[Dameon]

One step at a time. Being able to execute code on a virgin box is inherently useful. Security has no doubt been stepped up, meaning it just takes a different approach once there.

[PVNick]

I agree with Dameon. Besides, if one could get unsigned code running on the 360, that would be the spark needed to get everyone to turn their attention to hacking.

[globe_guyx]

The scariest thing I've read is that all calls reside solely inside the cpu itself. The cpu apparently contains its own ram for this purpose. I'm doubtful of much until somebody with access to some hefty equipment cracks open the chip. This is similar to the way ATA security (HDD locking) works. While not feasible for the common man, this can be hacked.
As for exploitation after that, this is MS people. Most likely a hilariously simple alteration to a presently common attack will work. Images do seem the logical approach though, so they probably spent 95% of their time securing that. Luckily enough though I missed out on one of these early defective machines so its all pure speculation at this point.

[BlueCELL]

The scariest thing I've read is that all calls reside solely inside the cpu itself. The cpu apparently contains its own ram for this purpose. I'm doubtful of much until somebody with access to some hefty equipment cracks open the chip. This is similar to the way ATA security (HDD locking) works. While not feasible for the common man, this can be hacked.
As for exploitation after that, this is MS people. Most likely a hilariously simple alteration to a presently common attack will work. Images do seem the logical approach though, so they probably spent 95% of their time securing that. Luckily enough though I missed out on one of these early defective machines so its all pure speculation at this point.

Yeah, your right. They wasted so much time/money to secure the curcits and shit and they left other "software" bugs open

BlueCELL

[BiMP]

If the USB 2.0 ports are read-only, then why not trying to make an adapter to use the memory unit ports. Aren't they based on USB structure? I see five prongs on my memory card, it may be silimar to Xbox 1 where it would be 4 USB connections and a 'yellow wire' to identify what the product is.

[NanoStudios]

How can a USB port be 'read-only'? The reason why you can't copy music/photos/whatever to a USB drive is because MS has to be careful not to violate copyright laws. Unless I am greatly mistaken, the wired version of the Xbox 360 controller receives information from the Xbox 360 console such as which sector on the 'ring of light' to light up, and requests for information to verify that it is an official Xbox 360 peripheral (part of MS's new accessory quality-control program).

And about the PSP overflow - it was only possible because the 2.0 version of the firmware contained an old version of libpng.

[Dameon]

Traffic always must be bidirectional at some point for USB. Even if the device is stopped/disconnected after negotiation, a quick glance at the USB standard indicates that there is plenty of room for error at that critical stage.

Also, I noticed on the free60 wiki that one of the peripherals hooked up to a computer advertises a rather interesting interface, "Xbox Security Method 1, Version 1.00, © 2005 MS Corporation. All rights reserved".
http://www.free60.org/wiki/WirelessLan#Linux_support
Could that be our culprit for peripheral authentication?

[holydemon]

Cows aren't in the milk business you dumbass... cows make milk naturally, they know nothing about it.

MS makes software by choice. They study it, they master it (at least moreso than sony).

Your analogy just plain sucks

well that new compiler is lack of use...MS really has been letting go but we might be able to do that buffer overflow...it will be hard as hell though