iLiad Huge exploit found in 2.7

[design256]

Quote:

Originally Posted by arivero

It is somehow risky in the sense that if you change the connection and it really gets to contact iDS, it could update the system if you are not fast enough to remove the internet cable nor swicht your wifi router off.

Wow, I can see Iliad owners running down the street to escape their iliad connecting to ids through WiFi

[k2r]

I'm not quite sure why we would have to change the root-password to log in to the device.
If I remember correctly dropbear client supports public key authentication, you just have to convert the id into a dropbear specific format.

[Antartica]

Quote:

Originally Posted by design256

Do it quickly! I bet that this and Xserver will be patched on IDS today.

Updated! :-)

[design256]

Quote:

Originally Posted by k2r

I'm not quite sure why we would have to change the root-password to log in to the device.
If I remember correctly dropbear client supports public key authentication, you just have to convert the id into a dropbear specific format.

WOOHOO!! I'm in!!!

tsh compiled statically out of the box with the Zaurus cross compiler and runs without any problems at all. I've attached the arm tshd and linux tsh binary.

Usual bricking caveats apply..

[CommanderROR]

Congrats!

[arivero]

Quote:

Originally Posted by design256

WOOHOO!! I'm in!!!

tsh compiled statically out of the box with the Zaurus cross compiler and runs without any problems at all. I've attached the arm tshd and linux tsh binary.

Usual bricking caveats apply..

Design, could you also attach the shell script and/or the command you use to launch it? Or are you still opening the network using your "http proxy failure" trick?

[design256]

Quote:

Originally Posted by arivero

Design, could you also attach the shell script and/or the command you use to launch it? Or are you still opening the network using your "http proxy failure" trick?

I'm using the http proxy trick for now - I haven't worked out how to turn the network on from a script yet, but should do soon. I just make it sleep for 2 minutes then run tshd.

BTW, the linux-side tsh I uploaded doesn't work statically compiled because of missing gethostbyname. Here is a dynamically compiled one on FC3, and the source. It is easy to compile. You need to set the password in tsh.h to 'abc'.

[arivero]

Quote:

Originally Posted by design256

I'm using the http proxy trick for now - I haven't worked out how to turn the network on from a script yet

Ah, you simply call wired.sh or wireless.sh with the right parameters; sort of "/usr/bin/wired.sh start" or similar call, we used it back in the 2.4 version three months ago.

Check them in /usr/bin. There is even an "usage" help. But in any case, how does the "proxy trick" works? Do I need actually to take the work of setting a proxy?

Quote:

BTW, the linux-side tsh (...)

guess most people will use a apt-get anyway.

[design256]

Quote:

Originally Posted by arivero

Ah, you simply call wired.sh or wireless.sh with the right parameters; sort of "/usr/bin/wired.sh start" or similar call, we used it back in the 2.4 version three months ago.

Check them in /usr/bin. There is even an "usage" help. But in any case, how does the "proxy trick" works? Do I need actually to take the work of setting a proxy?


guess most people will use a apt-get anyway.

Try just pointing it at a nonexistent proxy. If the network light stays on and you get a popup error box on connect then you're there.

[design256]

Quote:

Originally Posted by design256

Try just pointing it at a nonexistent proxy. If the network light stays on and you get a popup error box on connect then you're there.

ok wired.sh works a treat, so no need for the proxy hack any more.
Change /mnt/card if you're not using a mmc card...

/mnt/card/a.sh contains:

#!/bin/sh
sleep 120
/usr/bin/wired.sh start
sleep 5
/tmp/tshd

---------------

/mnt/card/b.sh contains:

#!/bin/sh

/bin/cp /mnt/card/tshd /tmp
/bin/cp /mnt/card/a.sh /tmp
/bin/chmod 755 /tmp/tshd
/bin/chmod 755 /tmp/a.sh
/tmp/a.sh &


-------

Then run /mnt/card/b.sh from network profiles, quit, then wait
a couple of minutes. When the light comes on:

tsh ILIAD_IP /bin/sh from your linux box.

...and you'll be in.

I'm working on a packaged version to replace download manager. Will post in CommanerROR's sticky topic when done.

Once again, big thanks for finding this excellent hole. Would love to be a fly on the wall at Irex when they were so keen to keep developers out...

[Antartica]

Quote:

Originally Posted by Antartica

Updated! :-)

It seems that they plugged the hole. I've not been able to reproduce the backqoute-hack :-(((

They've been fast.

UPDATE: It was my fault , they have not patched it, it still works . sorry if I scared someone.

[design256]

Quote:

Originally Posted by Antartica

It seems that they plugged the hole. I've not been able to reproduce the backqoute-hack :-(((

They've been fast.

eeek. that was quick

guess we'll have to keep working on an IDS-based exploit. I wonder if they also closed off the Xserver?

[tribble]

I dont think that there are different versions of 2.7 out there.

[scotty1024]

Quote:

Originally Posted by tribble

I dont think that there are different versions of 2.7 out there.

Maybe he's a beta tester.

Take Caeser's Beta, Take Caeser's Security Patches.

[TadW]

As far as I can tell 2.7 is unchanged since its initial release.