Register Guidelines E-Books Search Today's Posts Mark Forums Read

Go Back   MobileRead Forums > E-Book Readers > More E-Book Readers > iRex > iRex Developer's Corner

Notices

Reply
 
Thread Tools Search this Thread
Old 10-19-2006, 01:47 PM   #1
arivero
Guru
arivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it is
 
arivero's Avatar
 
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Huge exploit found in 2.7

Ok, I have downloaded the 2.7. Awesome pdf thing, it remembers the zoom between pages, and this is already better than standard xpdf, nice icons, blah blah blah. Ah and yes, I got to execute a ls > /opt/content/books/a.txt command. But on the other hand the remote Xserver approach seems promising. So what do I do? Wait for a crack via Xserver to be done? Do I explain how I did the ls so you people can try to run shell scripts via similar methods, risking to be patched in the security fix? Personally I think that any Xserver exploit will be patched in the future, because it is a real internet security issue.
arivero is offline   Reply With Quote
Old 10-19-2006, 01:58 PM   #2
jęd
Evangelist
jęd has a complete set of Star Wars action figures.jęd has a complete set of Star Wars action figures.jęd has a complete set of Star Wars action figures.
 
Posts: 458
Karma: 293
Join Date: May 2006
Quote:
Originally Posted by arivero
Do I explain how I did the ls so you people can try to run shell scripts via similar methods, risking to be patched in the security fix? Personally I think that any Xserver exploit will be patched in the future, because it is a real internet security issue.
Up to you whether you think its better to have an unsecured Illiad and to be the only one with this knowledge, or to help the Illiad progress. Congratulations, btw...
jęd is offline   Reply With Quote
 
Enthusiast
Old 10-19-2006, 02:00 PM   #3
arivero
Guru
arivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it is
 
arivero's Avatar
 
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by jęd
Up to you whether you think its better to have an unsecured Illiad and to be the only one with this knowledge, or to help the Illiad progress. Congratulations, btw...
I could ask for a NDA agreement
arivero is offline   Reply With Quote
Old 10-19-2006, 02:11 PM   #4
design256
Connoisseur
design256 doesn't litterdesign256 doesn't litter
 
Posts: 78
Karma: 103
Join Date: Aug 2006
Location: Ipswich, UK
Device: Irex Iliad
Quote:
Originally Posted by arivero
Ok, I have downloaded the 2.7. Awesome pdf thing, it remembers the zoom between pages, and this is already better than standard xpdf, nice icons, blah blah blah. Ah and yes, I got to execute a ls > /opt/content/books/a.txt command. But on the other hand the remote Xserver approach seems promising. So what do I do? Wait for a crack via Xserver to be done? Do I explain how I did the ls so you people can try to run shell scripts via similar methods, risking to be patched in the security fix? Personally I think that any Xserver exploit will be patched in the future, because it is a real internet security issue.
Perhaps you could use it to help us finish the Xserver exploit. Then make it public when Irex patches that in 2.8...
design256 is offline   Reply With Quote
Old 10-19-2006, 02:32 PM   #5
arivero
Guru
arivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it is
 
arivero's Avatar
 
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Ok I will release it, on second inspection it is so simple that there is no issue.

I backquoted the password in the WEP configuration.

this is, I created a new wireless wep connection (wizard, anyname, Proceed, Wireless, anyssid, proceed, WEP, proceed) and in the wep security key field I used:

Quote:
`ls > /opt/content/books/a.txt`
I pressed TEST (no proceed anymore).

And yep, it escaped.

I think iRex does not really need to patch this one. It is not a security hole, as the ssh was. Nor a Cuartango trick, as the pdf could be. Here the Owner of the machine must know exactly what he is doing, no argue about being tricked to do it (except if you have got a devilish system admistrator telling you that THAT is the password for your local wlan!).

Besides, you need to retort the trick in order to use it to "open the internet", because most probably this escape is executed at the level of the networking scripts, and man you do not want to call the networking script from the networking script.

Last edited by arivero; 10-19-2006 at 02:40 PM.
arivero is offline   Reply With Quote
Old 10-19-2006, 02:43 PM   #6
design256
Connoisseur
design256 doesn't litterdesign256 doesn't litter
 
Posts: 78
Karma: 103
Join Date: Aug 2006
Location: Ipswich, UK
Device: Irex Iliad
Quote:
Originally Posted by arivero
Ok I will release it, on second inspection it is so simple that there is no issue.

I backquoted the password in the WEP configuration.

this is, I created a new wireless wep connection (wizard, anyname, Proceed, Wireless, anyssid, proceed, WEP, proceed) and in the wep security key field I used:



I pressed TEST (no proceed anymore).

And yep, it escaped.

I think iRex does not really need to patch this one. It is not a security hole, as the ssh was. Nor a Cuartango trick, as the pdf could be. Here the Owner of the machine must know exactly what he is doing, no argue about being tricked to do it (except if you have got a devilish system admistrator telling you that THAT is the password for your local wlan!).

Besides, you need to retort the trick in order to use it to "open the internet", because most probably this escape is executed at the level of the networking scripts, and man you do not want to call the networking script from the networking script.
neat. Congratulations on thinking of this one.
design256 is offline   Reply With Quote
Old 10-19-2006, 02:57 PM   #7
arivero
Guru
arivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it isarivero knows what time it is
 
arivero's Avatar
 
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by design256
neat. Congratulations on thinking of this one.
A pleasure. Please remember this trick is under the 75 Euros caveat
arivero is offline   Reply With Quote
Old 10-19-2006, 06:42 PM   #8
scotty1024
Banned
scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.
 
Posts: 1,300
Karma: 1479
Join Date: Jul 2006
Location: Peoples Republic of Washington
Device: Reader / iPhone / Librie / Kindle
Now that's a nice hole!

So who hasn't done this yet?

cp /etc/passwd /opt/content/books/passwd
<edit passwd>
cp /opt/content/books/passwd /etc/passwd
cp /opt/content/books/bugbear /usr/sbin
...
scotty1024 is offline   Reply With Quote
Old 10-19-2006, 06:45 PM   #9
scotty1024
Banned
scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.scotty1024 is no ebook tyro.
 
Posts: 1,300
Karma: 1479
Join Date: Jul 2006
Location: Peoples Republic of Washington
Device: Reader / iPhone / Librie / Kindle
Hmmm perhaps update the irex.crt to make iDS proxy very simple again?
scotty1024 is offline   Reply With Quote
Old 10-19-2006, 07:40 PM   #10
Mike Kostousov
Connoisseur
Mike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-books
 
Posts: 50
Karma: 861
Join Date: Aug 2006
Device: Zaurus C1000/iLiad/SE K750i
Wau!!!! It is amazing! So big hole!

Code:
`/bin/bash /opt/books/what-ever-you-want.sh`
Mike Kostousov is offline   Reply With Quote
Old 10-19-2006, 07:48 PM   #11
Mike Kostousov
Connoisseur
Mike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-books
 
Posts: 50
Karma: 861
Join Date: Aug 2006
Device: Zaurus C1000/iLiad/SE K750i
sorry. There is no bash. Just sh
Mike Kostousov is offline   Reply With Quote
Old 10-19-2006, 08:10 PM   #12
Mike Kostousov
Connoisseur
Mike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-books
 
Posts: 50
Karma: 861
Join Date: Aug 2006
Device: Zaurus C1000/iLiad/SE K750i
uupi!!! It works!
Code:
`/bin/sh /opt/content/books/a.sh`
There is "a.sh"
Code:
#!/bin/sh

/bin/ps aux > /opt/content/books/ps-aux-out.txt
/bin/uname -a > /opt/content/books/uname-a.txt
/bin/cat /proc/cpuinfo > /opt/content/books/cpuinfo.txt
/bin/mount > /opt/content/books/mount.txt
/bin/dmesg > /opt/content/books/dmesg.txt
/bin/ls /boot > /opt/content/books/ls-boot.txt
But, if you want to try by yourself, you are doing it by you own risk! Be careful!

It is really big hole. Now, I will try to compile somthing for iLiad (my be cross-compiler for zaurus will succseed). BTW, I think, it is the most careful way is to mount MMC with ext2, and try to do everything there..
Attached Files
File Type: txt cpuinfo.txt (510 Bytes, 266 views)
File Type: txt dmesg.txt (7.1 KB, 265 views)
File Type: txt mount.txt (437 Bytes, 256 views)
File Type: txt ps-aux-out.txt (2.1 KB, 244 views)
File Type: txt uname-a.txt (90 Bytes, 238 views)
Mike Kostousov is offline   Reply With Quote
Old 10-19-2006, 08:31 PM   #13
Mike Kostousov
Connoisseur
Mike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-booksMike Kostousov has learned how to read e-books
 
Posts: 50
Karma: 861
Join Date: Aug 2006
Device: Zaurus C1000/iLiad/SE K750i
Wau! I have first my own program running on iLiad!!!!! he-he-he!!!! I am spammer today!
Usual Zaurus cross-platform sdk (gcc2.95) works well.

hello_iliad.c

Code:
#include <stdio.h>

int main(int argc,char **argv)
{
	printf("Hello, my iLiad");

}
b.sh

Code:
#!/bin/sh

/bin/cp /opt/content/books/hello_iliad /tmp
/bin/chmod a+x /tmp/hello_iliad
/tmp/hello_iliad > /opt/content/books/hello_from_iliad.txt
Attached Files
File Type: tar hello_iliad.tar (20.0 KB, 223 views)
Mike Kostousov is offline   Reply With Quote
Old 10-20-2006, 02:17 AM   #14
Antartica
Evangelist
Antartica has learned how to read e-booksAntartica has learned how to read e-booksAntartica has learned how to read e-booksAntartica has learned how to read e-booksAntartica has learned how to read e-booksAntartica has learned how to read e-booksAntartica has learned how to read e-books
 
Posts: 415
Karma: 754
Join Date: Jun 2006
Location: Madrid, Spain
Device: iliad, onhandpc, newton, zaurus
Quote:
Originally Posted by arivero
Ok I will release it, on second inspection it is so simple that there is no issue.
Oh! I'm happy. I'll be upgrading to 2.7 today, then :-).

What's next in my todo list queue: investigate the pageBar protocol and doing a simple viewer using SDL... Now that we can test it :-)~~~! Yipieee!!!

Thanks arivero :-).
Antartica is offline   Reply With Quote
Old 10-20-2006, 03:40 AM   #15
Drops
Connoisseur
Drops began at the beginning.
 
Posts: 65
Karma: 10
Join Date: May 2006
Has anyone tried a java --version command yet?
Drops is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
A Huge Thank You BurBunny Amazon Kindle 4 02-27-2009 01:36 PM
Adobe Reader 9 new exploit in the wild doctorow News 2 02-20-2009 03:38 PM
Cybook not found in linux, found in win XP fjf Bookeen 15 01-18-2008 06:57 PM
Adobe Acrobat subject to remote exploit Alexander Turcic News 3 09-16-2006 05:29 AM
Serious exploit in Greasemonkey 0.4 Alexander Turcic Lounge 2 07-19-2005 04:59 AM


All times are GMT -4. The time now is 01:47 PM.


MobileRead.com is a privately owned, operated and funded community.