Tag Archives: Exploit

[PS3] XorLoser Releases PS3 Exploit Toolkit

Notorious XorLoser has fully rewritten GeoHot’s PS3 glitch attack programs, that allow more convenient exploiting. He names it XorHack.

It allows you to call lv1 syscalls (level 1 system calls) from a normal (userspace) program. It also lets you run the software required when triggering the PS3 exploit from a normal userspace program. To give an example of how it can be used I have included the following example programs:

  • ps3exploit – Runs the software required to exploit the ps3, it loops a number of times which can be specified as a parameter. (This still must be used along with the “button pressing”, it will not exploit the PS3 via software alone).
  • dumphv – Dumps the hypervisor to a file in the current directory.
  • dumpbl – Dumps the bootloader to a file in the current directory.
  • dumprom – Dumps the system  rom to a file in the current directory.

Links

» XorLoser: XorHack – The PS3 Exploit Toolkit
» GeoHot: Here’s Your Silver Platter

Picture is courtesy of XorHack

[PS3] GeoHot Opens All HV’s SPUs / XorLoser Preps Manual

Obviously notorious George Hotz has managed to get all 7 SPUs of the Playstation 3’s CPU under his control. This means although he cannot access the CPU’s root key, he now can decrypt everything that’s going thru these SPUs like datastreams of (encrypted) commercial games.

The PPU is higher on the control chain then the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, with clever memory mappings you can hide your modified hypervisor.

In the meantime another hacker going under the nick XorLoser has released a more detailed manual of how to use GeoHot’s exploitation files and how to do the glitching.

Besides that XorLoser maintains a plugin for reverser’s beloved Interactive Disassembler (IDA) that contains special PPC instructions for Xbox360 and PS3.

Congratulations to GeoHot. Kudos fly out to XorLoser.

Links

» GeoHot: On Isolated SPUs
» XorLoser: PS3 Exploit – Software
» XorLoser: PS3 Exploit – Hardware
» XorLoser: PS3 and Xbox360 IDA PlugIn
» Hex-Rays.com: IDA Pro

[iPhone] Jailbreak for iPhone 3Gs on the Way?

GeoHot posted a picture showing that he managed to run custom commands on iBoot. This seems to be the first major step for a jailbreak. Moreover GeoHot also managed to find the key for the Ramdisk while MuscleNerd of the iPhoneDevTeam obviously has already found the vfdecrypt key.

All this is good news. Anyway aswell as GeoHot and the DevTeam will have lots of work to do. Don’t expect anything soon, since GeoHot also found a new security addition called ECID, which obviously gets generated by Apple’s servers and which seems to be unique to every iPhone. Every restore seems to have to be validated by Apple’s servers. And this is bad news.

» Running custom commands on iBoot
» Ramdisk key found
» ECID signature layer found

[MacOS] Critical Safari and Firefox Java Exploit

Abstract

Landon Fuller reports that an almost six months old Java exploit has still not been fixed for Mac OS X. The exploit allows to compromise the Java sandbox in order to break out and run commands with the permissions of the executing user.

Classification

This issue is classified as serious as Java applets containing malicious code may be executed just by visiting a web page. Ladon Fuller says an illegal exploit is available in the wild. He prepared a proof of concept exploit that will make your Mac OS X computer say “I am executing in a user process“.

Applies to

The exploit aswell applies to Intel as to PowerPC based Mac OS X systems running Safari or Firefox.

More information

Some more background information and workarounds may be found on Fuller’s site.

[Linux] Demo Exploits for Acrobat in the wild

According to SecurityFocus Adobe Acrobat Reader has been compromised by using a JavaScript buffer overflow.Demo exploits have already been located on the internet. It may only be a matter of time until this exploit gets used by the botnet guys. Pay attention which PDF documents you really need to open on the net.

Description

Acrobat Reader’s getAnnots() Javascript is vulnerable to remote code execution. Arbitrary code can be run with the user’s privileges, thus circumventing Acrobat Reader’s security system.

Affected Versions

Demo Exploits are in the wild for

  • Linux Acrobat Reader 8.14
  • Linux Acrobat Reader 9.1

Other operating system may also be affected.

Workaround

As there is no patch available by Adobe at this moment, uninstalling the Acrobat Reader seems to be the best choice. Third party PDF readers are available all over the net. Find one of them here.

[iPhone] Baseband Downgrading Possible on 3G

We’ve recently reported that exploits can be applied to the baseband bootloader 5.8 to install any bootloader. Now a working exploit has been released via Cydia.

As we have not tested this program we strongly recommend not to try this for two reasons: first it seems this package is in violation of Apple’s copyright, as it distributes a bootloader and second the script seems to have issues. In quite a few cases downgrading did not work, although everything seems to have applied properly. Don’t use untested exploits. Sideeffects and damaged basebands might be the result.

[iPhone] iPhone 3G Bootloader 5.8 Compromised

George Hotz – well known to the iPhone scene as GeoHot – has put some efforts into analyzing the  behaviour of the bootloader 5.8 that is running in many iPhone 3G’s. He found the signature checking of the bootloader is buggy. By exploiting this bug we are now able to up- and downgrade the bootloader. Sadly many of nowadays iPhone 3G’s contain bootloader 5.91. which added an RSA check that GeoHot could not circumvent yet. Read his whole article here.

By the way: this seems to be the same exploit the iPhone Dev Team used and released to be able to be used for manipulating (read our news here). Anyway GeoHot did standing work again. Kudos to you, dude.