Xbox Hypervisor Security Protection Hacked
ACTRAiSER writes "A recent Post on Bugtraq claims the hack of the Xbox 360 Security Protection Hypervisor. It includes sample code as well."
From Bugtraq
"We have discovered a vulnerability in the Xbox 360 hypervisor that allows privilege escalation into hypervisor mode. Together with a method to inject data into non-privileged memory areas, this vulnerability allows an attacker with physical access to an Xbox 360 to run arbitrary code such as alternative operating systems with full privileges and full hardware access."
Re:That's Because... (Score:5, Interesting)
containing the bug
Nov 16, 2006 - proof of concept completed; unsigned code running in hypervisor context
Nov 30, 2006 - release of 4548 kernel, bug still not fixed
Dec 15, 2006 - first attempt to contact vendor to report bug
Dec 30, 2006 - public demonstration
Jan 03, 2007 - vendor contact established, full details disclosed
Jan 09, 2007 - vendor releases patch
Feb 28, 2007 - full public release
Patch Development Time (In Days): 6
Does MS force updates for things like this?
Ironically, I might buy one now (Score:3, Interesting)
-S
How Useless. (Score:5, Interesting)
Patch Tuesday)."
Fixed already for most people, anyone who's connected to Xbox Live.
I'm not sure why they're still protecting the system like they are though; 'backup' games are already rife due to hacked DVD-ROM firmware (which they seem to be unable to back-fix), so why not let it run arbitrary code? Didn't hurt the Xbox 1.
Timelines for Vulnerability Fixes (Score:5, Interesting)
Timeline:
..
..
Jan 03, 2007 - vendor contact established, full details disclosed
Jan 09, 2007 - vendor releases patch
Patch Development Time (In Days): 6
Interesting to compare timelines affecting Microsoft's users to timelines affecting Microsoft's control schemes.
Re:Attacker?? (Score:2, Interesting)
Well, yes, if you can get it to work you can run anything you want on your Xbox. Has Microsoft ever said you couldn't? Did they make any legal threats? No, no I don't think so. As much as you might want to be a martyr for The Cause, the police will not be looking for you simply because you have voided your Xbox warranty.
Re:Attacker?? (Score:3, Interesting)
You might think you own it, but SURPRISE, you are licensing it. You probably could have found the completely ambiguous statement on that little postcard you threw away.
Blue Pill time. (Score:3, Interesting)
Yes. As soon as your XB360 attempts to connect to Live (which even without you paying, it will do if you signed up for it) it will demand you update or it will disconnect you (which with Live-connected dashboard accounts signs you out of your local XB360 profile too)
Any bets on whether code running in hypervisor mode can create a virtual machine environment where the updated Microsoft code can think it's running the show when it's actually king of a sandbox?
Re:How Useless. (Score:4, Interesting)
Well, one thing that sure as hell makes cheating hard is requiring signed code and not allowing it to be modified. Have a hell of a time getting around that.
I have a couple friends who are both PC and console gamers and one thing they say they really like about shooters on their 360 is the absence of cheaters. On the PC it seems to be a game of cat and mouse. The cheaters find a way to screw with things, the anti-cheat software is updated, they find a way around that, etc. I remember back in the Quake 2 days it was just continuous. You'd get jerks with the latest, greatest aimbot, then the servers would update the anti-cheat, they'd all disappear, until the next one came out.
Re:How Useless. (Score:2, Interesting)
That's "loser". And the original Xbox was expected to lose money. It was a mostly-off-the-shelf console built quite quickly (approximately a year from initial design to ship, compared to the 360 that was in design for 3+ years before shipping) in an attempt to break into the market following the Sony-style loss-leader method.
The 360, on the other hand, was designed as a purpose-built console, with contracts in place to allow Microsoft to own the IP of the chips, thus allowing them the opportunity to farm out chip manufacture to lower cost partners, or even consolidate chips at a later date. While it's unclear whether or not the 360 is currently breaking even or making a profit on console sales, it's safe to say that this will happen eventually, and probably sooner than later.
Except that hacked consoles are detectable on Live and can be blocked from participating in online gameplay as well as access to the Marketplace (no updates for games, no demos or trailers, no XBLA access, etc). Xbox 360's biggest draw is the pervasive support of Xbox Live. Halo 2 is still selling very well today, over two years later, due to its Live support. Games like Gears of War or Crackdown are fun in single player but are even better when you can team up with a friend and play co-op. Some small percentage of people may be willing to trade off Live support in order to get free games. The bread-and-butter core market isn't going to go there.
Re:now i've got a reason too buy a 360 (Score:3, Interesting)
Yes, we really need a crack for the PS3's hypervisor. I believe it's similar to VMWare - Linux on the PS3 runs under a highly virtualized environment - not only can Linux not access the RSX, but it can only touch the stuff Sony wants touched (e.g., no wifi). The Linux partitioning is transparent to Linux (i.e., you can't access the "Game OS Partition" - Linux just sees its partition as a blank disk), and the hypervisor presents incomplete SCSI emulation of the 6 storage devices (hard disk, 4MB of flash memory, blu-ray drive, SD, CF and memory stick slots).
The emulation is so incomplete, if you have a bad block somewhere, the hypervisor returns an I/O error without reporting a media error. Makes for interesting times when your filesystem suddenly goes read-only for no apparent reason (you don't get anything logged other than "I/O Error" and "Filesystem is read-only", no media sense errors...). I think this is testing codepaths in Linux that really couldn't be tested since the errors they handled would be caught earlier...
The things that the hypervisor doesn't let you do:
* RSX access, obviously
* WiFi adapter
* Full access to Blu-Ray drive
* Full hard drive access
* Full configuration flash access
* Access to the EE/GS hardware
If you want fun, you can boot into Linux without formatting the hard drive - the hard drive doesn't appear at all.
Re:Yet another reason for better prog languages (Score:3, Interesting)
1. Save user mode registers (context switch).
2. Manipulate special purpose registers, e.g. re-enable interrupts.
3. Jump to system call service routine, based on the system call number passed as a parameter. This is where the bug was found - the jump destination was being computed incorrectly.
4. Restore registers.
5. Return to user code.
Even C is too high-level to do most of these operations. Standard C does not allow you to manipulate low-level registers. So assembly is used.
If you are interested, you can find the Linux system call handler for x86 systems in arch/i386/entry.S.
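Step 3 above, the jump from a syscall number to its handler, is where a single missed or mismatched check turns a dispatch table into an arbitrary-jump primitive. The following C model is an added example, not code from the thread or from any console firmware: it assumes, for illustration only, that the defect is a width mismatch between the range check and the value used as the table index (the actual Xbox 360 details are not on this page), and shows the checked selector a handler should use instead.

```c
/* Model of syscall dispatch (step 3 of the comment above): the syscall
 * number selects a handler from a table. Added illustration; the width-
 * mismatch defect is an assumed pattern, not the Xbox 360 bug's details. */
#include <stdint.h>
#include <stddef.h>

typedef long (*syscall_fn)(long arg);

/* Constructed handlers: three entries, so valid numbers are 0..2. */
static long sys_noop(long arg)   { (void)arg; return 0; }
static long sys_double(long arg) { return arg * 2; }
static long sys_negate(long arg) { return -arg; }

static const syscall_fn syscall_table[] = { sys_noop, sys_double, sys_negate };
#define NSYSCALLS (sizeof syscall_table / sizeof syscall_table[0])

/* Linux's ENOSYS errno value, used here as the "no such syscall" sentinel. */
static const long ENOSYS_RET = -38;

/* Defective range check: only the low 32 bits of the number are compared,
 * but the full 64-bit value is what the jump offset would be computed from.
 * Returns the index that would be used, or -1 if the check rejects it. */
int64_t select_truncated_check(uint64_t num)
{
    if ((uint32_t)num >= NSYSCALLS)   /* truncating compare */
        return -1;
    return (int64_t)num;              /* high bits survive into the index */
}

/* Hardened: the compare and the index use the same full-width value. */
int64_t select_checked(uint64_t num)
{
    if (num >= NSYSCALLS)
        return -1;
    return (int64_t)num;
}

/* Dispatch only through the checked selector; unknown numbers get ENOSYS. */
long dispatch(uint64_t num, long arg)
{
    int64_t idx = select_checked(num);
    if (idx < 0)
        return ENOSYS_RET;
    return syscall_table[idx](arg);
}
```

The truncated selector accepts 0x100000001 because its low 32 bits are 1, while the checked selector rejects it; the same input would have produced an index far outside the three-entry table.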