1 March 2007 7:20 by James "Dela" Delahunty | 13 comments
An anonymous hacker has discovered a way to compromise Microsoft's Xbox 360 console that could have allowed an alternative operating system to run on the hardware. The hack requires physical access to the console and takes advantage of a vulnerability in the Xbox 360 hypervisor.
The hypervisor provides encryption and decryption services for the console and controls access to memory. This ensures that all games and other code run on the console are cryptographically signed with Microsoft's private key and execute in non-privileged, read-only mode.
Flaws in the interaction between unprivileged code and the hypervisor laid the groundwork for the hack. The hacker tipped off Microsoft about the problem and the company quickly produced a patch. Proof-of-concept code and details were published on BugTraq on Wednesday.
Severity: Critical (Unsigned Code Execution in Hypervisor Mode)
Vendor: Microsoft
Systems Affected: All Xbox 360 systems with a kernel version of 4532 (released Oct 31, 2006) and 4548 (released Nov 30, 2006). Versions prior to 4532 are not affected. Bug was fixed in version 4552 (released Jan 09, 2007 - not a Patch Tuesday).
Overview:
We have discovered a vulnerability in the Xbox 360 hypervisor that allows privilege escalation into hypervisor mode. Together with a method to inject data into non-privileged memory areas, this vulnerability allows an attacker with physical access to an Xbox 360 to run arbitrary code such as alternative operating systems with full privileges and full hardware access.
Technical details:
The Xbox 360 security system is designed around a hypervisor concept. All games and other applications, which must be cryptographically signed with Microsoft's private key, run in non-privileged mode, while only a small hypervisor runs in privileged ("hypervisor") mode. The hypervisor controls access to memory and provides encryption and decryption services.
The policy implemented in the hypervisor forces all executable code to be read-only and encrypted. Therefore, unprivileged code cannot change executable code. A physical memory attack could modify code; however, code memory is encrypted with a unique per-session key, making meaningful modification of code memory in a broadly distributable fashion difficult. In addition, the stack and heap are always marked as non-executable, and therefore data loaded there can never be jumped to by unprivileged code.
Unprivileged code interacts with the hypervisor via the "sc" ("syscall") instruction, which causes the machine to enter hypervisor mode. The vulnerability is a result of incomplete checking of the parameters passed to the syscall dispatcher, as illustrated below.
Read the rest of the technical details at http://www.securityfocus.com/archive/1/461489/30/0/threaded
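The advisory describes the bug only as incomplete checking of the parameters passed to the syscall dispatcher. The following C program is an added illustration (not code from the advisory or from the Xbox 360 hypervisor) of one common way such a check is incomplete: the bounds check on the syscall number is performed at a narrower width than the index it is meant to guard. The two-entry table, the function names and the width mismatch are all assumptions constructed for the example; the hardened dispatcher beside it compares at the full width so that no value can pass the check yet index outside the table.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed syscall table for illustration; not the real hypervisor's table. */
typedef long (*syscall_fn)(uint64_t arg);
static long sys_nop(uint64_t a)  { (void)a; return 0; }
static long sys_echo(uint64_t a) { return (long)a; }
static syscall_fn syscall_table[] = { sys_nop, sys_echo };
#define NUM_SYSCALLS (sizeof syscall_table / sizeof syscall_table[0])

/* The dispatch decision is returned as data so the example can show which
   index the dispatcher would use without ever indexing outside the table. */
typedef struct { bool rejected; uint64_t index; bool in_bounds; } dispatch_t;

/* Flawed dispatcher (assumed mechanism): the syscall number arrives in a
   64-bit register, but only its low 32 bits are compared against the table
   size, while the full 64-bit value is used as the table index. */
dispatch_t dispatch_flawed(uint64_t nr) {
    dispatch_t d = { false, nr, nr < NUM_SYSCALLS };
    if ((uint32_t)nr >= NUM_SYSCALLS) { d.rejected = true; return d; }
    return d; /* check passed, yet d.in_bounds may be false */
}

/* Hardened dispatcher: the comparison uses the same width as the index. */
dispatch_t dispatch_hardened(uint64_t nr) {
    dispatch_t d = { false, nr, nr < NUM_SYSCALLS };
    if (nr >= NUM_SYSCALLS) { d.rejected = true; return d; }
    return d;
}

/* Invoke through the table only when the decision is accepted and in bounds. */
long invoke(dispatch_t d, uint64_t arg) {
    if (d.rejected || !d.in_bounds) return -1;
    return syscall_table[d.index](arg);
}

int main(void) {
    uint64_t nr = (1ULL << 32) | 1; /* low 32 bits look like syscall 1 */
    dispatch_t f = dispatch_flawed(nr), h = dispatch_hardened(nr);
    printf("flawed:   rejected=%d in_bounds=%d\n", f.rejected, f.in_bounds);
    printf("hardened: rejected=%d\n", h.rejected);
    return 0;
}
```

The flawed dispatcher accepts a value whose low half is valid while the index it would use lies past the table; the hardened one rejects it, which is the property a code review of any syscall entry path should confirm.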
Source: The Register
Discuss this article!
tabletpc (Inactive) 1 March 2007 7:24
Knew about this. They were talking about it on a German video that showed a hacker hacking the 360 to run a screen saver that said Mac OS X and Linux soon.
Dela (Staff Member) 1 March 2007 7:55
I had thought that was just modified King Kong running on hacked DVD drive firmware?
emachine (Senior Member) 1 March 2007 9:19
Too bad that hacker gave his goods away to M$. But I bet he made an ass load of cash.
dikdimond (Member) 1 March 2007 9:30
I read of rumors that the German video was made with the King Kong modified shaders. I had hoped that it was indeed a true hack. This might be it. Just because this hacker let the cat out of the bag to M$ doesn't mean the exploit can't be reproduced. Seriously, I doubt he was paid anything.
hughjars (Inactive) 1 March 2007 13:07
It's early days, but I just hope the Xbox 360 can become as good an all-round media player as the mk1 Xbox was.
xhardc0re (Inactive) 1 March 2007 19:54
Hmmmm, someone already h4ck0rzd the PS3 hypervisor to d/l games onto the HDD, aka b00tloader for PS3. Now they've taken the same concept & applied it to the Xbox 360.
Sweet :)
duckNrun (Inactive) 2 March 2007 8:57
xhardc0re to self: I 4|\/| $0 |<3\/\/l 83c@u53 1 C4|\| U$E LE3+
Most other people to themselves: j00 @Re 50 |<3\/\/l U5iNG L33t$P34k 1N 4 PUbl1c PH0Ru|\/|...|\|Ot!
Sorry, just a pet peeve of mine.
xhardc0re (Inactive) 2 March 2007 10:48
Originally posted by duckNrun: xhardc0re to self: I 4|\/| $0 |<3\/\/l 83c@u53 1 C4|\| U$E LE3+
Most other people to themselves: j00 @Re 50 |<3\/\/l U5iNG L33t$P34k 1N 4 PUbl1c PH0Ru|\/|...|\|Ot!
Sorry, just a pet peeve of mine.
You seem to have a lot of pet peeves, buddy. Where's some actual content in your msg about the story? Having a bad day? :( :( :(
duckNrun (Inactive) 2 March 2007 11:09
lol actually not a bad day at all, I just hate to see leet in a public forum knowing that most people can't read it. Seems pointless, like posting French in an all-English forum.
peace
kshep92 (Member) 3 March 2007 4:02
... OK, righty-o. Anyway, it would have been cool to see this exploit built on and expanded. Imagine the possibilities!! This could have been the first X360 mod... looks like my waiting period to buy one is extended :(
Bageland (Newbie) 3 March 2007 11:45
x hardcore said: you are so lame using leetspeak in a public forum...not!
Yeah, you're cool.
DXR88 (Senior Member) 6 November 2007 12:25
Quote: xhardc0re to self: I 4|\/| $0 |<3\/\/l 83c@u53 1 C4|\| U$E LE3+ = i am so cool i can use leet
That's one out of many. The real question is how he was able to get as far as he did.
marcusita (Senior Member) 9 November 2007 6:27
This is very old news.