Xbox Hypervisor Security Protection Hacked

← Back to Stories (view on slashdot.org)

Xbox Hypervisor Security Protection Hacked

Posted by samzenpus on Wednesday February 28, 2007 @12:48PM from the they're-in dept.

ACTRAiSER writes "A recent Post on Bugtraq claims the hack of the Xbox 360 Security Protection Hypervisor. It includes sample code as well." From Bugtraq "We have discovered a vulnerability in the Xbox 360 hypervisor that allows privilege escalation into hypervisor mode. Together with a method to inject data into non-privileged memory areas, this vulnerability allows an attacker with physical access to an Xbox 360 to run arbitrary code such as alternative operating systems with full privileges and full hardware access."

11 of 232 comments (clear)

Min score:

Reason:

Sort:

Re:That's Because... by TubeSteak · 2007-02-28 12:57 · Score: 4, Interesting

Oct 31, 2006 - release of 4532 kernel, which is the first version
containing the bug
Nov 16, 2006 - proof of concept completed; unsigned code running in
hypervisor context
Nov 30, 2006 - release of 4548 kernel, bug still not fixed
Dec 15, 2006 - first attempt to contact vendor to report bug
Dec 30, 2006 - public demonstration
Jan 03, 2007 - vendor contact established, full details disclosed
Jan 09, 2007 - vendor releases patch
Feb 28, 2007 - full public release
Patch Development Time (In Days): 6

Does MS force updates for things like this?

--
[Fuck Beta]
o0t!
Ironically, I might buy one now by sdo1 · 2007-02-28 13:01 · Score: 2, Interesting

I've been looking to upgrade my media streamer capabilities and the original XBOX can run Xbox Media Center (http://www.xboxmediacenter.com/). I wonder if this means that a 360 version with HD streaming might be forthcoming? I hope so. I've been avoiding getting one because how locked down it is.

-S

--
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
How Useless. by Rdickinson · 2007-02-28 13:06 · Score: 4, Interesting

"Bug was fixed in version 4552 (released Jan 09, 2007 - not a
Patch Tuesday)."

Fixed already for most people , anyone who's connected to xbox live.

I'm not sure why there still protecting the system like they are though, 'backup' games are already rife due to hacked DVD rom firmware (which they seem to be unable to back fix), so why not let it run arbitary code, didnt hurt the xbox 1?
1. Re:How Useless. by Sycraft-fu · 2007-02-28 14:55 · Score: 3, Interesting
  
  While I'm sure there are also more draconian reasons, a simple one is cheat prevention. Cheating is always a big problem with online games since you end up having to trust the client to some degree to get reasonable performance. It's a nice idea that everything would e done server side, but you find that the latency and bandwidth of normal Internet connections make such a thing unworkable.
  
  Well, one thing that sure as hell makes cheating hard is requiring signed code and not allowing it to be modified. Have a hell of a time getting around that.
  
  I have a couple friends who are both PC and console gamers and one thing they say they really like about shooters on their 360 is the absence of cheaters. On the PC it seems to be a game of cat and mouse. The cheaters find a way to screw with things, the anti-cheat software is updated, they find a way around that, etc. I remember back in the Quake 2 days it was just continuous. You'd get jerks with the latest, greatest aimbot, then the servers would update the anti-cheat, they'd all disappear, until the next one came out.
2. Re:How Useless. by Osty · 2007-02-28 16:12 · Score: 2, Interesting
  
  Yes they make money on sales - 360 costs about what it sells for now, xbox1 was always a looser(financialy also..:P) - sales they make money on are games, add ons (controlers etc) and live stuff.
  
  That's "loser". And the original Xbox was expected to lose money. It was a mostly-off-the-shelf console built quite quickly (approximately a year from initial design to ship, compared to the 360 that was in design for 3+ years before shipping) in an attempt to break into the market following the Sony-style loss-leader method.
  
  The 360, on the other hand, was designed as a purpose-built console, with contracts in place to allow Microsoft to own the IP of the chips, thus allowing them the opportunity to farm out chip manufacture to lower cost partners, or even consolidate chips at a later date. While it's unclear whether or not the 360 is currently breaking even or making a profit on console sales, it's safe to say that this will happen eventually, and probably sooner than later.
  
  The 360 is [i]already[/i] compromised in its chief money making area, new games, you can play illigal copies with hacked DVD roms, this should have been the primary area of security, but as normal what security is left only hurts the law abiding people (no multie region dvd player, no linux, no arbitary homebrew etc).
  
  Except that hacked consoles are detectable on Live and can be blocked from participating in online gameplay as well as access to the Marketplace (no updates for games, no demos or trailers, no XBLA access, etc). Xbox 360's biggest draw is the pervasive support of Xbox Live. Halo 2 is still selling very well today, over two years later, due to its Live support. Games like Gears of War or Crackdown are fun in single player but are even better when you can team up with a friend and play co-op. Some small percentage of people may be willing to trade off Live support in order to get free games. The bread-and-butter core market isn't going to go there.
Timelines for Vulnerability Fixes by lmnfrs · 2007-02-28 13:08 · Score: 5, Interesting

Timeline:
..
Jan 03, 2007 - vendor contact established, full details disclosed
Jan 09, 2007 - vendor releases patch
..
Patch Development Time (In Days): 6

Interesting to compare timelines affecting Microsoft's users to timelines affecting Microsoft's control schemes.
Re:Attacker?? by Frosty+Piss · 2007-02-28 13:15 · Score: 1, Interesting

Wait. Don't you mean this allows an Xbox 360 user to run arbitrary code such as alternative operating systems with full privileges and full hardware access on the machine they rightfully own ?

Well, yes, if you can get it to work you can run anything you want on your XBox. Has Microsoft ever said you couldn't? Did they make any legal threats? No, no I don't think so. As much as youmight want to be a martyre for The Cause, the police will not be looking for you simply because you have voided your Xbox warranty.

--
If you want news from today, you have to come back tomorrow.
Re:Attacker?? by TheRealMindChild · 2007-02-28 13:21 · Score: 2, Interesting

See my comment here

You might think you own it, but SUPRISE, you are licensing it. You probably could have found the completely abiguous statement on that little postcard you threw away.

--

"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Blue Pill time. by Ungrounded+Lightning · 2007-02-28 14:16 · Score: 2, Interesting

Does MS force updates for things like this?

Yes. As soon as your XB360 attempts to connect to Live (which even without you paying, it will do if you signed up for it) it will demand you update or it will disconnect you (which with Live-connected dashboard accounts signs you out of your local XB360 profile too)

Any bets on whether code running in hypervisor mode can create a virtual machine environment where the updated Microsoft code can think it's running the show when it's actually king of a sandbox?

--
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Re:now i've got a reason too buy a 360 by tlhIngan · 2007-02-28 16:21 · Score: 2, Interesting

No. The PS3 also uses a hypervisor to keep Linux out of things Sony doesn't want you to touch. They allow basic framebuffer access, including direct YUV video modes at all of the popular HD resolutions. But 3D is reserved for PS3 games who pay their percentage to Sony. Hard drive access is also regulated to keep Linux inside the portion of the drive reserved for it.

Yes, we really need a crack for the PS3's hypervisor. I believe it's similar to VMWare - Linux on the PS3 runs under a highly virtualized environment - not only can Linux not access the RSX, but it can only touch the stuff Sony wants touched (e.g., no wifi). The Linux partitioning is transparent to Linux (i.e., you can't access the "Game OS Partition" - Linux just sees its partition as a blank disk), and the hypervisor presents incomplete SCSI emulation of the 6 storage devices (hard disk, 4MB of flash memory, blu-ray drive, SD, CF and memory stick slots).

The emulation is so incomplete, if you have a bad block somewhere, the hypervisor returns an I/O error without reporting a media error. Makes for interesting times when your filesystem suddenly goes read-only for no apparent reason (you don't get anything logged other than "I/O Error" and "Filesystem is read-only", no media sense errors...). I think this is testing codepaths in Linux that really couldn't be tested since the errors they handled would be caught earlier...

The things that the hypervisor doesn't let you do:
* RSX access, obviously
* WiFi adapter
* Full access to Blu-Ray drive
* Full hard drive access
* Full configuration flash access
* Access to the EE/GS hardware

If you want fun, you can boot into Linux without formatting the hard drive - the hard drive doesn't appear at all.
Re:Yet another reason for better prog languages by Cheesey · 2007-02-28 23:10 · Score: 2, Interesting

Actually the system call handler was probably written in PPC assembly. The system call handler is an interrupt service routine: it does the following jobs -

1. Save user mode registers (context switch).
2. Manipulate special purpose registers, e.g. re-enable interrupts.
3. Jump to system call service routine, based on the system call number passed as a parameter. This is where the bug was found - the jump destination was being computed incorrectly.
4. Restore registers.
5. Return to user code.

Even C is too high-level to do most of these operations. Standard C does not allow you to manipulate low-level registers. So assembly is used.

If you are interested, you can find the Linux system call handler for x86 systems in arch/i386/entry.S.

--
>north
You're an immobile computer, remember?