iLiad Huge exploit found in 2.7

arivero · 10-19-2006, 02:47 PM

Ok, I have downloaded the 2.7. Awesome pdf thing, it remembers the zoom between pages, and this is already better than standard xpdf, nice icons, blah blah blah. Ah and yes, I got to execute a ls > /opt/content/books/a.txt command. But on the other hand the remote Xserver approach seems promising. So what do I do? Wait for a crack via Xserver to be done? Do I explain how I did the ls so you people can try to run shell scripts via similar methods, risking to be patched in the security fix? Personally I think that any Xserver exploit will be patched in the future, because it is a real internet security issue.

jæd · 10-19-2006, 02:58 PM

Quote:

Originally Posted by arivero

Do I explain how I did the ls so you people can try to run shell scripts via similar methods, risking to be patched in the security fix? Personally I think that any Xserver exploit will be patched in the future, because it is a real internet security issue.

Up to you whether you think its better to have an unsecured Illiad and to be the only one with this knowledge, or to help the Illiad progress. Congratulations, btw...

arivero · 10-19-2006, 03:00 PM

Quote:

Originally Posted by jæd

Up to you whether you think its better to have an unsecured Illiad and to be the only one with this knowledge, or to help the Illiad progress. Congratulations, btw...

I could ask for a NDA agreement

design256 · 10-19-2006, 03:11 PM

Quote:

Originally Posted by arivero

Ok, I have downloaded the 2.7. Awesome pdf thing, it remembers the zoom between pages, and this is already better than standard xpdf, nice icons, blah blah blah. Ah and yes, I got to execute a ls > /opt/content/books/a.txt command. But on the other hand the remote Xserver approach seems promising. So what do I do? Wait for a crack via Xserver to be done? Do I explain how I did the ls so you people can try to run shell scripts via similar methods, risking to be patched in the security fix? Personally I think that any Xserver exploit will be patched in the future, because it is a real internet security issue.

Perhaps you could use it to help us finish the Xserver exploit. Then make it public when Irex patches that in 2.8...

arivero · 10-19-2006, 03:32 PM

Ok I will release it, on second inspection it is so simple that there is no issue.

I backquoted the password in the WEP configuration.

this is, I created a new wireless wep connection (wizard, anyname, Proceed, Wireless, anyssid, proceed, WEP, proceed) and in the wep security key field I used:

Quote:

`ls > /opt/content/books/a.txt`

I pressed TEST (no proceed anymore).

And yep, it escaped.

I think iRex does not really need to patch this one. It is not a security hole, as the ssh was. Nor a Cuartango trick, as the pdf could be. Here the Owner of the machine must know exactly what he is doing, no argue about being tricked to do it (except if you have got a devilish system admistrator telling you that THAT is the password for your local wlan!).

Besides, you need to retort the trick in order to use it to "open the internet", because most probably this escape is executed at the level of the networking scripts, and man you do not want to call the networking script from the networking script.

design256 · 10-19-2006, 03:43 PM

Quote:

Originally Posted by arivero

Ok I will release it, on second inspection it is so simple that there is no issue.

I backquoted the password in the WEP configuration.

this is, I created a new wireless wep connection (wizard, anyname, Proceed, Wireless, anyssid, proceed, WEP, proceed) and in the wep security key field I used:

I pressed TEST (no proceed anymore).

And yep, it escaped.

I think iRex does not really need to patch this one. It is not a security hole, as the ssh was. Nor a Cuartango trick, as the pdf could be. Here the Owner of the machine must know exactly what he is doing, no argue about being tricked to do it (except if you have got a devilish system admistrator telling you that THAT is the password for your local wlan!).

Besides, you need to retort the trick in order to use it to "open the internet", because most probably this escape is executed at the level of the networking scripts, and man you do not want to call the networking script from the networking script.

neat. Congratulations on thinking of this one.

arivero · 10-19-2006, 03:57 PM

Quote:

Originally Posted by design256

neat. Congratulations on thinking of this one.

A pleasure. Please remember this trick is under the 75 Euros caveat

scotty1024 · 10-19-2006, 07:42 PM

Now that's a nice hole!

So who hasn't done this yet?

cp /etc/passwd /opt/content/books/passwd
<edit passwd>
cp /opt/content/books/passwd /etc/passwd
cp /opt/content/books/bugbear /usr/sbin
...

scotty1024 · 10-19-2006, 07:45 PM

Hmmm perhaps update the irex.crt to make iDS proxy very simple again?

Mike Kostousov · 10-19-2006, 08:40 PM

Wau!!!! It is amazing! So big hole!

Code:

`/bin/bash /opt/books/what-ever-you-want.sh`

Mike Kostousov · 10-19-2006, 08:48 PM

sorry. There is no bash. Just sh

Mike Kostousov · 10-19-2006, 09:10 PM

uupi!!! It works!

Code:

`/bin/sh /opt/content/books/a.sh`

There is "a.sh"

Code:

#!/bin/sh

/bin/ps aux > /opt/content/books/ps-aux-out.txt
/bin/uname -a > /opt/content/books/uname-a.txt
/bin/cat /proc/cpuinfo > /opt/content/books/cpuinfo.txt
/bin/mount > /opt/content/books/mount.txt
/bin/dmesg > /opt/content/books/dmesg.txt
/bin/ls /boot > /opt/content/books/ls-boot.txt

But, if you want to try by yourself, you are doing it by you own risk! Be careful!

It is really big hole. Now, I will try to compile somthing for iLiad (my be cross-compiler for zaurus will succseed). BTW, I think, it is the most careful way is to mount MMC with ext2, and try to do everything there..

Mike Kostousov · 10-19-2006, 09:31 PM

Wau! I have first my own program running on iLiad!!!!! he-he-he!!!! I am spammer today!
Usual Zaurus cross-platform sdk (gcc2.95) works well.

hello_iliad.c

Code:

#include <stdio.h>

int main(int argc,char **argv)
{
	printf("Hello, my iLiad");

}

b.sh

Code:

#!/bin/sh

/bin/cp /opt/content/books/hello_iliad /tmp
/bin/chmod a+x /tmp/hello_iliad
/tmp/hello_iliad > /opt/content/books/hello_from_iliad.txt

Antartica · 10-20-2006, 03:17 AM

Quote:

Originally Posted by arivero

Ok I will release it, on second inspection it is so simple that there is no issue.

Oh! I'm happy. I'll be upgrading to 2.7 today, then :-).

What's next in my todo list queue: investigate the pageBar protocol and doing a simple viewer using SDL... Now that we can test it :-)~~~! Yipieee!!!

Thanks arivero :-).

Drops · 10-20-2006, 04:40 AM

Has anyone tried a java --version command yet?

10-19-2006, 02:47 PM	#1
arivero Guru Posts: 607 Karma: 2157 Join Date: Oct 2005 Device: NCR3125, Nokia 770,...	Huge exploit found in 2.7 Ok, I have downloaded the 2.7. Awesome pdf thing, it remembers the zoom between pages, and this is already better than standard xpdf, nice icons, blah blah blah. Ah and yes, I got to execute a ls > /opt/content/books/a.txt command. But on the other hand the remote Xserver approach seems promising. So what do I do? Wait for a crack via Xserver to be done? Do I explain how I did the ls so you people can try to run shell scripts via similar methods, risking to be patched in the security fix? Personally I think that any Xserver exploit will be patched in the future, because it is a real internet security issue.

10-19-2006, 08:40 PM	#10
Mike Kostousov Connoisseur Posts: 50 Karma: 861 Join Date: Aug 2006 Device: Zaurus C1000/iLiad/SE K750i	Wau!!!! It is amazing! So big hole! Code: `/bin/bash /opt/books/what-ever-you-want.sh`

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
A Huge Thank You	BurBunny	Amazon Kindle	4	02-27-2009 02:36 PM
Adobe Reader 9 new exploit in the wild	doctorow	News	2	02-20-2009 04:38 PM
Cybook not found in linux, found in win XP	fjf	Bookeen	15	01-18-2008 07:57 PM
Adobe Acrobat subject to remote exploit	Alexander Turcic	News	3	09-16-2006 06:29 AM
Serious exploit in Greasemonkey 0.4	Alexander Turcic	Lounge	2	07-19-2005 05:59 AM

10-19-2006, 07:42 PM	#8
scotty1024 Banned Posts: 1,300 Karma: 1479 Join Date: Jul 2006 Location: Peoples Republic of Washington Device: Reader / iPhone / Librie / Kindle	Now that's a nice hole! So who hasn't done this yet? cp /etc/passwd /opt/content/books/passwd <edit passwd> cp /opt/content/books/passwd /etc/passwd cp /opt/content/books/bugbear /usr/sbin ...

10-19-2006, 07:45 PM	#9
scotty1024 Banned Posts: 1,300 Karma: 1479 Join Date: Jul 2006 Location: Peoples Republic of Washington Device: Reader / iPhone / Librie / Kindle	Hmmm perhaps update the irex.crt to make iDS proxy very simple again?

10-19-2006, 08:48 PM	#11
Mike Kostousov Connoisseur Posts: 50 Karma: 861 Join Date: Aug 2006 Device: Zaurus C1000/iLiad/SE K750i	sorry. There is no bash. Just sh

10-20-2006, 04:40 AM	#15
Drops Connoisseur Posts: 65 Karma: 10 Join Date: May 2006	Has anyone tried a java --version command yet?

Advert

Advert