03 Aug 2013

Chromecast exploit package spawns a root shell on port 23

GTVHacker has stated:

How does the exploit work?

Lucky for us, Google was kind enough to GPL the bootloader source code for the device. So we can identify the exact flaw that allows us to boot the unsigned kernel. By holding down the single button while powering the device, the Chromecast boots into USB boot mode. USB boot mode looks for a signed image at 0x1000 on the USB drive. When found, the image is passed to the internal crypto hardware to be verified, but after this process the return code is never checked! Therefore, we can execute any code at will.

ret = VerifyImage((unsigned int)k_buff, cpu_img_siz, (unsigned int)k_buff); /* ret is stored but never tested before the image is used */

The example above shows the call made to verify the image; the value stored in ret is never actually verified to ensure that the call to “VerifyImage” succeeded. From that, we are able to execute our own kernel.

If you are in Vegas for DEF CON 21, check out – Google TV: Or How I Learned to Stop Worrying and Exploit Secure Boot by GTVHacker this Friday, August 2nd, at 3PM in the Penn and Teller Theater!
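The flaw GTVHacker describes is a missing check on a verification result, not a weakness in the crypto itself. The following added example (not the Chromecast bootloader's code, and not GTVHacker's) shows that pattern beside its hardened form: VerifyImage here is a constructed stand-in with a made-up signature, and the signed/unsigned images are constructed sample input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the bootloader's image check. The real loader
 * hands the buffer to the crypto hardware; here an 8-byte tag at the start
 * of the image plays the role of a valid signature.
 * Returns 0 on success, non-zero on failure (hypothetical convention). */
#define IMG_TAG     "SIGNEDOK"
#define IMG_TAG_LEN 8

int VerifyImage(const uint8_t *img, size_t len)
{
    if (len < IMG_TAG_LEN) return -1;              /* too short to carry a tag */
    return memcmp(img, IMG_TAG, IMG_TAG_LEN) == 0 ? 0 : -2;
}

/* The pattern from the post: the verifier runs, its result is stored,
 * and control is handed to the image regardless.
 * Returns 1 if the loader would jump into the image, 0 if it refuses. */
int boot_unchecked(const uint8_t *img, size_t len)
{
    int ret = VerifyImage(img, len);
    (void)ret;                  /* the bug: ret is never examined */
    return 1;                   /* every image, signed or not, gets booted */
}

/* Hardened form: the jump is gated on the verification result. */
int boot_checked(const uint8_t *img, size_t len)
{
    int ret = VerifyImage(img, len);
    if (ret != 0)
        return 0;               /* refuse to run an image that failed to verify */
    return 1;
}

/* Constructed sample images: one carrying the tag, one without it. */
static const uint8_t signed_img[]   = "SIGNEDOK<kernel bytes>";
static const uint8_t unsigned_img[] = "UNSIGNED<kernel bytes>";

int main(void)
{
    printf("unchecked loader, unsigned image: boots=%d\n",
           boot_unchecked(unsigned_img, sizeof unsigned_img));   /* 1 */
    printf("checked loader,   unsigned image: boots=%d\n",
           boot_checked(unsigned_img, sizeof unsigned_img));     /* 0 */
    printf("checked loader,   signed image:   boots=%d\n",
           boot_checked(signed_img, sizeof signed_img));         /* 1 */
    return 0;
}
```

A review of verification call sites should treat any stored-but-unused result like `ret` above as a finding; compilers only flag it (`-Wunused-but-set-variable` with GCC's `-Wall`) when the variable is otherwise untouched.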

