Sunday, January 07, 2007

Opera Vulnerability Discovered - Crash your Wii

PS2-Scene is reporting a vulnerability in the Opera Browser. They have posted code which uses SVG to crash the Wii's Web Browser. This could lead to arbitrary code execution. The hackers are busy at work trying to make something useful out of this, while Opera is probably scrambling to issue a patch to fix the problem.

XiaNaix posted:

A flaw exists within Opera's Javascript SVG implementation. When processing a createSVGTransformFromMatrix request Opera does not properly validate the type of object passed to the function. Passing an incorrect object to this function can result in it using a pointer that is user controlled when it attempts to make the virtual function call.

Exploitation of this vulnerability would allow an attacker to execute arbitrary code on the affected host. The attacker would first need to construct a website containing the malicious JavaScript and trick the vulnerable user into visiting the site. This would trigger the vulnerability and allow the code to execute with the privileges of the local user.

This exploit could possibly be used to run code on the Wii!

Get more info and example code from here
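The type-confusion pattern XiaNaix describes, as an added illustration written for this page (a hypothetical, much simplified binding model, not Opera's or iDefense's code): an unchecked binding casts the argument's internal slot to a native SVGMatrix and makes a virtual call through it, while the hardened version checks the object's class first.

```cpp
#include <cstdint>

// Hypothetical, much simplified model of a script-to-native binding; none of
// this is Opera's code. A script value carries a class id and an internal slot
// that, for a genuine SVGMatrix wrapper, points at the native object.
enum ClassId : uint32_t { CLASS_PLAIN_OBJECT = 1, CLASS_SVG_MATRIX = 2 };
struct ScriptValue {
    ClassId classId;
    void* internalSlot;   // native pointer for wrappers; script data otherwise
};

// Native SVGMatrix with a virtual method: calling it goes through the vtable
// pointer read from whatever memory the object pointer names.
struct SVGMatrix {
    double a, b, c, d, e, f;
    SVGMatrix(double a_, double b_, double c_, double d_, double e_, double f_)
        : a(a_), b(b_), c(c_), d(d_), e(e_), f(f_) {}
    virtual ~SVGMatrix() = default;
    virtual double determinant() const { return a * d - b * c; }
};

// Unchecked binding, modelling the flaw described above: the slot is cast to
// SVGMatrix* without confirming the value is a matrix, so for a plain object
// the virtual call goes through script-chosen data. Never call it with one.
double transformFromMatrixUnchecked(const ScriptValue& arg) {
    const auto* m = static_cast<const SVGMatrix*>(arg.internalSlot);
    return m->determinant();
}

// Hardened binding: validate the class id before trusting the slot and report
// a type error (false) instead of dereferencing anything.
bool transformFromMatrixChecked(const ScriptValue& arg, double* out) {
    if (arg.classId != CLASS_SVG_MATRIX || arg.internalSlot == nullptr) {
        return false;   // the script side would raise a TypeError here
    }
    const auto* m = static_cast<const SVGMatrix*>(arg.internalSlot);
    if (out) *out = m->determinant();
    return true;
}

// Constructed sample inputs: a genuine matrix wrapper, and a plain object whose
// slot holds a script-chosen constant that is not a valid pointer.
SVGMatrix g_matrix{2.0, 0.0, 0.0, 3.0, 5.0, 7.0};
ScriptValue makeMatrixArg() { return {CLASS_SVG_MATRIX, &g_matrix}; }
ScriptValue makePlainArg() {
    return {CLASS_PLAIN_OBJECT, reinterpret_cast<void*>(uintptr_t{0x41414141})};
}
int main() {   // exit code 0: the plain object was rejected
    return transformFromMatrixChecked(makePlainArg(), nullptr) ? 1 : 0;
}
```

The unchecked path is only ever exercised with the genuine wrapper here; with the plain object it would read a vtable through the constructed 0x41414141 value and crash, which is the behaviour the crash reports above describe.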

I've also added this link to the Wii Portal Page, so if you already have that bookmarked, you can test out the 'Crash My Wii' link from there as well.

So to reiterate, they can get the Wii to crash. This has not yet opened up any way to run homebrew, but it's the hole most hackers have been waiting for. Will update later when more is known.

More information about this bug posted on iDefense. Seems like Opera has known about this one since November.

trapflag on IRC is looking at the registers to find ways to execute code:
http://paste.uni.cc/12615 (x86 opera)

pab_ has it crashing on the Opera 9 PPC binary with a debugger attached:
Debugger Output

Opera's Response to this bug:
"Attackers can specially call the function createSVGTransformFromMatrix to have the browser execute code with the user's rights. The vendor has categorized both of the holes as merely "moderate". The firm argues that it is not easy to exploit the heap overflow consistently."
- http://www.heise-security.co.uk/news/83279

Also, Opera claims they fixed this bug in Opera 9.10... but the Wii's version appears to be earlier than that.

An important thing to note is that if this works, the same bug can be used to do dangerous things to your Wii. Be careful before clicking on any unknown link, since someone may try to use it to run malicious code that breaks your Wii.

FreePlayPSP on digg writes:
I'm not sure how much is known about the Wii's architecture, so I'm not sure how viable it will be to run our own unsigned code through this. Not to mention that Opera seems to run in a sort of sandbox - I've Lastmeasured my Wii to the point that the browser was 100% unresponsive but the Home button still worked just fine. Haven't tested this out yet, though, so it's possible that this 'breaks' the sandbox.

Nice PoC, lbradeen and larholm. Question, though: is this an actual overflow, or just an out-of-memory glitch from trying to create an array with 0xFFFFFFFF members? I don't know much about how Opera handles memory in its Javascript handler, or if 0xFFFFFFFF means -1 or 4294967295 for Javascript in general. I assume that shoving this function into createSVGTransformFromMatrix simply bypasses some sort of memory limitation check. Is this really usable to run unsigned code, or just to crash the system?
Eli said...

We've gotta be careful, this could be an easy way for malicious hackers to brick our Wiis.

Eli said...

By that I mean the whole concept, not you guys :)

Ari said...

I hope it leads to homebrew and backup booting!

raindog469 said...

I'm not too excited about any browser-based method of booting homebrew unless someone uses it to write a firmware manager/downgrader somehow before January 27 (or earlier.... I just say January 27 because that's the go-live date for the News Channel which will involve another firmware update.)

punkrockguy318 said...

Hey liquidice: In what IRC channel is this being worked on and discussed?

