478
edits
Changes
no edit summary
Nintendo Zone v3.0 has the URL buffer overflow bug from NetFront 3.3 and DS Station. The NetFront version user agent was removed from the NZone bin, so it's unknown what NetFront version NZone uses. Linux/hostapd compatible box and a NIC supported by hostapd is required.
Nintendo Zone v3.0 has the URL buffer overflow bug from NetFront 3.3 and DS Station. The NetFront version user agent was removed from the NZone bin, so it's unknown what NetFront version NZone uses. Linux/hostapd compatible box and a NIC supported by hostapd is required.
A DS Station exploit has been written by [[User:Yellows8|Yellows8]]. The exploit is only available on Google Code wmb-asm SVN. SVN web interface is available [http://code.google.com/p/wmb-asm/source/browse/#svn/trunk/ds/nzonehtmlhaxx here], SVN URL available [http://wmb-asm.googlecode.com/svn/trunk/ds/nzonehtmlhaxx here.] To use the exploit at home, you also need a HTTPS forwarder/proxy, like httpsforwarder available in SVN. This exploit can only be used with html that is transferred over http. All html on the NZone server was moved to HTTPS. The html for the index main and sub screens is transferred over https. However, the html for the main screen for the pages after the index,(main server for DS Station only) is transferred with http. The sub screen html is transferred with https, with the main server.
A DS Station/NZone exploit has been written by [[User:Yellows8|Yellows8]]. The exploit is only available on Google Code wmb-asm SVN. SVN web interface is available [http://code.google.com/p/wmb-asm/source/browse/#svn/trunk/ds/nzonehtmlhaxx here], SVN URL available [http://wmb-asm.googlecode.com/svn/trunk/ds/nzonehtmlhaxx here.] To use the exploit at home with DS Station, you also need a HTTPS forwarder/proxy, like httpsforwarder available in SVN. This exploit can only be used with html that is transferred over http. All html on the NZone server was moved to HTTPS. Although the NZone bin has root CAs for VeriSign, Thawte, Nintendo, and others, NZone rejects all certs not signed by Nintendo which includes VeriSign, Thawte, etc. The html for the index main and sub screens is transferred over https. However, the html for the main screen for the pages after the index,(main server for DS Station only) is transferred with http. The sub screen html is transferred with https, with the main server.
[[File:2010-08-22-161844.jpg|200px|thumb|right|Test NZone haxx, crashed NZone. The EUR server bug exploited here was fixed a couple hours after beginning html injection attacks.]]
[[File:2010-08-22-161844.jpg|200px|thumb|right|Test NZone haxx, crashed NZone. The EUR server bug exploited here was fixed a couple hours after beginning html injection attacks.]]
=== Server exploits ===
=== Server exploits ===
The EUR NZone server used to have the [http://www.phonefactor.com/sslgap SSL] [http://extendedsubset.com/?p=8 renegotiation] [http://www.g-sec.lu/tls-ssl-proof-of-concept.html authentication] [http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html gap] bug. Initially, exploiting this with the redirection script on the server were being attempted. Then on the next day, attacks via HTTP TRACE requests to inject html into the server response to the DSi NZone client were done. HTTP TRACE is never used by NZone or any web browser. Counting from the initial attack, Nintendo fixed this in less than 26 hours. Counting from when attacks with HTTP TRACE were started, Nintendo fixed this in less than 4 hours. The picture to the right is a shot of crashed DSi NZone, Nintendo fixed the bug before any payload was executed.
The EUR NZone server used to have the [http://www.phonefactor.com/sslgap SSL] [http://extendedsubset.com/?p=8 renegotiation] [http://www.g-sec.lu/tls-ssl-proof-of-concept.html authentication] [http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html gap] bug. Initially, exploiting this with the redirection script on the server were being attempted. Then on the next day, attacks via HTTP TRACE requests to inject html into the server response to the DSi NZone client were done. Tests of crashing DSi NZone with nzonehtmlhaxx was done twice: first test was injecting htmlhaxx when the client tried sending a request to the redirection script for third-party content, the second test was injecting htmlhaxx immediately when the client first connected to the server. Both tests crashed DSi NZone perfectly. HTTP TRACE is never used by NZone or any web browser. Counting from the initial attack, Nintendo fixed this in less than 26 hours. Counting from when attacks with HTTP TRACE were started, Nintendo fixed this in less than 4 hours. The picture to the right is a shot of crashed DSi NZone, Nintendo fixed the bug before any payload was executed.