Changes

265 bytes added ,  19:58, 2 September 2010
Line 88: Line 88:     
The EUR NZone server used to have the [http://www.phonefactor.com/sslgap SSL] [http://extendedsubset.com/?p=8 renegotiation] [http://www.g-sec.lu/tls-ssl-proof-of-concept.html authentication] [http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html gap] bug. Initially, exploiting this with the redirection script on the server were being attempted. Then on the next day, attacks via HTTP TRACE requests to inject html into the server response to the DSi NZone client were done. Tests of crashing DSi NZone with nzonehtmlhaxx was done twice: first test was injecting htmlhaxx when the client tried sending a request to the redirection script for third-party content, the second test was injecting htmlhaxx immediately when the client first connected to the server. Both tests crashed DSi NZone perfectly. HTTP TRACE is never used by NZone or any web browser. Counting from the initial attack, Nintendo fixed this in less than 26 hours. Counting from when attacks with HTTP TRACE were started, Nintendo fixed this in less than 4 hours. The picture to the right is a shot of crashed DSi NZone, Nintendo fixed the bug before any payload was executed.
 
The EUR NZone server used to have the [http://www.phonefactor.com/sslgap SSL] [http://extendedsubset.com/?p=8 renegotiation] [http://www.g-sec.lu/tls-ssl-proof-of-concept.html authentication] [http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html gap] bug. Initially, exploiting this with the redirection script on the server were being attempted. Then on the next day, attacks via HTTP TRACE requests to inject html into the server response to the DSi NZone client were done. Tests of crashing DSi NZone with nzonehtmlhaxx was done twice: first test was injecting htmlhaxx when the client tried sending a request to the redirection script for third-party content, the second test was injecting htmlhaxx immediately when the client first connected to the server. Both tests crashed DSi NZone perfectly. HTTP TRACE is never used by NZone or any web browser. Counting from the initial attack, Nintendo fixed this in less than 26 hours. Counting from when attacks with HTTP TRACE were started, Nintendo fixed this in less than 4 hours. The picture to the right is a shot of crashed DSi NZone, Nintendo fixed the bug before any payload was executed.
 +
 +
That EUR SSL reneg exploit was the only NZone servers hole in existence, there are no more SSL holes, there are zero http links on all NZone sites Nintendo and third-party, and there are zero NZone beacon data code buffer overflows. NZone haxx is completely dead.
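Review bot: the added paragraph at the end of this hunk states absolutes ("the only NZone servers hole in existence", "there are no more SSL holes", "zero NZone beacon data code buffer overflows", "completely dead") with no date qualifier and no indication of how they were verified. Suggest wording these as what is known as of this revision, and saying what was actually checked, since the paragraph above it describes a server-side bug that Nintendo fixed and could equally describe future server changes. Two wording points in the same line: "NZone servers hole" should be "NZone server hole", and the comma before "there are no more SSL holes" joins two sentences and should be a full stop.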
