monte the /var partition?


bitmap
04-02-2007, 06:01 AM
In my DTivo R10, factory prom, I determined that I could "monte" the /var partition, but this didn't seem too helpful, as I still couldn't find a weakness in the rc.d scripts that executed anything from var without a signature check. Maybe someone can run with this...

Anyway, here's what I did:

Partition 14 was just larger than my var, so I used it for MY var.
I first dd'ed /dev/hdc9 to /dev/hdc14
(I have the disk mounted on hdc in my PC)

in /dev on the tivo disk: (Be sure to put the devices back to normal later if you test this.)

mv hda9 hda9.orig
ln hda14 hda9


What this accomplishes is simple: the initrd knows that /var is on /dev/hda9, and /dev in the ram disk image still has the original device with the normal device node ID, so when it runs the scan, it scans the original hda9 partition. When the initrd scan processed /mnt/dev, it did not checksum the block devices, so the device node change is undetected. Once the scans complete, it mounts root, chroots into it, and then our changed /dev is in play, so when /var is mounted this time, it mounts hda14 instead by way of the modified hda9 device.

This /var has not been scanned, so we can put anything we want in here,
but I'm still searching for a way to exploit this. I think I recall that unrecognized symlinks got deleted in the scan, but maybe there is a hole I haven't found yet that might let us symlink into the new /var to execute something.


But this got me thinking, maybe we could use device nodes elsewhere to avoid the scan.

Moving on... Most places in the rc.d scripts that execute anything in /var without a signature check test it with -x or something similar to check that the referenced file exists and is executable, but wait, there is no check on blizvalid.tcl. (Not sure what it's meant for, but /devbin/blizvalid didn't exist on my system.) blizvalid is on the root partition, but since the device nodes didn't get scanned... hmmm. Let's see what happens.

I'm about to test now, putting something into blizvalid as a device node :)
in /devbin:
mknod hda14 b 3 14
mknod hdc14 b 22 14
ln hda14 blizvalid.tcl
cp ../tvlib/tcl/tv/telnetd.tcl .

dd if=/dev/zero of=hdc14 bs=512
cat telnetd.tcl > hdc14

Ok, this puts a Tcl script in /devbin/blizvalid.tcl; now make it run.
bootpage -P "root=/dev/hda7 dsscon=true console=1,115200 blizvalid=true" /dev/hdc

sync, umount, put this disk back, and reboot...

Well, the blizvalid.tcl passed the scan, but the "blizvalid=true" in the bootpage got removed :(

5am and need sleep.

Any ideas on how we can use this??
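Added example, not part of the post: a small Python audit of exactly what the scan described above skips. A content checksum over /dev says nothing about a device node, because the node's meaning is its type and its major/minor pair, so a hard link renamed to hda9 or a block device dropped into /devbin under the name blizvalid.tcl hashes the same as before. The two manifests below are constructed from the thread's own numbers (hda is major 3, partitions 9 and 14); the paths are assumed, and scan_dir() builds a real manifest with os.lstat() when pointed at an actual tree.

```python
import os
import stat
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class NodeInfo:
    """What a content checksum never sees about a /dev entry."""
    kind: str    # "blk", "chr", "lnk", "dir" or "reg"
    major: int   # device major number, 0 for non-device entries
    minor: int   # device minor number, 0 for non-device entries
    nlink: int   # hard-link count reported by lstat()


def describe(path: str) -> NodeInfo:
    """Build a NodeInfo from lstat(); used when scanning a real tree."""
    st = os.lstat(path)
    mode = st.st_mode
    if stat.S_ISBLK(mode):
        kind = "blk"
    elif stat.S_ISCHR(mode):
        kind = "chr"
    elif stat.S_ISLNK(mode):
        kind = "lnk"
    elif stat.S_ISDIR(mode):
        kind = "dir"
    else:
        kind = "reg"
    if kind in ("blk", "chr"):
        return NodeInfo(kind, os.major(st.st_rdev), os.minor(st.st_rdev), st.st_nlink)
    return NodeInfo(kind, 0, 0, st.st_nlink)


def scan_dir(root: str) -> Dict[str, NodeInfo]:
    """Manifest of every entry under root (recursive, symlinks not followed)."""
    manifest: Dict[str, NodeInfo] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            manifest[full] = describe(full)
    return manifest


def audit(baseline: Dict[str, NodeInfo], current: Dict[str, NodeInfo]) -> List[str]:
    """Compare two manifests and report what a content hash would miss."""
    findings: List[str] = []
    for path, expect in baseline.items():
        got = current.get(path)
        if got is None:
            findings.append(f"{path}: missing")
            continue
        if got.kind != expect.kind:
            findings.append(f"{path}: type changed {expect.kind} -> {got.kind}")
        elif got.kind in ("blk", "chr") and (got.major, got.minor) != (expect.major, expect.minor):
            findings.append(f"{path}: device changed "
                            f"{expect.major}:{expect.minor} -> {got.major}:{got.minor}")
        # A device node with more than one link is reachable under another name.
        if got.kind in ("blk", "chr") and got.nlink > 1:
            findings.append(f"{path}: device node has {got.nlink} hard links")
    for path, got in current.items():
        if path not in baseline:
            findings.append(f"{path}: unexpected entry ({got.kind} {got.major}:{got.minor})")
    return findings


# Constructed sample manifests (not real scan output). hda is major 3 on
# Linux; partition 9 held the original /var and 14 the unscanned copy.
BASELINE = {
    "/dev/hda7": NodeInfo("blk", 3, 7, 1),
    "/dev/hda9": NodeInfo("blk", 3, 9, 1),
    "/dev/hda14": NodeInfo("blk", 3, 14, 1),
}

# Same tree after "mv hda9 hda9.orig; ln hda14 hda9" in /dev and a block
# device hard-linked to blizvalid.tcl in /devbin, as the post describes.
CURRENT = {
    "/dev/hda7": NodeInfo("blk", 3, 7, 1),
    "/dev/hda9": NodeInfo("blk", 3, 14, 2),
    "/dev/hda9.orig": NodeInfo("blk", 3, 9, 1),
    "/dev/hda14": NodeInfo("blk", 3, 14, 2),
    "/devbin/blizvalid.tcl": NodeInfo("blk", 3, 14, 2),
    "/devbin/hda14": NodeInfo("blk", 3, 14, 2),
}


def demo() -> List[str]:
    """Run the audit over the constructed manifests."""
    return audit(BASELINE, CURRENT)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On the constructed data the audit flags hda9 both for pointing at a different partition and for carrying a second hard link, flags hda14 for the extra link, and lists hda9.orig and the two /devbin nodes as entries absent from the baseline. Recording major/minor and link count alongside the content hash is the cheap fix for the gap the post found; the script does nothing about the bootpage parameter, which the post reports the box already strips.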

bitmap
04-02-2007, 06:11 AM
Dang, I was reading the wrong sub-forum when I clicked post.
I really did mean to put this in development...