
Thread: Series 3 TiVo susceptible to Bash Bug

  1. #1
    Join Date
    Feb 2009
    Posts
    79

    Series 3 TiVo susceptible to Bash Bug

    Not sure if anyone has been following the news, but a rather large bug was found in most Unix systems.

    https://securityblog.redhat.com/2014...ection-attack/

    and an associated proof-of-concept hack that might work with TiVos; another avenue would be via the built-in web interface for browsing shows.

    https://www.trustedsec.com/september...proof-concept/

    Not posting this to scare anyone, but I just tested my modded TiVo Series 3 and it is susceptible. This could be a good thing though.

    TiVoHD/ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test

    TiVoHD/ $ bash -version
    GNU bash, version 2.02.0(1)-release (i686-pc-linux-gnu)
    Copyright 1998 Free Software Foundation, Inc.

    So if someone was able to craft some sort of "hack" it might be possible to put modded code onto an unhacked TiVo.

    Sadly it is probably a pretty difficult thing to do though, as there are two levels of protection as far as I know.

    1st Level
    The PROM chip which checks that the boot kernel is unmodified. This is currently the only way known to mod Series 3 units.

    2nd Level
    The Kernel which checks certain files on the drive to make sure they have not been modded.

    Does anyone know what these files are?

    I am guessing tivoapp is one of them?

    Possible Benefits
    If someone could craft an attack it could be possible to modify some of the files on the TiVo without tripping the 2 levels of protection. You could also in theory blow away the second level of protection completely but it would be detected by the first level on the next boot and you would have a brick on your hands.

    Anyway just thought I would mention it if anyone wanted to dig around a bit.

  2. #2
    Join Date
    Apr 2005
    Location
    Providence, RI
    Posts
    484
    It could work on a series 3, since there are no security checks after boot. The critical part would be storing your hacks to keep them from getting erased on restart. If I recall correctly, even a non-modded series 3 will ignore partition 16 completely. Install your hacks there, break in via bash bug, and mount the partition. That would get you access to everything except any hacks that have to be started at boot.
    More software at http://davidlauria.com/software.
    The lost alt-rock masterpiece from the '90s, Range of Motion's "Soft Buzz of Silence", is now available on iTunes!

  3. #3
    Join Date
    Jul 2001
    Posts
    130
    I am also wondering if some sort of "hack" might be possible to put modded code onto an unhacked TiVo.

    Way back in 2002 a Series 1 could be hacked; here is an example of getting a shell prompt by adding to the boot arguments:
    Code:
    root=/dev/hdaX BASH_ENV=`/bin/bash</dev/ttyS3&>/dev/ttyS3`
    Maybe something like this may work:
    Code:
    root=/dev/hdaX BASH='() { :;}; /bin/bash -c "/var/hack/startup"'
    John

  4. #4
    Join Date
    Feb 2009
    Posts
    79
    Does anyone know what checks are in the kernel?

    Can you change tivoapp without it triggering an "alarm" during boot?

    That would be the only hack I think most people would be interested in.

  5. #5
    Join Date
    Feb 2009
    Posts
    79
    I have had a very vague look at some of the current attacks out there in the wild and they appear to do three things:

    1. Perform a check to see if the system is vulnerable
    2. Get the "victim" machine to wget a payload from a server
    3. Get the "victim" machine to extract and execute whatever was downloaded in the payload

    Like I said though, not sure what use this would be if you can't modify tivoapp due to kernel checks.
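The first post points out that the built-in web interface is a way the bug could reach a box, and the posts above describe what in-the-wild attempts look like. As an added example that is not from any poster, the following Python detector flags the bash function-definition prefix ("() {") that every Shellshock attempt must carry in an HTTP header value, the thing a defender watching a CGI-fronted embedded device would look for. The request strings and header names are constructed samples, not captured traffic.

```python
import re
from typing import Dict, List

# Unpatched bash treats any imported variable whose value begins with "() {"
# as a function definition and keeps executing past the closing brace, so the
# telltale in an HTTP request is that prefix inside a header value. Whitespace
# is optional because "() {" and "(){" both trigger the old parser.
SHELLSHOCK_PREFIX = re.compile(r"\(\)\s*\{")


def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x request into its headers (request line skipped)."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def shellshock_headers(raw: str) -> List[str]:
    """Return the names of headers carrying a bash function-definition prefix."""
    return sorted(n for n, v in parse_request(raw).items()
                  if SHELLSHOCK_PREFIX.search(v))


def scan_all(requests: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each sample's label to the list of suspicious header names."""
    return {label: shellshock_headers(raw) for label, raw in requests.items()}


# Constructed sample requests against a hypothetical CGI path; the only payload
# used is the harmless "echo" test from the thread itself.
SAMPLE_REQUESTS = {
    "benign": ("GET /cgi-bin/status HTTP/1.1\r\nHost: tivo.local\r\n"
               "User-Agent: Mozilla/5.0\r\n\r\n"),
    "user_agent": ("GET /cgi-bin/status HTTP/1.1\r\nHost: tivo.local\r\n"
                   "User-Agent: () { :;}; echo vulnerable\r\n\r\n"),
    "cookie_and_referer": ("GET /cgi-bin/status HTTP/1.1\r\nHost: tivo.local\r\n"
                           "Cookie: session=(){ :;}; echo test\r\n"
                           "Referer: () { :;}; echo test\r\n\r\n"),
}

if __name__ == "__main__":
    for label, hits in scan_all(SAMPLE_REQUESTS).items():
        verdict = "SUSPECT in " + ", ".join(hits) if hits else "clean"
        print(f"{label:20s} {verdict}")
```

Because "() {" almost never appears in legitimate header values, the rule has a low false-positive rate, and the same check applies to query strings and POST bodies that a CGI program exports into the environment.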
