Hacking You Freaks.

[FaTaL_ErRoR]

Did you know that tons of browsers and servers fall victim to freak attacks?
One particular browser is very prone to fall victim to this attack.
All this bug hunting going around just thought I would share.
Oh yeah getting arbitrary code execution is very easy once a browser falls victim to a freak attack.
Anyway, happy hunting.
You can "test" using this. https://github.com/AbhishekGhosh/FREAK-Attack-CVE-2015-0204-Testing-Script
And learn more here: https://gist.github.com/degan/70e8059507d173751294
Who's ready to see if there is a 5.3.3.....lol

 

[elgruntox]

Huh? I'm not seeing anything that backs your claim of "Oh yeah getting arbitrary code execution is very easy once a browser falls victim to a freak attack.". Do you have a proof of concept you found somewhere? All I'm seeing is this allowing for mitm attacks on a small amount of browsers.

 

[SirByte]

As long as the "small amount of browsers" includes the browser on the Wii U it's all good and since there's a test server listed, I'm sure FaTaL_ErRoR tested it on his Wii U before posting... right? PS mine has never been connected to the Internet.

 

[elgruntox]

As long as the "small amount of browsers" includes the browser on the Wii U it's all good and since there's a test server listed, I'm sure FaTaL_ErRoR tested it on his Wii U before posting... right? PS mine has never been connected to the Internet.

Test server listed? Where do you see that? And what would that give us? Are you saying the Wii U runs a TLS enabled webserver that could be exploited? Because that sounds like a really weird thing to have built into the console.

Also if you look at the bash script posted to test for vulnerable servers you'll see that even it says its specifically looking at mitm attacks.

 

[SirByte]

You are correct. The browser test is here: https://freakattack.com/

 

[FaTaL_ErRoR]

Yep, tested and wii u is vulnerable to freak attack. And webserver testing is not all this is used for. just needs to be ran as a website instead of running it in command promt. It was intended to be used for "webserver testing". But not much needs to be done to make it run in a website.
And gaining code execution is a lot easier because you are lowering the encryption. And well great things happen when things are made easier to read.

And gaining arbitrary code execution is easy once freak attack is successful is not a claim it is a fact.
Read up on it and see why once some people started using it to exploit web browsers and webservers most rolled out patches very quickly.
Permissions escalation happens much faster when the code encryption is weak.
Anyway didn't say I was working on a freak attack for the wii u. Just pointing out that this is probably an easier method than browser bugs.
But, do something with it or don't do something with it. I shared it that's all I was trying to do with this post.

 

[Duo8]

This could help with intercepting SSL comms on the Wii U. Test it with eShop or something.
The part about code exec is bs though

 

[Marionumber1]

Reading up about the bug, it seems that all it lets you do is potentially perform a MITM on a Wii U app. I'd be very surprised if that would lead to code execution (but hey, prove me wrong).

 

[migles]

Reading up about the bug, it seems that all it lets you do is potentially perform a MITM on a Wii U app. I'd be very surprised if that would lead to code execution (but hey, prove me wrong).

more like prove me i am right.

 

[elgruntox]

Yep, tested and wii u is vulnerable to freak attack. And webserver testing is not all this is used for. just needs to be ran as a website instead of running it in command promt. It was intended to be used for "webserver testing". But not much needs to be done to make it run in a website.
And gaining code execution is a lot easier because you are lowering the encryption. And well great things happen when things are made easier to read.

And gaining arbitrary code execution is easy once freak attack is successful is not a claim it is a fact.
Read up on it and see why once some people started using it to exploit web browsers and webservers most rolled out patches very quickly.
Permissions escalation happens much faster when the code encryption is weak.
Anyway didn't say I was working on a freak attack for the wii u. Just pointing out that this is probably an easier method than browser bugs.
But, do something with it or don't do something with it. I shared it that's all I was trying to do with this post.

Lowering the encryption to what... a website running ssl? I'm not really getting what you're saying here it really sounds like you don't understand what this CVE is about. All this does is exploit a bug in OpenSSL that would potentially let an attacker downgrade the type of crypto used and potentially lead to a mitm attack. There is nothing about being able to execute code anywhere in this attack. Browsers of course rolled out patches fast because who would want to keep around a feature that let attackers snoop on your users email traffic and such.

 

[The Real Jdbye]

Carry on everyone, nothing to see here...

 

[FaTaL_ErRoR]

Freak works very similar to heartbleed. Hell if you are vulnerable to freak chances are you are vulnerable to heartbleed as well.
https://cve.mitre.org/news/
And both of which can gain access to corrupt memory. So both in can be very good for exploitation.

And Marionumber1: Challenge accepted.

 

[DarkFlare69]

Freak works very similar to heartbleed. Hell if you are vulnerable to freak chances are you are vulnerable to heartbleed as well.
https://cve.mitre.org/news/
And both of which can gain access to corrupt memory. So both in can be very good for exploitation.

And Marionumber1: Challenge accepted.

Good luck

 

[Marionumber1]

Freak works very similar to heartbleed. Hell if you are vulnerable to freak chances are you are vulnerable to heartbleed as well.
https://cve.mitre.org/news/
And both of which can gain access to corrupt memory. So both in can be very good for exploitation.

And Marionumber1: Challenge accepted.

I see nothing on that page which indicates FREAK can cause memory corruption...

 

[frogboy]

Marionumber1: Challenge accepted.

Consider this thread watched.

Either way, it'll be fun.

EDIT: It really wasn't

 

[elgruntox]

Freak works very similar to heartbleed. Hell if you are vulnerable to freak chances are you are vulnerable to heartbleed as well.
https://cve.mitre.org/news/
And both of which can gain access to corrupt memory. So both in can be very good for exploitation.

And Marionumber1: Challenge accepted.

Heartbleed never led to corruption of memory, it was a purely read only exploit due to the bad handling of a pointer that lead to leaking of memory.

I will paypal $100 to whoever uses heartbleed or freak to break the wii-u browser (and provides code of course). These are read only attacks.

 

[FaTaL_ErRoR]

Heartbleed never led to corruption of memory, it was a purely read only exploit due to the bad handling of a pointer that lead to leaking of memory.

I will paypal $100 to whoever uses heartbleed or freak to break the wii-u browser (and provides code of course). These are read only attacks.

My ass it didn't.
And 5.4 updated the open ssl to no longer be vulnerable to freak attack. I know this because I updated one of my wii u consoles to 5.4 and no longer vulnerable....(but that leaves me with a group combined of 22 consoles still on firmware ranging from 2.1 to 5.3) I wonder why it was updated if it's "read only". Fuck how can it be read only when browsers and servers vulnerable to it can have the memory dumped?
And if you can dump the memory you can get the keys. (just because the worry was over server private keys doesn't mean other things private keys aren't also a concern and hell I would be fine with getting the communication between the console and the update server)
I personally don't believe in coincidences 1 mention of a freak attack and 24 hours later an update rolls out updating the very exploitable ssl.
I'm still going to roll with this on a console that's still running 5.3.2 and see why this was updated.

 

[Marionumber1]

And 5.4 updated the open ssl to no longer be vulnerable to freak attack. I know this because I updated one of my wii u consoles to 5.4 and no longer vulnerable....(but that leaves me with a group combined of 22 consoles still on firmware ranging from 2.1 to 5.3) I wonder why it was updated if it's "read only".

Nintendo updated the browser in general, it's not unreasonable that they would have updated its components along with it.

Fuck how can it be read only when browsers and servers vulnerable to it can have the memory dumped?

And yet you still haven't shown anyone a single piece of evidence indicating that this is true.

I personally don't believe in coincidences 1 mention of a freak attack and 24 hours later an update rolls out updating the very exploitable ssl.
I'm still going to roll with this on a console that's still running 5.3.2 and see why this was updated.

Yes, because Nintendo is watching GBATemp intently, sees an unverifiably-useful bug, and can roll out patches that quickly. Believing in coincidences is kind of necessary, by the way, because sometimes life is just like that.

 

[VinsCool]

Ohohoh this gonna be good.

 

[yuyuyup]

Is the wii u hacked yet