Pop a Shell on Xbox One Video

[OsirisX]

After some time of Xbox One research, I've finally managed to pop a shell under retail mode. The exploit was ran on older firmware (any version before year 2020 is vulnerable). Note that no custom store apps were used for this exploit.

Spoiler

 

[FR0ZN]

Is this "just" a shell with system user privileges?
Or did you manage to attack the kernel or even the hypervisor?

 

[OsirisX]

The kernel itself was exploited to gain priv escalation of a process. From there you can patch memory, create new processes, etc. The shell does have LocalSystem privileges however the main part of the exploit is coming from kernel. A hypervisor exploit is not needed for creating HEN like payloads. Priv esc is enough to read/write memory to any process as long as you're careful on the memory regions.

 

[FR0ZN]

Does this suffice to access other processes or even decrypt XVDs?

 

[OsirisX]

Any process under System OS is accessible. More reversing is needed to see if XVDs can be decrypted although we'll probably need access to Game OS to do so.

 

[FR0ZN]

Any process under System OS is accessible. More reversing is needed to see if XVDs can be decrypted although we'll probably need access to Game OS to do so.

That's pretty impressive.
Will you attempt to go further?