You Freaks.

Discussion in 'Wii U - Hacking & Backup Loaders' started by FaTaL_ErRoR, Jun 7, 2015.

  1. FaTaL_ErRoR
    OP

    FaTaL_ErRoR AKA ŦƕƎ ƠṀƐƝ

    Member
    491
    346
    Mar 9, 2014
    United States
    Did you know that tons of browsers and servers fall victim to freak attacks?
    One particular browser is very prone to fall victim to this attack.
    With all this bug hunting going around, I just thought I would share.
    Oh yeah, getting arbitrary code execution is very easy once a browser falls victim to a freak attack.
    Anyway, happy hunting.
    You can "test" using this. https://github.com/AbhishekGhosh/FREAK-Attack-CVE-2015-0204-Testing-Script
    And learn more here: https://gist.github.com/degan/70e8059507d173751294
    Who's ready to see if there is a 5.3.3.....lol
     
    Last edited by FaTaL_ErRoR, Jun 7, 2015
    Adr990 likes this.
  2. elgruntox

    elgruntox Newbie

    Newcomer
    6
    6
    Jun 6, 2015
    United States
    Huh? I'm not seeing anything that backs your claim of "Oh yeah getting arbitrary code execution is very easy once a browser falls victim to a freak attack.". Do you have a proof of concept you found somewhere? All I'm seeing is this allowing for mitm attacks on a small amount of browsers.
     
  3. SirByte

    SirByte GBAtemp Fan

    Member
    494
    191
    Dec 30, 2012
    Canada
    As long as the "small amount of browsers" includes the browser on the Wii U it's all good, and since there's a test server listed, I'm sure FaTaL_ErRoR tested it on his Wii U before posting... right? PS: mine has never been connected to the Internet.
     
  4. elgruntox

    elgruntox Newbie

    Newcomer
    6
    6
    Jun 6, 2015
    United States
    Test server listed? Where do you see that? And what would that give us? Are you saying the Wii U runs a TLS enabled webserver that could be exploited? Because that sounds like a really weird thing to have built into the console.

    Also, if you look at the bash script posted to test for vulnerable servers, you'll see that even it says it's specifically looking at mitm attacks.
     
  5. SirByte

    SirByte GBAtemp Fan

    Member
    494
    191
    Dec 30, 2012
    Canada
  6. FaTaL_ErRoR
    OP

    FaTaL_ErRoR AKA ŦƕƎ ƠṀƐƝ

    Member
    491
    346
    Mar 9, 2014
    United States
    Yep, tested, and the Wii U is vulnerable to freak attack. And webserver testing is not all this is used for. It just needs to be run as a website instead of running it in a command prompt. It was intended to be used for "webserver testing". But not much needs to be done to make it run in a website.
    And gaining code execution is a lot easier because you are lowering the encryption. And well, great things happen when things are made easier to read.

    And that gaining arbitrary code execution is easy once a freak attack is successful is not a claim, it is a fact.
    Read up on it and see why, once some people started using it to exploit web browsers and webservers, most rolled out patches very quickly.
    Permissions escalation happens much faster when the code encryption is weak.
    Anyway, I didn't say I was working on a freak attack for the Wii U. Just pointing out that this is probably an easier method than browser bugs.
    But do something with it or don't do something with it. I shared it; that's all I was trying to do with this post.
     
    DarkFlare69 likes this.
  7. Duo8

    Duo8 I don't like video games

    Member
    3,443
    1,140
    Jul 16, 2013
    This could help with intercepting SSL comms on the Wii U. Test it with eShop or something.
    The part about code exec is bs though
     
    DarkFlare69 likes this.
  8. Marionumber1

    Marionumber1 GBAtemp Maniac

    Member
    1,234
    3,933
    Nov 7, 2010
    United States
    Reading up about the bug, it seems that all it lets you do is potentially perform a MITM on a Wii U app. I'd be very surprised if that would lead to code execution (but hey, prove me wrong).
     
    DarkFlare69, Adr990 and VinsCool like this.
  9. migles

    migles Mei the sexiest bae

    Member
    GBAtemp Patron
    6,983
    4,701
    Sep 19, 2013
    Saint Kitts and Nevis
    My dad works for Nintendo.
    More like prove me I am right.
     
    VinsCool and Marionumber1 like this.
  10. elgruntox

    elgruntox Newbie

    Newcomer
    6
    6
    Jun 6, 2015
    United States
    Lowering the encryption to what... a website running SSL? I'm not really getting what you're saying here; it really sounds like you don't understand what this CVE is about. All this does is exploit a bug in OpenSSL that would potentially let an attacker downgrade the type of crypto used and potentially lead to a mitm attack. There is nothing about being able to execute code anywhere in this attack. Browsers of course rolled out patches fast because who would want to keep around a feature that let attackers snoop on your users' email traffic and such.
     
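    A defender's view of the downgrade described above, as an added example that is not part of the thread or the linked testing script: the export-grade RSA suites in a captured ClientHello or ServerHello are exactly what a FREAK audit looks for. The parser, the `build_hello` helper and the two sample records are all constructed here; the cipher suite numbers are the standard TLS values.

    ```python
    import struct

    # Export-grade RSA cipher suites (RFC 2246 / RFC 4346 values). A FREAK-vulnerable
    # server still accepts them; a vulnerable client will use the resulting 512-bit
    # RSA key even though it never offered these suites.
    RSA_EXPORT_SUITES = {
        0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
        0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
        0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
        0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
        0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    }

    def hello_cipher_suites(record: bytes) -> list:
        """Cipher suites offered by a ClientHello or chosen by a ServerHello record."""
        if len(record) < 9 or record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
        hs = body[4:4 + hs_len]
        if len(hs) != hs_len:
            raise ValueError("truncated handshake message")
        pos = 2 + 32 + 1 + hs[34]          # skip version, random, session id
        if hs_type == 0x01:                # ClientHello carries a suite list
            n = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += 2
            return [struct.unpack("!H", hs[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
        if hs_type == 0x02:                # ServerHello carries the single chosen suite
            return [struct.unpack("!H", hs[pos:pos + 2])[0]]
        raise ValueError("not a Hello message")

    def export_suites_in(record: bytes) -> list:
        """Names of export-grade suites present in the record; non-empty means downgrade risk."""
        return [RSA_EXPORT_SUITES[s] for s in hello_cipher_suites(record) if s in RSA_EXPORT_SUITES]

    def build_hello(hs_type: int, suites: list) -> bytes:
        """Constructed TLS 1.0 Hello (zero random, empty session id) used as sample input."""
        cs = b"".join(struct.pack("!H", s) for s in suites)
        body = b"\x03\x01" + bytes(32) + b"\x00"
        if hs_type == 0x01:
            body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"
        else:
            body += cs + b"\x00"
        hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
        return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

    # Constructed samples: a ServerHello that picked 40-bit export RC4 (the downgrade
    # FREAK relies on) and a ClientHello that only offered modern suites.
    SERVER_DOWNGRADED = build_hello(0x02, [0x0003])
    CLIENT_MODERN = build_hello(0x01, [0xC02F, 0x002F])
    ```

    A ServerHello that returns a non-empty list, or a server that answers an export-only ClientHello at all, is the condition the patched OpenSSL and browser builds refuse.
    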
  11. The Real Jdbye

    The Real Jdbye Always Remember 30/07/08

    Member
    GBAtemp Patron
    12,286
    5,310
    Mar 17, 2010
    Norway
    Alola
    Carry on everyone, nothing to see here...
     
  12. FaTaL_ErRoR
    OP

    FaTaL_ErRoR AKA ŦƕƎ ƠṀƐƝ

    Member
    491
    346
    Mar 9, 2014
    United States
    Freak works very similar to heartbleed. Hell, if you are vulnerable to freak, chances are you are vulnerable to heartbleed as well.
    https://cve.mitre.org/news/
    And both of which can gain access to corrupt memory. So both can be very good for exploitation.

    And Marionumber1: Challenge accepted.
     
    DarkFlare69, Adr990 and NWPlayer123 like this.
  13. DarkFlare69

    DarkFlare69 GBAtemp Psycho!

    Member
    4,743
    2,601
    Dec 8, 2014
    United States
    Ohio
    Good luck
     
  14. Marionumber1

    Marionumber1 GBAtemp Maniac

    Member
    1,234
    3,933
    Nov 7, 2010
    United States
    I see nothing on that page which indicates FREAK can cause memory corruption...
     
  15. frogboy

    frogboy lacking both style and grace

    Member
    2,380
    1,419
    Dec 6, 2011
    United States
    Consider this thread watched.

    Either way, it'll be fun.

    EDIT: It really wasn't
     
    Last edited by frogboy, Jun 26, 2015
    VinsCool and loco365 like this.
  16. elgruntox

    elgruntox Newbie

    Newcomer
    6
    6
    Jun 6, 2015
    United States
    Heartbleed never led to corruption of memory; it was a purely read-only exploit due to the bad handling of a pointer that led to leaking of memory.

    I will paypal $100 to whoever uses heartbleed or freak to break the wii-u browser (and provides code of course). These are read only attacks.
     
    VinsCool likes this.
  17. FaTaL_ErRoR
    OP

    FaTaL_ErRoR AKA ŦƕƎ ƠṀƐƝ

    Member
    491
    346
    Mar 9, 2014
    United States
    My ass it didn't.
    And 5.4 updated the OpenSSL to no longer be vulnerable to freak attack. I know this because I updated one of my Wii U consoles to 5.4 and it is no longer vulnerable... (but that leaves me with a group combined of 22 consoles still on firmware ranging from 2.1 to 5.3). I wonder why it was updated if it's "read only". Fuck, how can it be read only when browsers and servers vulnerable to it can have the memory dumped?
    And if you can dump the memory you can get the keys. (Just because the worry was over server private keys doesn't mean other things' private keys aren't also a concern, and hell, I would be fine with getting the communication between the console and the update server.)
    I personally don't believe in coincidences: 1 mention of a freak attack and 24 hours later an update rolls out updating the very exploitable SSL.
    I'm still going to roll with this on a console that's still running 5.3.2 and see why this was updated.
     
  18. Marionumber1

    Marionumber1 GBAtemp Maniac

    Member
    1,234
    3,933
    Nov 7, 2010
    United States
    Nintendo updated the browser in general, it's not unreasonable that they would have updated its components along with it.

    And yet you still haven't shown anyone a single piece of evidence indicating that this is true.

    Yes, because Nintendo is watching GBATemp intently, sees an unverifiably-useful bug, and can roll out patches that quickly. Believing in coincidences is kind of necessary, by the way, because sometimes life is just like that.
     
    VinsCool likes this.
  19. VinsCool

    VinsCool Disgusted

    Member
    GBAtemp Patron
    11,976
    28,923
    Jan 7, 2014
    Canada
    An Alternate Reality
    Ohohoh, this is gonna be good.
     
    Retr0Capez likes this.
  20. yuyuyup

    yuyuyup GBAtemp Psycho!

    Member
    3,337
    774
    Apr 30, 2006
    United States
    USA MTN timezone
    Is the Wii U hacked yet?