It was only a matter of time until someone discovered an interesting vulnerability in the Xbox 360...
So, what is the cunning plan? Well, the designers of the Xbox 360 (which is, incidentally, PowerPC-based) went to extreme lengths to try to make it "unhackable" and chose a hypervisor design in which, unlike previous generations of gaming consoles, games no longer take over the system. There is a thin "operating system" which the games communicate with using a classic syscall ("excuse me Mr. kernel, could you please do something for me?").
Since everything goes via the syscall then, theoretically, all you need to do is armor the syscall to keep everything nice and secure.
Looks like the syscall implementation didn't adequately check the parameters being passed for correctness and consistency allowing a privilege escalation attack. As a matter of fact if you read the actual description you will notice that it is a subtle bug with one instruction in the validation path only looking at 32 bits of a 64-bit register with a subsequent instruction acting on all 64 bits.
Now for the good news: this has been patched since January 7th 2007.
Can an Internet-connected games console be an interesting addition to the available systems for a botnet? Difficult question to answer trivially: there are many parameters to the game.
On the one side you have low-latency high-speed DSL lines favoured by gamers but on the other side you have a totally novel operating system which you have to develop for not to mention the connection time of these systems. What are the chances of a games console being left on 24x7 compared to a home PC on a DSL link? So we are probably back to the old story of "return on investment": is it worth my while to develop a new engine and virus to go after the Xbox 360s? Probably not, there are still plenty of Windows systems which will do just fine.
A final note: if you are technically minded the vulnerability description is very well written and a fascinating read.
Mar 6th 2007
1 decade ago