Editing Vulnerabilities

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
This page lists vulnerabilities found in the original Sony PlayStation system software and hardware.
This page lists vulnerabilities found for the original Sony PlayStation. Here are display system flaws and userland flaws that are documented, exploited or not.
 
= PS Game Savedata =


=Savegames/Demos=
These flaws in this category are relatively easy to find and exploit. There is a write-up on finding these flaws [https://championleake.github.io/blog//PS1-StackSmashing/ here]
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
!  Game/Application name
!  Game/Application name
Vulnerability
Vuln/Flaw
!  Summary
!  Summary
!  Revisions
!  Revisions
Date of the discovery
Timeframe this vuln was discovered
Author of the discovery
Vuln discovered by
|-
| Brunswick Circuit Pro Bowling
| Stack Buffer Overflow via unchecked Custom Bowler Name length
| Brunswick Circuit Pro Bowling offers players to create their own bowlers in terms of physical appearances and names. The bowlers' name is limited up to 15 characters long. When the player wants to create name, it is copied to the stack, however the string length is not checked. With a very large string, one can overwrite the stack and take control of the return address '''($ra register)''' to eventually jump to unsigned code in the savegame.
| 1.0
| January 20th, 2019
| [[User:ChampionLeake|ChampionLeake]]
|-
|Brunswick Circuit Pro Bowling 2
|Stack Buffer Overflow via unchecked Custom Bowler Name length
|Same as Brunswick Circuit Pro Bowling exploit.
|1.0
|January 20th, 2019
|[[User:ChampionLeake|ChampionLeake]]
|-
|-
| Castlevania Chronicles
| Castlevania Chronicles
| Stack Buffer Overflow via unchecked Player Name length
| String Buffer overflow via unchecked profile name length
| The player name has a limit of 8 character strings to create a savedata slot (both original or arranged modes of the game). Since the string length is not checked, one can use a very large string to overwrite several stack registers including the return address '''($ra register)''' to eventually jump to unsigned code in the savegame.  
| The player name has a limit of 8 character strings to create a save-slot (Both original or arranged modes of the game). Since the string length/size is not checked, one can use a long excessive string(s) to overwrite several stack registers and take control of the '''''$ra(return address)''''' and then use it to jump to your region of custom code.  
| N/A
| N/A
| August 12th, 2018
| August 12th, 2018
| [[User:ChampionLeake|ChampionLeake]]
| [[User:ChampionLeake|ChampionLeake]]
|-
|-
|Castrol Honda Super Bike Racing
| Brunswick Circuit Pro Bowling 1 & 2
|
| Custom Bowler name stack smash
|
| Brunswick Circuit Pro Bowling offers players to create their own bowler in their own imaginations. The custom bowler name is limited up to 15 characters long. When the player wants to create name, it's copied to the stack, however the string length isn't checked. So with a very large string, one can overwrite the stack and take control of the return address'''($ra)''' and jump to your very own custom code.
|N/A
| 1.0
|?2022?
| January 20th, 2019
|?alex-free?
| [[User:ChampionLeake|ChampionLeake]]
|-
|Castrol Honda VTR
|
|Same as Castrol Honda Super Bike Racing exploit.
|N/A
|?2022?
|?alex-free?
|-
|Cool Boarders 4
|
|
|N/A
|?2022?
|?alex-free?
|-
|Crash Bandicoot 2: Cortex Strikes Back
|
|
|N/A
|?2022?
|?alex-free?
|-
|Crash Bandicoot 3: Warped
|
|Same as Crash Bandicoot 2: Cortex Strikes Back exploit.
|N/A
|?2022?
|?alex-free?
|-
|Dokiou-ki
|
|
|N/A
|?2022?
|?alex-free?
|-
|Downhill Snow
|
|
|N/A
|?2022?
|?alex-free?
|-
|Final Fantasy IX (Disc 1)
|
|
|N/A
|?2022?
|?alex-free?
|-
|Sports Superbike
|
| [https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html]
|N/A
|2014
|qwikrazor87 and Acid_snake
|-
| Sports Superbike 2
|
| Same as Sports Superbike exploit.
| N/A
| 2014
| qwikrazor87 and Acid_snake
|-
|-
| Tekken 2
| Tony Hawk Pro Skater 2
|
| Custom Skater name heap overflow
| [https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html]
| The player has the chance to create their own skater, their name is copied over the heap, however its length is not verified. With a large enough skater name, one can overwrite some ptrs and get control of the return address'''($ra)'''. One can trigger this overflow by selecting career mode and choosing to create a new career.
| N/A
| 2014
| qwikrazor87 and Acid_snake
|-
| Tekken 3
|
| Same as Tekken 2 exploit.
| N/A
| 2014
| qwikrazor87 and Acid_snake
|-
| Tony Hawk's Pro Skater 2
| Stack Buffer Overflow via unchecked Custom Skater name
| The player has the chance to create their own skater (physical appearance, skateboard, names, etc.). The skater name is copied to the stack, however the string length is not checked. With a large skater name, one can overwrite the stack and control the return address '''($ra register)''' to eventually jump to unsigned code in the savegame. One can trigger this overflow by selecting "Career Mode" and then selecting the "Create a new career" option.
| 1.0
| 1.0
| January 22nd, 2019
| January 22nd, 2019
| [[User:ChampionLeake|ChampionLeake]]
| [[User:ChampionLeake|ChampionLeake]]
|-
|Tony Hawk's Pro Skater 3
|
|Same as Tony Hawk's Pro Skater 2 exploit.
|N/A
|?2022?
|?alex-free?
|-
|Tony Hawk's Pro Skater 4
|
|Same as Tony Hawk's Pro Skater 2 exploit.
|N/A
|?2022?
|?alex-free?
|-
|The Legend of Heroes I & II: Eiyuu Densetsu
|
|
|N/A
|?2022?
|?alex-free?
|-
| XS Moto
|
| Same as Sports Superbike exploit.
| N/A
| 2014
| qwikrazor87 and Acid_snake
|}
|}


These flaws are relatively easy to find and exploit. There is a write-up on finding these flaws [https://championleake.github.io/blog//PS1-StackSmashing/ here].
=System/Hardware Flaws=
 
Flaws in this category are related to the system/hardware that holds and powers the Sony PlayStation.
See also [https://alex-free.github.io/tonyhax-international/save-game-exploit.html] and [https://github.com/alex-free/tonyhax/tree/master/entrypoints].
 
= System/Hardware =
 
These flaws are related to the system/hardware that holds and powers the Sony PlayStation.
 
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
!  Summary
!  Summary
Vulnerability
Vuln/Flaw
!  Documentation
!  Documentation
!  Revisions
!  Revisions
Date of the discovery
Timeframe this vuln was discovered
Author of the discovery
Vuln discovered by
|-
|-
| N/A
| N/A
Line 178: Line 53:
|}
|}


= Not Exploitable PS Game Savedata =
=Games already fuzzed(Useless Crashes)=
 
These are games that developers have fuzzed/researched trying to find bugs. Any useless crashes or games that don't crash at all go here. This is to inform users if a game is not exploitable.
These are games that developers have fuzzed or researched trying to find bugs. Any useless crashes or games that do not crash at all go here. This is to inform researchers which games have already been studied.
* Family Feud -- Using a large string for the family name doesn't seem to crash the game. In conclusion, the family name is not exploitable. (Researched by [[User:ChampionLeake|ChampionLeake]])
 
* Family Feud -- Using a large string for the family name does not seem to crash the game. In conclusion, the family name is not exploitable. (Researched by [[User:ChampionLeake|ChampionLeake]])
Please note that all contributions to PS1 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS1 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)
Retrieved from "http://www.psdevwiki.com/ps1/Vulnerabilities"