Vulnerabilities
Revision history shown on this page: edits by CelesteBlue (2 intermediate revisions by the same user not shown).
Latest revision as of 21:20, 8 October 2023
This page lists vulnerabilities found in the original Sony PlayStation system software and hardware.
PS Game Savedata
Game/Application name | Vulnerability | Summary | Game revision | Date of the discovery | Author of the discovery
---|---|---|---|---|---
Brunswick Circuit Pro Bowling | Stack Buffer Overflow via unchecked Custom Bowler Name length | Brunswick Circuit Pro Bowling lets players create their own bowlers, choosing both appearance and name. The bowler name is limited to 15 characters, but when a name is read it is copied onto the stack without its length being checked. A very long string therefore overwrites the stack frame, including the saved return address ($ra register), and can redirect execution to unsigned code stored in the savegame. | 1.0 | January 20th, 2019 | ChampionLeake
Brunswick Circuit Pro Bowling 2 | Stack Buffer Overflow via unchecked Custom Bowler Name length | Same as the Brunswick Circuit Pro Bowling exploit. | 1.0 | January 20th, 2019 | ChampionLeake
Castlevania Chronicles | Stack Buffer Overflow via unchecked Player Name length | The player name entered when creating a savedata slot (in both the original and arranged modes of the game) is limited to 8 characters. Since the string length is not checked, a very long string overwrites several saved registers on the stack, including the return address ($ra register), and can redirect execution to unsigned code in the savegame. | N/A | August 12th, 2018 | ChampionLeake
Castrol Honda Super Bike Racing | | | N/A | 2022 (unconfirmed) | alex-free (unconfirmed)
Castrol Honda VTR | | Same as the Castrol Honda Super Bike Racing exploit. | N/A | 2022 (unconfirmed) | alex-free (unconfirmed)
Cool Boarders 4 | | | N/A | 2022 (unconfirmed) | alex-free (unconfirmed)
Crash Bandicoot 2: Cortex Strikes Back | | | N/A | 2022 (unconfirmed) | alex-free (unconfirmed)
Crash Bandicoot 3: Warped | | Same as the Crash Bandicoot 2: Cortex Strikes Back exploit. | N/A | 2022 (unconfirmed) | alex-free (unconfirmed)
Dokiou-ki | | | N/A | 2022 (unconfirmed) | alex-free (unconfirmed)
Downhill Snow | | | N/A | 2022 (unconfirmed) | alex-free (unconfirmed)
Final Fantasy IX (Disc 1) | | | N/A | 2022 (unconfirmed) | alex-free (unconfirmed)
Sports Superbike | | Listed at https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html | N/A | 2014 | qwikrazor87 and Acid_snake
Sports Superbike 2 | | Same as the Sports Superbike exploit. | N/A | 2014 | qwikrazor87 and Acid_snake
Tekken 2 | | Listed at https://hackinformer.com/PlayStationGuide/PSV/_exploitgames.html | N/A | 2014 | qwikrazor87 and Acid_snake
Tekken 3 | | Same as the Tekken 2 exploit. | N/A | 2014 | qwikrazor87 and Acid_snake
Tony Hawk's Pro Skater 2 | Stack Buffer Overflow via unchecked Custom Skater name | The player can create their own skater (appearance, skateboard, name, etc.). The skater name is copied onto the stack without its length being checked, so a long name overwrites the stack frame and controls the return address ($ra register), redirecting execution to unsigned code in the savegame. The overflow is triggered by selecting "Career Mode" and then the "Create a new career" option. | 1.0 | January 22nd, 2019 | ChampionLeake
Tony Hawk's Pro Skater 3 | | Same as the Tony Hawk's Pro Skater 2 exploit. | N/A | 2022 (unconfirmed) | alex-free (unconfirmed)
Tony Hawk's Pro Skater 4 | | Same as the Tony Hawk's Pro Skater 2 exploit. | N/A | 2022 (unconfirmed) | alex-free (unconfirmed)
The Legend of Heroes I & II: Eiyuu Densetsu | | | N/A | 2022 (unconfirmed) | alex-free (unconfirmed)
XS Moto | | Same as the Sports Superbike exploit. | N/A | 2014 | qwikrazor87 and Acid_snake
These flaws are relatively easy to find and exploit: every documented case is a player-entered name that the game copies from the savegame into a fixed-size stack buffer without checking its length, so a crafted save overwrites the saved return address. There is a write-up on finding these flaws at https://championleake.github.io/blog//PS1-StackSmashing/. See also https://alex-free.github.io/tonyhax-international/save-game-exploit.html and the entrypoints collected at https://github.com/alex-free/tonyhax/tree/master/entrypoints.
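The pattern every documented row above shares, as an added example that is not code from this wiki, from the write-up linked above, or from any of the listed games: a C model of the name-copy routine. The stack frame is laid out as a byte array with the saved $ra slot directly above a 16-byte name buffer (15 characters plus NUL, following the Brunswick entry; the layout itself is an assumption), the unchecked copy that clobbers the slot, the payload constraint that follows from the copy stopping at the first NUL, and the bounds check that would have prevented it. The addresses 0x80012345 and 0x801F1234 are hypothetical and stand for nothing in any real game.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout assumed for illustration (not taken from any game binary):
 * a 16-byte name buffer (15 characters + NUL, the limit the Brunswick
 * entry quotes) placed directly below the slot where the function
 * prologue saved $ra. The epilogue reloads $ra from that slot and
 * executes "jr $ra", so whatever the copy leaves there becomes the PC. */
#define NAME_MAX   15
#define NAME_SIZE  (NAME_MAX + 1)
#define RA_OFFSET  NAME_SIZE
#define FRAME_SIZE (NAME_SIZE + 4)

/* Little-endian 32-bit load/store, matching the PS1's R3000 byte order. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void st32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;          p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);  p[3] = (uint8_t)(v >> 24);
}

/* The unchecked pattern the table describes: a strcpy-style loop that
 * copies the save's name field into the stack buffer until it sees a
 * NUL. The frame is modelled as a byte array so the demonstration stays
 * defined behaviour; the stop at FRAME_SIZE is the one thing the real
 * game does not have. Returns the value the epilogue would load into $ra. */
uint32_t load_name_unchecked(const char *save_field, uint32_t real_ra) {
    uint8_t frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    st32(frame + RA_OFFSET, real_ra);          /* prologue: sw $ra, 16($sp) */

    size_t i = 0;                              /* strcpy(name, save_field) */
    while (save_field[i] != '\0' && i < FRAME_SIZE) {
        frame[i] = (uint8_t)save_field[i];
        i++;
    }
    if (i < FRAME_SIZE)
        frame[i] = '\0';                       /* the terminator is written too */

    return le32(frame + RA_OFFSET);            /* epilogue: lw $ra, 16($sp); jr $ra */
}

/* Builds the name field that turns the unchecked copy into a jump to
 * `target`: 16 filler bytes fill the buffer, the next 4 land on the saved
 * $ra. Because the copy stops at the first NUL, the address must contain
 * no zero byte; for such targets nothing is written and -1 is returned. */
int build_name_payload(uint32_t target, char out[FRAME_SIZE + 1]) {
    uint8_t addr[4];
    st32(addr, target);
    for (int k = 0; k < 4; k++)
        if (addr[k] == 0)
            return -1;
    memset(out, 'A', NAME_SIZE);
    for (int k = 0; k < 4; k++)
        out[NAME_SIZE + k] = (char)addr[k];
    out[FRAME_SIZE] = '\0';
    return 0;
}

/* Hardened loader: look for the terminator within the buffer before
 * copying anything, and reject the save if it is not there. The saved
 * $ra is never touched. Returns 0 on success, -1 on rejection. */
int load_name_checked(const char *save_field, char out[NAME_SIZE]) {
    size_t n = 0;
    while (n < NAME_SIZE && save_field[n] != '\0')
        n++;
    if (n > NAME_MAX)
        return -1;                             /* no NUL within 16 bytes */
    memcpy(out, save_field, n);
    out[n] = '\0';
    return 0;
}

int main(void) {
    const uint32_t real_ra = 0x80012345u;      /* hypothetical caller address */
    char payload[FRAME_SIZE + 1];
    char name[NAME_SIZE];

    printf("legit name -> $ra = 0x%08x\n", load_name_unchecked("Bowler", real_ra));
    if (build_name_payload(0x801F1234u, payload) == 0)    /* hypothetical target */
        printf("long name  -> $ra = 0x%08x\n", load_name_unchecked(payload, real_ra));
    printf("checked load of payload: %d\n", load_name_checked(payload, name));
    return 0;
}
```

Two details the model makes visible. A name of exactly 16 characters does not reach the address bytes, yet the terminator the copy writes still zeroes the low byte of the saved $ra, which is why "one character too many" crashes a game even when it does not hand over control. And since the copy stops at the first NUL, a target address containing a zero byte cannot be delivered this way; on the real console the copy also does not stop at the end of the frame, so whatever sits above $ra is overwritten as well and has to be tolerated by the payload.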
System/Hardware
These flaws are in the system software and hardware of the Sony PlayStation itself rather than in an individual game. No entries have been recorded yet.

Summary | Vulnerability | Documentation | Revisions | Date of the discovery | Author of the discovery
---|---|---|---|---|---
N/A | N/A | N/A | N/A | N/A | N/A
Not Exploitable PS Game Savedata
These are games that researchers have fuzzed or otherwise studied while looking for bugs. Crashes that turned out not to be useful, and games that did not crash at all, are listed here so that other researchers know which games have already been examined.
- Family Feud -- Using a large string for the family name does not seem to crash the game, so the family name does not appear to be exploitable. (Researched by ChampionLeake)