Editing Vulnerabilities
Latest revision | Your text | ||
Line 170: | Line 170: | ||
!Vulnerability | !Vulnerability | ||
!Description | !Description | ||
! | !Revisions | ||
!Date of discovery | !Date of discovery | ||
!Discovered | !Discovered by | ||
|- | |- | ||
|Carol Vorderman's Sudoku | |Carol Vorderman's Sudoku | ||
Line 178: | Line 178: | ||
|The save data file stores plaintext profile and high-score names. One can use a large string to overwrite the stack and jump to unsigned code. | |The save data file stores plaintext profile and high-score names. One can use a large string to overwrite the stack and jump to unsigned code. | ||
This vulnerability is also present in the PSP version of the game. See the [https://github.com/ChampionLeake/SudokuSTACK PSP exploit]. | This vulnerability is also present in the PSP version of the game. See the [https://github.com/ChampionLeake/SudokuSTACK PSP exploit]. | ||
| | |N/A | ||
|December 2021 (2011-01-06 for PSP) | |December 2021 (2011-01-06 for PSP) | ||
|ChampionLeake for PS2, Jeerum for PSP | |ChampionLeake for PS2, Jeerum for PSP | ||
|- | |||
|Star Wars Racer Revenge | |||
|Stack-Smash via unchecked "Record Name" length | |||
|The game allows players to record their names when breaking lap records on a course. However when displaying the Hall of Fame, the size of the names are not checked. Using a very large name can overwrite addresses on the stack and gain control of $ra, which can be used to jump to unsigned code. | |||
|N/A | |||
|August 2023 | |||
|ChampionLeake | |||
|- | |- | ||
|OKAGE: Shadow King | |OKAGE: Shadow King | ||
|Stack Buffer | |Stack Buffer Oveflow via unchecked "Player/Town" name length | ||
|Successfully exploit through mast1c0re for the PS4/PS5. | |Successfully exploit through mast1c0re for the PS4/PS5. | ||
CTurt's Writeup: [https://cturt.github.io/mast1c0re.html Here] | CTurt's Writeup: [https://cturt.github.io/mast1c0re.html Here] | ||
McCaulay's Writeup: [https://mccaulay.co.uk/mast1c0re-introduction-exploiting-the-ps4-and-ps5-through-a-gamesave/?t=1 Here] | McCaulay's Writeup: [https://mccaulay.co.uk/mast1c0re-introduction-exploiting-the-ps4-and-ps5-through-a-gamesave/?t=1 Here] | ||
| | |N/A | ||
|September 14th, 2022 | |September 14th, 2022 | ||
|CTurt & McCaulay | |CTurt & McCaulay | ||
|} | |} | ||
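The three name-length entries in the table above share one bug pattern, so the following added C example (not code from any of the games or from the linked exploits) shows it once: the unchecked copy into a stack buffer, a bounded loader that rejects an over-long or unterminated save field instead of truncating it, and the cyclic-pattern trick used to work out which offset of an oversized name lands in $ra. NAME_MAX, the 32-byte save slot and all function names are assumptions made for illustration.

```c
/* Added example for the unchecked-name rows in the table above (Sudoku,
 * Star Wars Racer Revenge, OKAGE). Illustration only: not code from the
 * games or the linked exploits. NAME_MAX, the 32-byte save slot and the
 * function names are assumptions. */

#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed size of the on-stack name buffer */

/* VULNERABLE pattern: copy up to the NUL with no bound. A longer name runs
 * past name[] into the rest of the frame, including the saved return
 * address ($ra, spilled by the MIPS callee), which is how an oversized
 * name chooses where the function returns. Not exercised here. */
void show_record_unsafe(const char *saved_name)
{
    char name[NAME_MAX];
    strcpy(name, saved_name);            /* no length check */
    printf("Record holder: %s\n", name);
}

/* HARDENED loader: the slot is untrusted bytes. Require a terminator
 * inside it and reject what does not fit instead of truncating.
 * Returns 0 and fills `out` on success, -1 otherwise. */
int load_record_name(const uint8_t *slot, size_t slot_len,
                     char *out, size_t out_len)
{
    size_t n = 0;
    while (n < slot_len && slot[n] != '\0')
        n++;
    if (n == slot_len || n >= out_len)   /* unterminated, or no room */
        return -1;
    memcpy(out, slot, n);
    out[n] = '\0';
    return 0;
}

/* Cyclic pattern ("Aa0Aa1Aa2..."): every 4-byte window is unique for the
 * first 20280 bytes, so the value left in $ra at the crash identifies the
 * offset of the name that reached the return address. Returns the length. */
size_t pattern_create(char *buf, size_t len)
{
    size_t i = 0;
    for (char a = 'A'; a <= 'Z' && i < len; a++)
        for (char b = 'a'; b <= 'z' && i < len; b++)
            for (char c = '0'; c <= '9' && i < len; c++) {
                const char tri[3] = { a, b, c };
                for (int k = 0; k < 3 && i < len; k++)
                    buf[i++] = tri[k];
            }
    buf[i] = '\0';
    return i;
}

/* Find a register value in the pattern. The PS2's EE is little-endian,
 * so the word is assembled that way. Returns the offset or -1. */
long pattern_offset(const char *pat, size_t len, uint32_t ra)
{
    for (size_t k = 0; k + 4 <= len; k++) {
        const uint8_t *p = (const uint8_t *)pat + k;
        uint32_t v = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        if (v == ra)
            return (long)k;
    }
    return -1;
}

/* Scenario helpers over constructed save slots; results are returned, not printed. */
int check_normal_name(void)          /* 0 = accepted and intact */
{
    uint8_t slot[32] = "Jeerum";     /* constructed slot */
    char name[NAME_MAX];
    if (load_record_name(slot, sizeof slot, name, sizeof name) != 0)
        return 1;
    return strcmp(name, "Jeerum") != 0;
}
int check_oversized_name(void)       /* 31 'A's + NUL: expect -1 */
{
    uint8_t slot[32]; char name[NAME_MAX];
    memset(slot, 'A', 31); slot[31] = '\0';
    return load_record_name(slot, sizeof slot, name, sizeof name);
}
long check_pattern_offset(uint32_t ra)   /* ra = value seen at the crash */
{
    char pat[256];
    size_t n = pattern_create(pat, 200);
    return pattern_offset(pat, n, ra);
}

int main(void)
{
    printf("normal: %d  oversized: %d\n", check_normal_name(), check_oversized_name());
    /* $ra == 0x41336241 is "Ab3A" little-endian: offset 39 of the name. */
    printf("offset of 0x41336241 in pattern: %ld\n", check_pattern_offset(0x41336241u));
    return 0;
}
```

The offset reported by pattern_offset is the number of name bytes before the four that end up in $ra, which is the value to pad with before placing the address of the unsigned code. The pattern uses only printable ASCII, so it survives the plaintext name fields the table describes.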
=== Confirmed vulnerable games === | === Confirmed vulnerable games === | ||
==== OKAGE: Shadow King ==== | ==== OKAGE: Shadow King ==== | ||
Line 320: | Line 299: | ||
* When using a save data that was badly hand-modified to unlock every characters and circuits, a bug can occur in the record page: only one of the pages can be accessed. Pressing left or right to change track page makes sound but remains on this page. | * When using a save data that was badly hand-modified to unlock every characters and circuits, a bug can occur in the record page: only one of the pages can be accessed. Pressing left or right to change track page makes sound but remains on this page. | ||
==== GTA III | ==== GTA III ==== | ||
* [https://github.com/halpz/re3/blob/9a7fa478578beaba947ea867c15a25e411d641d8/src/save/MemoryCard.cpp#L358 vulnerability] | * [https://github.com/halpz/re3/blob/9a7fa478578beaba947ea867c15a25e411d641d8/src/save/MemoryCard.cpp#L358 vulnerability] | ||
The game does a copy from the memory card into a fixed-size buffer with size supplied by the savedata. | The game does a copy from the memory card into a fixed-size buffer with size supplied by the savedata. | ||
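As an added illustration of the pattern just described (not code from the game or from re3, whose MemoryCard.cpp is linked above), the following C example contrasts a loader that trusts the size field in the save with one that checks that size against both the destination buffer and the bytes actually present in the image. The 4-byte little-endian size header, BLOCK_BUF and the function names are assumptions.

```c
/* Added example for the GTA III entry: a loader that takes the copy size
 * from the save itself. Not code from the game or from re3; the block
 * layout (4-byte little-endian size, then payload) and BLOCK_BUF are
 * assumptions for illustration. */

#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_BUF 64   /* assumed fixed-size destination buffer */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8
         | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* VULNERABLE pattern: the size field decides how much is copied into a
 * fixed buffer. A save declaring size > BLOCK_BUF writes past `dst`.
 * Shown for contrast only; never exercised with bad input here. */
uint32_t load_block_unsafe(const uint8_t *save, uint8_t dst[BLOCK_BUF])
{
    uint32_t size = rd32le(save);
    memcpy(dst, save + 4, size);          /* attacker-chosen length */
    return size;
}

/* HARDENED: the declared size must fit the destination AND be backed by
 * bytes actually present in the image. Returns bytes copied or -1. */
long load_block(const uint8_t *save, size_t save_len,
                uint8_t *dst, size_t dst_len)
{
    if (save_len < 4)
        return -1;                        /* truncated header */
    uint32_t size = rd32le(save);
    if (size > dst_len)
        return -1;                        /* would overflow dst */
    if (size > save_len - 4)
        return -1;                        /* would read past the image */
    memcpy(dst, save + 4, size);
    return (long)size;
}

/* Build a constructed block whose declared size may disagree with the
 * payload actually appended. Returns the image length. */
size_t make_block(uint8_t *out, uint32_t declared,
                  const uint8_t *payload, size_t payload_len)
{
    out[0] = (uint8_t)declared;
    out[1] = (uint8_t)(declared >> 8);
    out[2] = (uint8_t)(declared >> 16);
    out[3] = (uint8_t)(declared >> 24);
    memcpy(out + 4, payload, payload_len);
    return 4 + payload_len;
}

/* Drive one scenario: declared size vs. real payload length (max 256). */
long try_load(uint32_t declared, size_t payload_len)
{
    uint8_t payload[256];
    uint8_t image[4 + 256];
    uint8_t dst[BLOCK_BUF];
    memset(payload, 0x5a, sizeof payload);          /* constructed data */
    size_t len = make_block(image, declared, payload, payload_len);
    return load_block(image, len, dst, sizeof dst);
}

int main(void)
{
    printf("honest 16-byte block:        %ld\n", try_load(16, 16));
    printf("exactly fills the buffer:    %ld\n", try_load(64, 64));
    printf("declares 0x1000, has 16:     %ld\n", try_load(0x1000, 16));
    printf("declares 65 (buffer is 64):  %ld\n", try_load(65, 65));
    printf("declares 16, only 8 present: %ld\n", try_load(16, 8));
    return 0;
}
```

The second check matters as much as the first: a size that fits the buffer but exceeds the data present turns the copy into an over-read of whatever follows the image in memory, which is a separate bug from the stack or heap overwrite the table is concerned with.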
==== Dark Cloud 1 and 2 ==== | ==== Dark Cloud 1 and 2 ==== | ||
Line 392: | Line 323: | ||
Dark Cloud 2 uses a scripting engine described [https://tcrf.net/User:Kojin/Dark_Cloud_2_Technical_Information#Scripting_Engine here]. | Dark Cloud 2 uses a scripting engine described [https://tcrf.net/User:Kojin/Dark_Cloud_2_Technical_Information#Scripting_Engine here]. | ||
==== Soul Calibur III ==== | ==== Soul Calibur III ==== | ||
Line 409: | Line 338: | ||
https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3 | https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3 | ||
=== Possible vulnerable games === | |||
==== Jak X: Combat Racing ==== | |||
There is a bug with the autosave feature that corrupts save data on memory card. It was fixed in the Platinum version of the game. | |||
https://gamefaqs.gamespot.com/boards/927166-jak-x-combat-racing/41999721 | |||
There is a bug, at least in PCSX2, where when starting the game for the first time and creating a new profile, the game freezes on the memory card saving screen. The save data is however well written and on next tries the game can be played as the save is correctly loaded. | |||
https://github.com/PCSX2/pcsx2/issues/6935 | |||
Profile name is limited to 12 characters by keyboard. The game displays up to ?32? characters and the profile name can be extended by editing saveX-Y-0000000Z.bin in the PSU savedata file. Extending profile name does not create any buffer overflow. The strings in the center of the saveX-Y-0000000Z.bin file cannot be edited for an unknown reason, else the game loops infinitely on the save data loading screen. | |||
==== Metal Gear Solid 3: Subsistence ==== | ==== Metal Gear Solid 3: Subsistence ==== | ||
Line 431: | Line 374: | ||
==== All FIFA games ==== | ==== All FIFA games ==== | ||
FIFA06, FIFA08, FIFA Street 2 are vulnerable on Nintendo DS. See [https://github.com/CTurt/Dara DARA by CTurt]. | FIFA06, FIFA08, FIFA Street 2 are vulnerable on Nintendo DS. See [https://github.com/CTurt/Dara|DARA by CTurt]. | ||
Moreover, a lot of Electronics Arts games are vulnerable on PSP. | Moreover, a lot of Electronics Arts games are vulnerable on PSP. |