Bugs & Vulnerabilities

From PS3 Developer wiki
Jump to: navigation, search

Contents

Unknown / unpatched[edit]

Webkit buffer overflow[edit]

Not Patched

RSX VRAM Access[edit]

Not Patched

Memory corruption and NULL pointer in Unreal Tournament III 1.2[edit]

unsure if it applies to PS3

MacOS X 10.5/10.6 libc/strtod(3) buffer overflow[edit]

unsure if it applies to PS3

OpenPrinter() stack-based buffer overflow[edit]

Patched: ?

DOM flaw[edit]

http://seclists.org/fulldisclosure/2009/Jul/299

Patched: ?

PS3xploit Kernel Exploit[edit]

Unpatched: To be disclosed.

Leakage of PTCH body plaintext over SPI on all BGA SYSCONs[edit]

When reading the body via the EEPROM read command, in all cases, the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface. Note that this ONLY happens when SC interacts with patch body and some specific areas.

Examples[edit]

MISO[edit]
04 C8 34 30 BD E4 9F 27 16 DE 5C C1 E7 A3 DA 9C 
7F 5B 29 9A 5A 48 5C 14 ED B2 DE 28 84 43 68 82 
98 87 4E D4 62 51 01 A9 24 34 02 B3 FF 26 63 17 
77 8E 95 56 B1 5F 9F 22 93 46 DE 4E 3A 5E 8A D3
MOSI[edit]
3C 3A 04 3F 25 A6 68 09 02 00 04 00 00 00 00 00 (0x26B0)
3C 3A 04 3F 71 AD 00 00 09 00 00 00 00 00 00 00 (0x26C0)
3C 3A 04 3F 8E D5 75 0D 00 00 00 00 00 00 00 00 (0x26D0)
3C 3A 04 3F 80 86 48 0B 0B 00 03 00 00 00 00 00 (0x26E0)

Patched[edit]

Lv2 sys_fs_mount stack overflow[edit]

Stack buffer overflow with required privileges when passing a length greater than 10. It now checks for length less than or equal to 10. If larger than 10, the length gets set to 10.

Patched: sometime before 4.40 (only fw I checked)

RSX Syscall bug[edit]

In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.
however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory.

Patched: 4.40

Lv2 sys_prx_register_module stack overflow[edit]

Stack buffer overflow which is fixed around 4.3x or 4.4x. Does not require any privileges.

Lv2 578 Syscall stack overflow[edit]

Stack buffer overflow which is fixed around 4.3x or 4.4x. Requires root privileges. Syscall is compiled with stack cookies.

Patched: 4.4x

AES CTR vulnerability on SELFs (and ebootroms maybe?)[edit]

Sometimes SCE reused the same AES CTR keys and IVs in different Certified Files.

See also [6].

Patched: since PSVita prototype FWs as their Certified Files don't use AES CTR but instead AES CBC.

Maybe not patched on ebootroms.

PARAM.SFO stack-based buffer overflow[edit]

Patched: since 2012-05-01 (4.40 and later)

Proof of Concept[edit]

Unsigned code can be added to the PARAM.SFO because the console does not recognize special characters.

Working on 4.31. Patched: since 2012-05-01 (4.40 and later).

PoC: PARAM.SFO

PSF�� Ä @� � � � � � ��� � � � ��� � � � ��h � � % � � � �� , � � � �� 4
��� �
$� C ��� @ (� V ��� � h� j ��
€ p� t ��� € ð�
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE
TITLE
40ac78551a88fdc
SD
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]

Hackizeit: 1:33:07

ExpSkills: VL-LAB-TRAINING

Operation: 1%
Trojaners: 0%
... Õõ~\˜òíA×éú�;óç� 40ac78551a88fdc
...
BLES00371-NARUTO_STORM-0
HACKINGBKM 1
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];

AVP patch bypass exploit[edit]

Patched: since 3.70 and later.

PSN security intrusion[edit]

Patched: since 3.61 enforced password change

Sony PSN Account Service - Password Reset Vulnerability[edit]

Patched: since 2012-05-01

ECDSA private key non-random fail[edit]

See fail0verfl0w talk.

Patched: since 3.56

JIG downgrade[edit]

Patched: since 3.56

USB config heap-based buffer overflow (PSjailbreak/PSGroove)[edit]

Patched: since 3.42 and later

Leap year bug[edit]

Patched: since 3.40 and later

MP4 vulnerability[edit]

Patched: since 3.21 and later

Playback of Cinavia DRM protected titles[edit]

Patched: since 3.10 and later

Open Remote Play[edit]

Patched: since 2.80 and later

BD-J homebrew[edit]

Patched: since 2.50 and later

System Software Downgrade with hardware flasher[edit]

See also: Downgrading with Hardware flasher.

Patched: since 2.20 and later (by adding CoreOS hashing in Syscon to be checked by hypervisor; worked around by patching hypervisor on 3.56 and lower capable consoles).

Full RSX access in OtherOS[edit]

Patched: since 2.10 and later

Web browser DoS via a large integer value for the length property of a Select object[edit]

Patched: since 4 sept 2009

Remote Play UDP packets DoS[edit]

Affected: 2.10 and PSP 3.10 OE-A

Patched: since 13 nov 2008

Resistance: Fall of Man network update exploit[edit]

Patched

Warhawk network update exploit[edit]

Patched

Game Bugs patched via Firmware[edit]

Afro Samurai Black Screen[edit]

Black screen as a failed attempt to call:

cellAudioOutConfigure
cellSysutilAvconfExt_FA611DF4

Occours in Firmware 3.01

BLUS30264
NPUB90215
BLES00516
In order to correct this problem start up your Playstation 3 system and while on the XMB (Cross Media Bar/System Menu)
go to "Settings" and select "Sound Settings" from here select "Audio Multi-Output" and set this option to "OFF". 
You should be able to play the Afro Samurai Demo or update the retail game properly to the latest patch after this.

Source: [11]

Patched: in Firmware (VSH) since (unknown)

It's not a bug! It's a scekrit feature![edit]

Renesas verify function works on 4 byte values in All renesas/nec SysCon chips[edit]

All nec/renesas syscon chips has their verify function working for a 4 byte array but 256 byte size, increasing the probability of finding the correct bytes as opposed to the intended 256 bytes

(Universal) Renesas checksum function works on 256 byte values (ALL SYSCON CHIPS, stock, psp, vita, ps3, ps4)[edit]

renesas checksum feature works on 256 byte values instead of the intended block size, which means glitching could be done in a narrower margin, making the efforts a lot easier. it is also possible to identify 256 byte constants contiguous to eachother by their checksums