Editing Bugs & Vulnerabilities
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
== Unknown / unpatched == | == Unknown / unpatched == | ||
=== | === Webkit buffer overflow === | ||
http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28458 | |||
<br> | |||
Not Patched | |||
=== RSX VRAM Access === | === RSX VRAM Access === | ||
http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28421 | |||
<br> | |||
Not Patched | |||
Not Patched | |||
=== Memory corruption and NULL pointer in Unreal Tournament III 1.2 === | === Memory corruption and NULL pointer in Unreal Tournament III 1.2 === | ||
http://cxsecurity.com/issue/WLB-2008070060 | |||
unsure if applies to PS3? | |||
=== MacOS X 10.5/10.6 libc/strtod(3) buffer overflow === | === MacOS X 10.5/10.6 libc/strtod(3) buffer overflow === | ||
http://cxsecurity.com/issue/WLB-2010010162 | |||
unsure if applies to PS3? | |||
=== OpenPrinter() stack-based buffer overflow === | === OpenPrinter() stack-based buffer overflow === | ||
http://seclists.org/fulldisclosure/2007/Jan/474 | |||
Patched: ? | |||
=== DOM flaw === | === DOM flaw === | ||
http://seclists.org/fulldisclosure/2009/Jul/299 | http://seclists.org/fulldisclosure/2009/Jul/299 | ||
Patched: ? | |||
=== | === Kernel Exploit === | ||
Unpatched: To be disclosed. | |||
==== | === Leakage of PTCH body plaintext over SPI on some BGA SYSCONs === | ||
When reading the body via the EEPROM read command, in some cases (like DEB-001), the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface. | |||
When reading the body via the EEPROM read command, in | |||
== Patched == | == Patched == | ||
=== Lv2 sys_fs_mount stack overflow === | === Lv2 sys_fs_mount stack overflow === | ||
Stack buffer overflow with required priveleges when passing a length greater than 10. It now checks for length less than or equal to 10. If larger than 10, the length gets set to 10.<br> | |||
Stack buffer overflow with required | https://nwert.wordpress.com/2012/09/19/exploiting-lv2/ <br> | ||
http://pastie.org/4755699 <br> | |||
Patched: sometime before [[4.40_CEX|4.40]] (only fw I checked) | Patched: sometime before [[4.40_CEX|4.40]] (only fw I checked) | ||
=== RSX Syscall bug === | === RSX Syscall bug === | ||
In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.<br> however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory. | In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.<br> however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory. | ||
Patched: [[4.40_CEX|4.40]] | Patched: [[4.40_CEX|4.40]] | ||
=== | === CTR bugs on SELFs (and ebootroms maybe?) === | ||
http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption CTR bugs on SELFs | |||
Patched: since Vita pre-retail [http://www.vitadevwiki.com/index.php?title=00.996.090_DEX 0.9.9.6] (SELFs, should match with ps3 firmware at release date), unknown (ebootroms) | |||
Patched: | |||
=== PARAM.SFO stack-based buffer overflow === | === PARAM.SFO stack-based buffer overflow === | ||
http://seclists.org/fulldisclosure/2013/May/113 | |||
Patched: since 2012-05-01 ([[4.40_CEX|4.40]] and later) | Patched: since 2012-05-01 ([[4.40_CEX|4.40]] and later) | ||
Line 153: | Line 65: | ||
==== Proof of Concept ==== | ==== Proof of Concept ==== | ||
Unsigned code can be added to the [[PARAM.SFO]] because the console does not recognize special characters | Unsigned code can be added to the [[PARAM.SFO]] because the console does not recognize special characters | ||
http://www.exploit-db.com/exploits/25718/ | |||
Working on [[4.31_CEX|4.31]] | Working on [[4.31_CEX|4.31]], Patched: since 2012-05-01 ([[4.40_CEX|4.40]] and later) | ||
PoC: PARAM.SFO | PoC: PARAM.SFO | ||
Line 186: | Line 98: | ||
=== AVP patch bypass exploit === | === AVP patch bypass exploit === | ||
Patched: since [[3.70_CEX|3.70]] and later | Patched: since [[3.70_CEX|3.70]] and later | ||
=== PSN security intrusion === | === PSN security intrusion === | ||
Line 193: | Line 105: | ||
=== Sony PSN Account Service - Password Reset Vulnerability === | === Sony PSN Account Service - Password Reset Vulnerability === | ||
http://www.vulnerability-lab.com/get_content.php?id=740 | |||
Patched: since 2012-05-01 | Patched: since 2012-05-01 | ||
=== | === Private key nonrandom fail === | ||
Patched: since [[3.56-1 CEX|3.56]] | Patched: since [[3.56-1 CEX|3.56]] | ||
Line 232: | Line 141: | ||
Patched: since [[2.50_CEX|2.50]] and later | Patched: since [[2.50_CEX|2.50]] and later | ||
=== | === Downgrading with Hardware flasher === | ||
See also: [[Downgrading with Hardware flasher]] | |||
See also: [[Downgrading with Hardware flasher]] | |||
Patched: since [[2.20_CEX|2.20]] and later (by adding [[CoreOS]] hashing in [[Syscon Hardware|Syscon]] to be checked by [[Hypervisor Reverse Engineering|hypervisor]]; worked around by patching hypervisor on [[3.56-1 CEX|3.56]] and lower capable consoles) | Patched: since [[2.20_CEX|2.20]] and later (by adding [[CoreOS]] hashing in [[Syscon Hardware|Syscon]] to be checked by [[Hypervisor Reverse Engineering|hypervisor]]; worked around by patching hypervisor on [[3.56-1 CEX|3.56]] and lower capable consoles) | ||
=== Full RSX access in OtherOS === | === Full RSX access in OtherOS === | ||
Line 243: | Line 151: | ||
=== Web browser DoS via a large integer value for the length property of a Select object === | === Web browser DoS via a large integer value for the length property of a Select object === | ||
http://www.cvedetails.com/cve/CVE-2009-2541/ | |||
Patched: since 4 sept 2009 | Patched: since 4 sept 2009 | ||
=== Remote Play UDP packets DoS === | === Remote Play UDP packets DoS === | ||
http://www.cvedetails.com/cve/CVE-2007-1728/ / http://cxsecurity.com/issue/WLB-2007030183 | |||
Affected: [[1.60_CEX|2.10]] and PSP 3.10 OE-A | Affected: [[1.60_CEX|2.10]] and PSP 3.10 OE-A | ||
Line 263: | Line 169: | ||
Patched | Patched | ||
=== Game Bugs patched via Firmware === | === Game Bugs patched via Firmware === | ||
Line 276: | Line 183: | ||
NPUB90215 | NPUB90215 | ||
BLES00516 | BLES00516 | ||
In order to correct this problem start up your Playstation 3 system and while on the XMB (Cross Media Bar/System Menu) | In order to correct this problem start up your Playstation 3 system and while on the XMB (Cross Media Bar/System Menu) | ||
Line 281: | Line 189: | ||
You should be able to play the Afro Samurai Demo or update the retail game properly to the latest patch after this. | You should be able to play the Afro Samurai Demo or update the retail game properly to the latest patch after this. | ||
Source: | Source: http://support.bandainamcogames.com/index.php?/Knowledgebase/Article/View/216/233/afro-samurai-why-doesnt-my-game-start-up-ps3-only | ||
Patched: in Firmware ([[VSH]]) since (unknown) | |||
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> | {{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> |