Editing Bugs & Vulnerabilities

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
== Unknown / unpatched ==
== Unknown / unpatched ==


=== WebKit parseFloat() type confusion leading to stack buffer overflow ===
=== Webkit buffer overflow ===


==== Credits ====
* [http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28458]
* Zuk Avraham
* TODO


==== Bug Description ====
Not Patched
When inserting NaN with a parameter as an argument into parseFloat(), we can overflow the tiny buffer created by parseFloat().
 
==== Analysis ====
* [https://web.archive.org/web/20210521110132/https://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?tab=comments#comment-28458 WebKit PoC for PS3 released by xerpi through zecoxao in Playstationhax.xyz forum (2016-03-24)]
 
==== Implementation ====
* [https://github.com/PS3Xploit/PS3HEN PS3HEN on PS3 by the PS3Xploit team]
* [https://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html Writeup and PoC on Android 2.1 by Zuk Avraham]
 
==== Patched ====
Patched on PS3 FW 4.83. Remains exploitable on higher firmwares by installing old WebKit sprx files in hybrid PUP.
 
=== WebKit CSS font face source type confusion leading to read primitive ===
 
==== Credits ====
TODO
 
==== Bug Description ====
While parsing the source of a CSS font face, CSSParser::parseFontFaceSrc() assumes the value given is a string, but if we insert a specific double value into an exploitable function like insert() or format(), we can leak the memory via an overlap between two variables.
 
==== Implementation ====
* [https://github.com/PS3Xploit/PS3HEN PS3HEN on PS3 by the PS3Xploit team]
* [https://code.google.com/p/chromium/issues/detail?id=63866] initial bug report
 
==== Patched ====
Patched on PS3 FW 4.83. Remains exploitable on higher firmwares by installing old WebKit sprx files in hybrid PUP.


=== RSX VRAM Access ===
=== RSX VRAM Access ===


* [https://web.archive.org/web/*/http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28421]
* [http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28421]


==== Patched ====
Not Patched
Not Patched.


=== Memory corruption and NULL pointer in Unreal Tournament III 1.2 ===
=== Memory corruption and NULL pointer in Unreal Tournament III 1.2 ===
Line 46: Line 17:
* [http://cxsecurity.com/issue/WLB-2008070060]
* [http://cxsecurity.com/issue/WLB-2008070060]


Unsure if it applies to PS3.
unsure if it applies to PS3


=== MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ===
=== MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ===
Line 52: Line 23:
* [http://cxsecurity.com/issue/WLB-2010010162]
* [http://cxsecurity.com/issue/WLB-2010010162]


Unsure if it applies to PS3.
unsure if it applies to PS3


=== OpenPrinter() stack-based buffer overflow ===
=== OpenPrinter() stack-based buffer overflow ===
Line 58: Line 29:
* [http://seclists.org/fulldisclosure/2007/Jan/474]
* [http://seclists.org/fulldisclosure/2007/Jan/474]


==== Patched ====
Patched: ?
?patched?


=== DOM flaw ===
=== DOM flaw ===
Line 65: Line 35:
http://seclists.org/fulldisclosure/2009/Jul/299
http://seclists.org/fulldisclosure/2009/Jul/299


==== Patched ====
Patched: ?
?patched?
 
=== PS3Xploit Kernel Exploit ===
 
==== Credits ====
* Team PS3Xploit
* TODO


==== Bug description ====
=== PS3xploit Kernel Exploit ===
To be disclosed.


==== Implementation ====
Unpatched: To be disclosed.
* [https://github.com/PS3Xploit/PS3HEN PS3HEN on PS3 by the PS3Xploit team]
 
==== Patched ====
Not patched as of PS3 FW 4.90.


=== Leakage of PTCH body plaintext over SPI on all BGA SYSCONs ===
=== Leakage of PTCH body plaintext over SPI on all BGA SYSCONs ===
Line 126: Line 84:


Stack buffer overflow which is fixed around 4.3x or 4.4x. Does not require any privileges.
Stack buffer overflow which is fixed around 4.3x or 4.4x. Does not require any privileges.
=== Lv2 578 Syscall stack overflow ===
Stack buffer overflow which is fixed around 4.3x or 4.4x. Requires root privileges. Syscall is compiled with stack cookies.


Patched: [[4.4x_CEX|4.4x]]
Patched: [[4.4x_CEX|4.4x]]
Line 135: Line 89:
=== AES CTR vulnerability on SELFs (and ebootroms maybe?) ===
=== AES CTR vulnerability on SELFs (and ebootroms maybe?) ===


Sometimes SCE reused the same AES CTR keys and IVs in different [[Certified File|Certified Files]].
Sometimes SCE reused the same AES CTR keys and IVs in different [[Certified Files]].


See also [http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption].
See also [http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption].


See also [https://wiki.henkaku.xyz/vita/Vulnerabilities#AES_CTR_IV_reused_in_some_Certified_Files].
Patched: since PSVita prototype FWs as their [[Certified Files]] don't use AES CTR but instead AES CBC.


Patched: since some PS Vita prototype FWs as their [[Certified File|Certified Files]] started having always different IVs.
Maybe not patched on ebootroms.
 
Maybe not patched on PS3 ebootroms.


=== PARAM.SFO stack-based buffer overflow ===
=== PARAM.SFO stack-based buffer overflow ===
Line 283: Line 235:
Source: [http://support.bandainamcogames.com/index.php?/Knowledgebase/Article/View/216/233/afro-samurai-why-doesnt-my-game-start-up-ps3-only]
Source: [http://support.bandainamcogames.com/index.php?/Knowledgebase/Article/View/216/233/afro-samurai-why-doesnt-my-game-start-up-ps3-only]


Patched: in ([[VSH]]) since (unknown)
Patched: in Firmware ([[VSH]]) since (unknown)
 
== It is not a bug! It is a scekrit feature! ==
 
=== Renesas verify function works on 4 byte values in All renesas/nec SysCon chips ===
 
All NEC/Renesas syscon chips have their verify function working for a 4 byte array but 256 byte size, increasing the probability of finding the correct bytes as opposed to the intended 256 bytes.
 
=== (Universal) Renesas checksum function works on 256 byte values (ALL SYSCON CHIPS, stock, PSP, PS Vita, PS3, PS4) ===


Renesas checksum feature works on 256 byte values instead of the intended block size, which means glitching could be done in a narrower margin, making the efforts a lot easier. it is also possible to identify 256 byte constants contiguous to each other by their checksums.


{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)