Editing Vulnerabilities

== Unknown / unpatched ==

=== Hypervisor HTAB glitch ===

==== Credits ====
* geohot (2009-2011) for initial HTAB glitch
* xorloser (2009-2010) for XorHack and XorHack v2.0
* zecoxao (2023) for some tests and writeups
* Kafuu / aomsin2526 (2025) for reimplementation on recent hardware (superslim PS3) and software (4.92) revisions

==== Bug Description ====

See also the [[SPU LS Overflow Exploit]].

==== Analysis ====
* [https://www.psx-place.com/threads/using-hen-with-geohots-dangling-htab-glitch.39364/]
* [https://www.cs.cmu.edu/~dst/GeoHot/ geohot's archives]
* [https://web.archive.org/web/20100218142902/https://geohotps3.blogspot.com/2010/02/on-isolated-spus.html geohot's blog]
* [https://web.archive.org/web/20190624102738/http://xorloser.com/ xorloser's blog]
* [https://web.archive.org/web/20190127185922/http://xorloser.com/blog/wp-content/uploads/2010/03/xorhack.zip xorhack.zip by xorloser]
* [https://web.archive.org/web/20190118100330/http://xorloser.com/?p=254 XorHack: The PS3 Exploit Toolkit by xorloser]
* [https://web.archive.org/web/20190118100410/http://xorloser.com/?p=297 XorHack v2.0: The Updated PS3 Exploit Toolkit by xorloser]

==== Implementation ====
* [https://github.com/aomsin2526/BadHTAB BadHTAB PS3 GameOS Implementation of geohot's hypervisor HTAB glitch exploit by aomsin2526]

==== Patched ====
Not patchable because it is a hardware vulnerability.

=== WebKit parseFloat() type confusion leading to stack buffer overflow ===

==== Credits ====
* Zuk Avraham
* TODO

==== Bug Description ====
When inserting NaN with a parameter as an argument into parseFloat(), we can overflow the tiny buffer created by parseFloat().

==== Analysis ====
* [https://web.archive.org/web/20210521110132/https://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?tab=comments#comment-28458 WebKit PoC for PS3 released by xerpi through zecoxao in Playstationhax.xyz forum (2016-03-24)]

==== Implementation ====
* [https://github.com/PS3Xploit/PS3HEN PS3HEN on PS3 by the PS3Xploit team]
* [https://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html Writeup and PoC on Android 2.1 by Zuk Avraham]

==== Patched ====
Patched on PS3 FW 4.83. Remains exploitable on higher firmwares by installing old WebKit sprx files in hybrid PUP.

=== WebKit CSS font face source type confusion leading to read primitive ===

==== Credits ====
TODO

==== Bug Description ====
While parsing the source of a CSS font face, CSSParser::parseFontFaceSrc() assumes the value given is a string, but if we insert a specific double value into an exploitable function like insert() or format(), we can leak the memory via an overlap between two variables.

==== Implementation ====
* [https://github.com/PS3Xploit/PS3HEN PS3HEN on PS3 by the PS3Xploit team]
* [https://code.google.com/p/chromium/issues/detail?id=63866] initial bug report

==== Patched ====
Patched on PS3 FW 4.83. Remains exploitable on higher firmwares by installing old WebKit sprx files in hybrid PUP.

=== RSX VRAM Access ===

* [https://web.archive.org/web/*/http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28421]

==== Patched ====
Not Patched.

=== Memory corruption and NULL pointer in Unreal Tournament III 1.2 ===

* [http://cxsecurity.com/issue/WLB-2008070060]

Unsure if it applies to PS3.

=== MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ===

* [http://cxsecurity.com/issue/WLB-2010010162]

Unsure if it applies to PS3.

=== OpenPrinter() stack-based buffer overflow ===

* [http://seclists.org/fulldisclosure/2007/Jan/474]

==== Patched ====
?patched?

=== DOM flaw ===

http://seclists.org/fulldisclosure/2009/Jul/299

==== Patched ====
?patched?

=== PS3Xploit Kernel Exploit ===

==== Credits ====
* Team PS3Xploit
* TODO

==== Bug description ====
To be disclosed.

==== Implementation ====
* [https://github.com/PS3Xploit/PS3HEN PS3HEN on PS3 by the PS3Xploit team]

==== Patched ====
Not patched as of PS3 FW 4.90.

=== Leakage of PTCH body plaintext over SPI on all BGA SYSCONs ===

When reading the body via the EEPROM read command, in all cases, the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface. Note that this ONLY happens when SC interacts with patch body and some specific areas.

==== Examples ====

===== MISO =====

<pre>
04 C8 34 30 BD E4 9F 27 16 DE 5C C1 E7 A3 DA 9C 
7F 5B 29 9A 5A 48 5C 14 ED B2 DE 28 84 43 68 82 
98 87 4E D4 62 51 01 A9 24 34 02 B3 FF 26 63 17 
77 8E 95 56 B1 5F 9F 22 93 46 DE 4E 3A 5E 8A D3
</pre>

===== MOSI =====

<pre>
3C 3A 04 3F 25 A6 68 09 02 00 04 00 00 00 00 00 (0x26B0)
3C 3A 04 3F 71 AD 00 00 09 00 00 00 00 00 00 00 (0x26C0)
3C 3A 04 3F 8E D5 75 0D 00 00 00 00 00 00 00 00 (0x26D0)
3C 3A 04 3F 80 86 48 0B 0B 00 03 00 00 00 00 00 (0x26E0)
</pre>

== Patched ==

=== Lv2 sys_fs_mount stack overflow ===

Stack buffer overflow with required privileges when passing a length greater than 10. It now checks for length less than or equal to 10. If larger than 10, the length gets set to 10.<br>
* [https://nwert.wordpress.com/2012/09/19/exploiting-lv2/ writeup]
* [https://web.archive.org/web/20141201184718/http://pastie.org/4755699 code]

Patched: sometime before [[4.40_CEX|4.40]] (only fw I checked)

=== RSX Syscall bug ===

In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.<br> however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory.

Patched: [[4.40_CEX|4.40]]

=== Lv2 sys_prx_register_module stack overflow ===

Stack buffer overflow which is fixed around 4.3x or 4.4x. Does not require any privileges.

=== Lv2 578 Syscall stack overflow ===

Stack buffer overflow which is fixed around 4.3x or 4.4x. Requires root privileges. Syscall is compiled with stack cookies.

Patched: [[4.4x_CEX|4.4x]]

=== AES CTR vulnerability on SELFs (and ebootroms maybe?) ===

Sometimes SCE reused the same AES CTR keys and IVs in different [[Certified File|Certified Files]].

See also [http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption].

See also [https://wiki.henkaku.xyz/vita/Vulnerabilities#AES_CTR_IV_reused_in_some_Certified_Files].

Patched: since some PS Vita prototype FWs as their [[Certified File|Certified Files]] started having always different IVs.

Maybe not patched on PS3 ebootroms.

=== PARAM.SFO stack-based buffer overflow ===

* [http://seclists.org/fulldisclosure/2013/May/113]

Patched: since 2012-05-01 ([[4.40_CEX|4.40]] and later)

==== Proof of Concept ====

Unsigned code can be added to the [[PARAM.SFO]] because the console does not recognize special characters.

* [http://www.exploit-db.com/exploits/25718/]

Working on [[4.31_CEX|4.31]]. Patched: since 2012-05-01 ([[4.40_CEX|4.40]] and later).
 
PoC: PARAM.SFO
<pre>
PSF�� Ä @� � � � � � ��� � � � ��� � � � ��h � � % � � � �� , � � � �� 4
��� �
$� C ��� @ (� V ��� � h� j ��
&#8364; p� t ��� &#8364; &#240;�
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE
TITLE
40ac78551a88fdc
SD
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]

Hackizeit: 1:33:07

ExpSkills: VL-LAB-TRAINING

Operation: 1%
Trojaners: 0%
... &#213;&#245;~\&#732;&#242;íA×éú�;óç� 40ac78551a88fdc
...
BLES00371-NARUTO_STORM-0
HACKINGBKM 1
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];
</pre>

=== AVP patch bypass exploit ===

Patched: since [[3.70_CEX|3.70]] and later.

=== PSN security intrusion ===

Patched: since [[3.61_CEX|3.61]] enforced password change

=== Sony PSN Account Service - Password Reset Vulnerability ===

* [http://www.vulnerability-lab.com/get_content.php?id=740]

Patched: since 2012-05-01

=== ECDSA private key non-random fail ===

See fail0verfl0w talk.

Patched: since [[3.56-1 CEX|3.56]]

=== JIG downgrade ===

Patched: since [[3.56-1 CEX|3.56]]

=== USB config heap-based buffer overflow (PSjailbreak/PSGroove) ===

Patched: since [[3.42_CEX|3.42]] and later

=== Leap year bug ===

Patched: since [[3.40_CEX|3.40]] and later

=== MP4 vulnerability ===

Patched: since [[3.21_CEX|3.21]] and later

=== Playback of Cinavia DRM protected titles ===

Patched: since [[3.10_CEX|3.10]] and later

=== Open Remote Play ===

Patched: since [[2.80_CEX|2.80]] and later

=== BD-J homebrew ===

Patched: since [[2.50_CEX|2.50]] and later

However, this "patched" claim is not precise enough and BD-JB like on PS4 and PS5 may be possible.

=== System Software Downgrade with hardware flasher ===

See also: [[Downgrading with Hardware flasher]].

Patched: since [[2.20_CEX|2.20]] and later (by adding [[CoreOS]] hashing in [[Syscon Hardware|Syscon]] to be checked by [[Hypervisor Reverse Engineering|hypervisor]]; worked around by patching hypervisor on [[3.56-1 CEX|3.56]] and lower capable consoles).

=== Full RSX access in OtherOS ===

Patched: since [[2.10_CEX|2.10]] and later

=== Web browser DoS via a large integer value for the length property of a Select object ===

* [http://www.cvedetails.com/cve/CVE-2009-2541/]

Patched: since 4 sept 2009

=== Remote Play UDP packets DoS ===

* [http://www.cvedetails.com/cve/CVE-2007-1728/ / http://cxsecurity.com/issue/WLB-2007030183]

Affected: [[1.60_CEX|2.10]] and PSP 3.10 OE-A

Patched: since 13 nov 2008

=== Resistance: Fall of Man network update exploit ===

Patched ?was the physical version actually patched?

Resistance: Fall of Man is a 2006 first-person shooter video game developed by Insomniac Games and published by Sony Computer Entertainment for the PlayStation 3. The game used a different system to download the game updates, by entering the multiplayer modes, unlike most titles which search for updates from the XMB or after starting them. This different system was required because at the time of development of the game the PS3 OS was not supporting game updates via XMB. The Resistance: Fall of Man update system contained a vulnerability.

As of December 11, 2008, all map packs for Resistance: Fall of Man were made available for free as a holiday gift from Insomniac due to the release of Resistance 2. All map packs are available for local split-screen multiplayer.

The map packs were removed from PlayStation Store in March 2014, although only in Europe. They are still available on PlayStation Store in USA although they cannot be used because of the aforementioned server closure. Since the game used a different system to download the game updates (by entering the multiplayer modes, unlike most titles which search for updates from the XMB or after starting them), and since the updates were required for DLC compatibility, the map packs became usable only by people who downloaded the updates before the server closure, in March 2014. Shortly after the closure of the game servers, a digital version of the game was released on PlayStation Store, exclusively in Europe. It comes with all game updates and map packs, and full compatibility with savedata from the physical edition.

=== Warhawk network update exploit ===

Patched ?was the physical version actually patched?

Warhawk was a 2007 online multiplayer third-person shooter video game developed by Incognito Entertainment and published by Sony Computer Entertainment for the PlayStation 3. It was the first PlayStation 3 game to be available both physically and digitally on the PlayStation Network.

The game used a different system to download the game updates, by entering the multiplayer modes, unlike most titles which search for updates from the XMB or after starting them. This different system was required because at the time of development of the game the PS3 OS was not supporting game updates via XMB. The Warhawk update system contained a vulnerability.

=== Game Bugs patched via Firmware ===

==== Afro Samurai Black Screen ====

The Afro Samurai game on PS3 gives a black screen as a failed attempt to call:
 cellAudioOutConfigure
 cellSysutilAvconfExt_FA611DF4

Occurs in [[3.01_CEX|Firmware 3.01]] 
 BLUS30264
 NPUB90215
 BLES00516

 In order to fix this problem, start up your PlayStation 3 system and while on the XMB (Cross Media Bar/System Menu), go to "Settings" and select "Sound Settings" from here select "Audio Multi-Output" and set this option to "OFF". You should be able to play the Afro Samurai Demo or update the retail game properly to the latest patch after this.

Source: [http://support.bandainamcogames.com/index.php?/Knowledgebase/Article/View/216/233/afro-samurai-why-doesnt-my-game-start-up-ps3-only]

Patched: in ([[VSH]]) since (unknown but after 3.01)

== It is not a bug! It is a scekrit feature! ==

=== Renesas verify function works on 4 byte values in All renesas/nec SysCon chips ===

All NEC/Renesas syscon chips have their verify function working for a 4 byte array but 256 byte size, increasing the probability of finding the correct bytes as opposed to the intended 256 bytes.

=== (Universal) Renesas checksum function works on 256 byte values (ALL SYSCON CHIPS, stock, PSP, PS Vita, PS3, PS4) ===

Renesas checksum feature works on 256 byte values instead of the intended block size, which means glitching could be done in a narrower margin, making the efforts a lot easier. it is also possible to identify 256 byte constants contiguous to each other by their checksums.

{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>