Bugs & Vulnerabilities: Difference between revisions
(added sfo POC 4.31)
Revision as of 06:18, 18 August 2014
PS3 save data exploit
Unsigned code can be added to the SFO because the console doesn't recognize special characters.
http://www.exploit-db.com/exploits/25718/ Firmware target 4.31. Working on 4.31.
PoC: PARAM.SFO
PSF [binary header and index table: non-printable bytes lost in extraction]
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE
40ac78551a88fdc
SD
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]
Hackizeit: 1:33:07
ExpSkills: VL-LAB-TRAINING
Operation: 1%
Trojaners: 0%
...
40ac78551a88fdc
...
BLES00371-NARUTO_STORM-0
HACKINGBKM 1
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];
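An added example (not from the original page or the linked advisory): a Python check a defender could run over a PARAM.SFO before trusting it, flagging length fields larger than the declared maximum and string values containing the markup characters seen in the PoC string above. The header and index layout is the commonly documented SFO layout and is an assumption here, as are the names `check_sfo` and `build_sfo` and the constructed sample values.

```python
import struct

MARKUP = set("<>\"'")   # assumption: the special characters used by the PoC string
FMT_UTF8 = 0x0204       # NUL-terminated UTF-8 string entry

def check_sfo(blob: bytes) -> list:
    """Return a list of findings for a PARAM.SFO image; an empty list means clean."""
    if len(blob) < 20 or blob[:4] != b"\x00PSF":
        return ["bad magic or truncated header"]
    _ver, key_tab, data_tab, count = struct.unpack_from("<4I", blob, 4)
    if not (20 + 16 * count <= key_tab <= data_tab <= len(blob)):
        return ["table offsets out of bounds"]
    findings = []
    for i in range(count):
        k_off, fmt, length, max_len, d_off = struct.unpack_from("<HHIII", blob, 20 + 16 * i)
        kpos = key_tab + k_off
        end = blob.find(b"\x00", kpos, data_tab)
        if end < 0:
            findings.append(f"entry {i}: key offset out of bounds")
            continue
        key = blob[kpos:end].decode("ascii", "replace")
        start = data_tab + d_off
        if length > max_len or start + max_len > len(blob):
            findings.append(f"{key}: length {length} exceeds max {max_len} or file size")
            continue
        if fmt == FMT_UTF8:
            raw = blob[start:start + length]
            if not raw.endswith(b"\x00"):
                findings.append(f"{key}: string not NUL-terminated")
            text = raw.rstrip(b"\x00").decode("utf-8", "replace")
            if MARKUP & set(text):
                findings.append(f"{key}: markup characters in string")
    return findings

def build_sfo(entries):
    """Constructed test input: pack (key, text, max_len) UTF-8 entries into an SFO image."""
    keys, data, index = b"", b"", b""
    for key, text, max_len in entries:
        raw = text.encode() + b"\x00"
        index += struct.pack("<HHIII", len(keys), FMT_UTF8, len(raw), max_len, len(data))
        keys += key.encode() + b"\x00"
        data += raw.ljust(max_len, b"\x00")
    keys += b"\x00" * (-len(keys) % 4)   # pad key table to 4-byte alignment
    key_tab = 20 + len(index)
    header = b"\x00PSF" + struct.pack("<4I", 0x0101, key_tab, key_tab + len(keys), len(entries))
    return header + index + keys + data

# Constructed samples; the second mirrors the markup-laden string and an oversized field.
CLEAN = build_sfo([("TITLE", "Save 01", 128)])
TAINTED = build_sfo([("SUB_TITLE", "H%20'>\"<[placeholder]", 128), ("TITLE", "x" * 200, 128)])
```

`check_sfo(CLEAN)` returns an empty list, while `check_sfo(TAINTED)` reports the markup characters in SUB_TITLE and the TITLE length that exceeds its declared maximum.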
"rsx syscall bug" - in most syscalls Sony reduces a pointer to 32 bits and uses a special function to write to that pointer.
However, in certain RSX syscalls, Sony forgot to do this, allowing the attacker to write to any part of lv2 memory.
patched: 4.45
http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption CTR bugs on SELFs (and ebootroms maybe?)
patched: since Vita pre-retail 0.9.9.6 (SELFs, should match with ps3 firmware at release date), unknown (ebootroms)
http://cxsecurity.com/issue/WLB-2007030183 "Remote Play" Remote DoS Exploit
patched: ?
http://cxsecurity.com/issue/WLB-2008070060 Memory corruption and NULL pointer in Unreal Tournament III 1.2
unsure if applies to PS3?
http://cxsecurity.com/issue/WLB-2010010162 MacOS X 10.5/10.6 libc/strtod(3) buffer overflow
unsure if applies to PS3?
http://seclists.org/fulldisclosure/2007/Jan/474 OpenPrinter() stack-based buffer overflow
patched: ?
http://seclists.org/fulldisclosure/2009/Jul/299 DOM flaw
patched: ?
http://seclists.org/fulldisclosure/2013/May/113 PARAM.SFO stack-based buffer overflow
patched: since 2012-05-01 (4.40 and later)
AVP patch bypass exploit
patched: since 3.70 and later
PSN security intrusion
patched: since 3.61 enforced password change
http://www.vulnerability-lab.com/get_content.php?id=740 Sony PSN Account Service - Password Reset Vulnerability
patched: since 2012-05-01
Private key nonrandom fail
patched: since 3.56
JIG downgrade
patched: since 3.56
USB config stack-based buffer overflow (PSjailbreak/PSGroove)
patched: since 3.42 and later
Leap year bug
patched: since 3.40 and later
MP4 vulnerability
patched: since 3.21 and later
Playback of Cinavia DRM protected titles
patched: since 3.10 and later
Open Remote Play
patched: since 2.80 and later
BD-J homebrew
patched: since 2.50 and later
Downgrading with Hardware flasher
patched: since 2.20 and later (by adding CoreOS hashing in Syscon to be checked by hypervisor; worked around by patching hypervisor on 3.56 and lower capable consoles)
Full RSX access in OtherOS
patched: since 2.10 and later