Vulnerabilities: Difference between revisions
CelesteBlue (talk | contribs) (51 intermediate revisions by 10 users not shown)
<div class="toclimit-3">
__TOC__
</div>
== Unpatched ==
=== XDR-DRAM exploit ===
==== Credits ====
* zecoxao (2015-05-10) for disclosing the vulnerability
==== Analysis ====
* [https://consolecrunch.com/threads/ps3-xdr-dram-exploit.13978/ XDR-DRAM exploit write-up by zecoxao (2015-05-10)]
==== Bug description ====
Every PS3 console has a serial data line on its XDR chip that is used to initialize the RAM test pattern. The line supports read/write mode and is freely accessible. Its address is obtained from the XDR interface and can be found in the service manual. A payload can be written to memory, for example into a loaded game or into game savedata, and is then executed.
Some pictures of the CMD, SCK, SDO and RST lines used to be available (dead links).
Whereas the hypervisor HTAB glitch has roughly a 10 percent success rate, the XDR-DRAM exploit succeeds 100 percent of the time.
See also [[XDR Configuration]].
==== Patched ====
Not patchable because it is a hardware vulnerability.
=== Hypervisor HTAB glitch ===
==== Credits ====
* geohot (2009-2011) for initial HTAB glitch
* xorloser (2009-2010) for XorHack and XorHack v2.0
* zecoxao (2023) for some tests and writeups
* Kafuu / aomsin2526 (2025) for reimplementation on recent hardware (superslim PS3) and software (4.92) revisions
* esc0rtd3w (2025-05) for some improvements
==== Bug description ====
See also [[SPU LS Overflow Exploit]] and [[Hypervisor_Reverse_Engineering#Exploiting_HV_with_memory_glitching_and_HV_call_lv1_undocumented_function_114]].
The hypervisor HTAB glitch has roughly a 10 percent success rate. When it fails, the PS3 must be rebooted, so triggering this exploit can take a long time.
Notes on [[Dumping_Metldr]]: the PS3 hypervisor HTAB exploit allows writing to the isolated SPU and loading the secure loader. After that, the SPU processor has to be glitched to pass the ECDSA check in the verify_header() function of metldr (any version of metldr), which verifies the ECDSA signature of the secure loader. The signature verification must be glitched while metldr loads the secure loader, so that a custom loader executes and dumps the local store with metldr and the eid-root-key. PS3 keys (including per-console ones) reside in the SPU isolated local store; they cannot be dumped from XDR. If it works, the custom loader is loaded and started, and the isolated SPU local store content ends up in the shared local store, which is accessible from the PPU side.
==== Analysis ====
* [https://www.psx-place.com/threads/ps3hen-w-linux-overclocking-support-badhtab-a-hardware-software-based-hypervisor-lv1-exploit.47282]
* [https://www.psx-place.com/threads/using-hen-with-geohots-dangling-htab-glitch.39364/]
* [https://www.cs.cmu.edu/~dst/GeoHot/ geohot's archives]
* [https://web.archive.org/web/20100218142902/https://geohotps3.blogspot.com/2010/02/on-isolated-spus.html geohot's blog]
* [https://web.archive.org/web/20190624102738/http://xorloser.com/ xorloser's blog]
* [https://web.archive.org/web/20190127185922/http://xorloser.com/blog/wp-content/uploads/2010/03/xorhack.zip xorhack.zip by xorloser]
* [https://web.archive.org/web/20190118100330/http://xorloser.com/?p=254 XorHack: The PS3 Exploit Toolkit by xorloser]
* [https://web.archive.org/web/20190118100410/http://xorloser.com/?p=297 XorHack v2.0: The Updated PS3 Exploit Toolkit by xorloser]
==== Implementation ====
Current implementations support PS3 System Software versions from 4.70 to 4.92.
* [https://github.com/esc0rtd3w/BadHTAB BadHTAB PS3 GameOS Implementation of geohot's hypervisor HTAB glitch exploit by esc0rtd3w]
* [https://github.com/aomsin2526/BadHTAB BadHTAB PS3 GameOS Implementation of geohot's hypervisor HTAB glitch exploit by aomsin2526]
==== Patched ====
Not patchable because it is a hardware vulnerability.
=== SPU Local Storage access from other SPEs and PPE ===
==== Credits ====
* Confirmed by Shuffle2 (2011-04-22)
==== Bug description ====
Normally, if an SPE is in isolation mode, only the code running on that SPE should be able to access its Local Storage. However, the high segment of the Local Storage is accessible from the other SPEs and from the PPE.
==== SPE local store dump via software - LSPWN ====
* [https://gbatemp.net/download/lspwn-v0-1-ps3-spe-local-storage-dumper.25975/ lspwn.rar (60.96 KB)]
LSPWN v0.1 by adrianc is a PS3 homebrew that dumps the local store of an SPE to /dev_hdd0/game/LSPWN0ADC/USRDIR/localstore.bin. It is a neat PoC for developers, but also a beginner-friendly introduction to the SPE environment. Thanks to gitbrew, mathieulh, geohot, sonic iso, #ps3secret, uf6667, zerkman.
'''Instructions:'''
# run the LSPWN application
# copy the dumped binary from the PS3 HDD using your preferred method (FTP, USB, socket, etc.)
# disassemble it using IDA Pro and take a look at the local store
'''Notes:'''
* source code forthcoming after some cleanup (ever released?)
* GUI in v0.2 release (ever released?)
* support for isolation mode if there is demand
==== Patched ====
'''No''' (probably unpatchable).
=== WebKit parseFloat() type confusion leading to stack buffer overflow ===
==== Credits ====
* Zuk Avraham
* TODO
==== Bug description ====
Passing NaN with a parameter as the argument to parseFloat() overflows the tiny buffer that parseFloat() creates.
==== Analysis ====
* [https://web.archive.org/web/20210521110132/https://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?tab=comments#comment-28458 WebKit PoC for PS3 released by xerpi through zecoxao in Playstationhax.xyz forum (2016-03-24)]
==== Implementation ====
* [https://github.com/PS3Xploit/PS3HEN PS3HEN on PS3 by the PS3Xploit team]
* [https://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html Writeup and PoC on Android 2.1 by Zuk Avraham]
==== Patched ====
'''Yes''' since PS3 FW 4.83. Remains exploitable on higher System Software versions by installing old WebKit SPRX files using a "hybrid" PUP.
=== WebKit CSS font face source type confusion leading to read primitive ===
==== Credits ====
TODO
==== Bug description ====
While parsing the source of a CSS font face, CSSParser::parseFontFaceSrc() assumes the given value is a string; if a specific double value is passed instead to an exploitable function such as insert() or format(), memory can be leaked via an overlap between two variables.
==== Implementation ====
* [https://github.com/PS3Xploit/PS3HEN PS3HEN on PS3 by the PS3Xploit team]
* [https://code.google.com/p/chromium/issues/detail?id=63866 initial bug report]
==== Patched ====
'''Yes''' since PS3 FW 4.83. Remains exploitable on higher System Software versions by installing old WebKit SPRX files using a "hybrid" PUP.
=== RSX VRAM Access exploit ===
==== Credits ====
* Discovered by AlexAltea and released on 2016-03-23.
* Thanks to @3141card for his LV1 RE files, and to the Nouveau/Envytools people, especially mwk.
==== Bug description ====
The full RSX VRAM/IO access exploit gives usermode/LV2 access to the entire 256 MB RSX VRAM range and the entire RSX IO address space, and works on all firmwares up to the latest version. Particularly interesting is that it allows access to the last 2 MB of VRAM, which are reserved for the LV1 driver; somewhat less interesting, it also gives access to the 'vsh.self' VRAM area and to IO-mapped memory.
The requirements are hard to satisfy (many either do not need this or cannot run it) and it is only relevant for developers. It only gives access to something that was previously inaccessible with usermode/supervisor privileges, nothing else.
To execute the RSX VRAM Access exploit, you need either:
* a usermode entry point (e.g. a web browser exploit) plus a NAND console (although if you have this, you have probably already hacked it and have LV1 access), or
* an LV2 entry point (e.g. rsxploit), in which case the `sys_rsx_device_map` LV2 syscall (#675) must be replaced with the `lv1_gpu_device_map` LV1 call in the source code of the PoC linked below (and all the GCM library code removed, among other things).
==== Analysis ====
* [https://web.archive.org/web/20210521110142/https://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?tab=comments#comment-28421 Release]
* [https://github.com/AlexAltea/ps3autotests/blob/master/exploits/user_vram_access/user_vram_access.cpp Source code]
==== Patched ====
'''No''' as of PS3 FW 4.92.
=== pexploit ===
==== Credits ====
* KaKaRoTo for keeping the vulnerability private for years, then disclosing it
* flatz for PS3 IDPS research
* TheDarkProgrammer for implementation of user-friendly tools
==== Bug description ====
To be documented.
See also [[KaKaRoTo_Kind_of_%C2%B4Jailbreak%C2%B4]].
==== Patched ====
'''Partially''' since PS3 FW ?4.75? (to be documented)
=== MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ===
* [http://cxsecurity.com/issue/WLB-2010010162]
Unsure if it applies to PS3.
=== OpenPrinter() stack-based buffer overflow ===
* [http://seclists.org/fulldisclosure/2007/Jan/474]
==== Patched ====
'''Maybe'''
=== DOM flaw ===
* [http://seclists.org/fulldisclosure/2009/Jul/299]
==== Patched ====
'''Maybe'''
=== PS3Xploit Kernel Exploit ===
==== Credits ====
* Team PS3Xploit
* TODO
==== Bug description ====
To be documented.
==== Implementation ====
* [https://github.com/PS3Xploit/PS3HEN PS3HEN on PS3 by the PS3Xploit team]
==== Patched ====
'''No''' as of PS3 FW 4.90.
=== Leakage of PTCH body plaintext over SPI on all BGA SYSCONs ===
When the body is read via the EEPROM read command, the SPI MISO line always leaks the plaintext of the PTCH body to anyone interacting with the EEPROM interface. Note that this ONLY happens when the SC interacts with the patch body and some specific areas.
==== Examples ====
===== MISO =====
<pre>
04 C8 34 30 BD E4 9F 27 16 DE 5C C1 E7 A3 DA 9C
7F 5B 29 9A 5A 48 5C 14 ED B2 DE 28 84 43 68 82
98 87 4E D4 62 51 01 A9 24 34 02 B3 FF 26 63 17
77 8E 95 56 B1 5F 9F 22 93 46 DE 4E 3A 5E 8A D3
</pre>
===== MOSI =====
<pre>
3C 3A 04 3F 25 A6 68 09 02 00 04 00 00 00 00 00 (0x26B0)
3C 3A 04 3F 71 AD 00 00 09 00 00 00 00 00 00 00 (0x26C0)
3C 3A 04 3F 8E D5 75 0D 00 00 00 00 00 00 00 00 (0x26D0)
3C 3A 04 3F 80 86 48 0B 0B 00 03 00 00 00 00 00 (0x26E0)
</pre>
=== LV2 sys_fs_mount stack overflow ===
==== Analysis ====
* [https://nwert.wordpress.com/2012/09/19/exploiting-lv2/ writeup]
==== Bug description ====
Stack buffer overflow (requires privileges) when a length greater than 10 is passed. The syscall now checks that the length is less than or equal to 10; if it is larger, the length is set to 10.
==== Implementation ====
* [https://web.archive.org/web/20141201184718/http://pastie.org/4755699 code]
==== Patched ====
'''Yes''' sometime before [[4.40_CEX|4.40]] (only fw I checked)
=== RSX syscalls bug (rsxploit) ===
==== Credits ====
* Discovered by Hykem the Demon 2014-12-13.
* Improved by Zer0Tolerance, IronMan and zecoxao on 2017-08-18.
==== Analysis ====
* [https://www.psxhax.com/threads/playstation-3-rsxploit-is-now-updated-and-working-via-zecoxao.2675/ rsxploit update by Zer0Tolerance, IronMan and zecoxao (2017-08-18)]
* [https://web.archive.org/web/20180125173546/https://playstationhax.xyz/forums/topic/1021-release-rsxploit-by-hykem-the-demon/?do=embed rsxploit release]
* [https://www.elotrolado.net/hilo_ps3-rsxploit-by-hykem-the-demon-ps3-dev-leak-by-zecoxao-arrivesf_2060190 rsxploit release archive]
==== Bug description ====
There is a flaw in the sys_rsx_context_allocate LV2 syscall (#670) that leads to LV2 code execution. In most LV2 syscalls, Sony reduces a pointer to 32 bits and uses a special function to write to it. In certain RSX syscalls, however, this was forgotten, allowing an attacker to write to any part of LV2 memory. There is not just one unchecked pointer but four: the context_id, lpar_dma_control, lpar_driver_info and lpar_reports pointers. Values can be written at:
* rsx_context + 0x04 (4 bytes) - context_id
* rsx_context + 0x20 (8 bytes) - lpar_dma_control
* rsx_context + 0x30 (8 bytes) - lpar_driver_info
* rsx_context + 0x40 (8 bytes) - lpar_reports
To properly specify a kernel address, use ULL for large numbers.
<pre>
/*
 * sys_rsx_context_allocate()
 * @param context_id (OUT): RSX context. e.g. 0x55555555 (in vsh.self)
 * @param lpar_dma_control (OUT): Control register area. e.g. 0x60100000 (in vsh.self)
 * @param lpar_driver_info (OUT): RSX data like frequencies, sizes, version... e.g. 0x60200000 (in vsh.self)
 * @param lpar_reports (OUT): Report data area. e.g. 0x60300000 (in vsh.self)
 * @param mem_ctx (IN): mem_ctx given by sys_rsx_memory_allocate
 * @param system_mode (IN): ?
 */
</pre>
Instructions for the initial rsxploit PoC by hykem:
# Change the pointer unk2 in rsx_bug.cpp (there is a comment there)
# Compile with Visual Studio 2010 and the official SDK
# Load on ProDG and analyze
# ?
==== Patched ====
'''Yes''' since PS3 [[4.40_CEX|4.40]]. The four flawed pointers have been checked since PS3 FW 4.40.
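The kind of check that the 4.40 fix is described as adding can be illustrated with a small simulation. The following C program is an added example and not Sony's code nor code from the linked PoCs: the address layout, the error code LV2_EFAULT and all function bodies are hypothetical, and only the four example values come from the doc comment above. It contrasts an unchecked store (a caller-supplied address is written wherever it points, including supervisor memory) with a hardened store that validates that every OUT pointer lies entirely inside user memory, including the end-address wrap-around case, before anything is written:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Simulated address space, constructed for this example: addresses are
 * offsets into g_mem. The low half stands for user (usermode-visible)
 * memory, the high half for supervisor (LV2 kernel) memory.
 */
#define USER_BASE   0x0000ULL
#define USER_SIZE   0x1000ULL
#define KERNEL_BASE 0x1000ULL
#define MEM_SIZE    0x2000ULL

#define LV2_OK      0
#define LV2_EFAULT  (-1)   /* hypothetical error code: bad user pointer */

static uint8_t g_mem[MEM_SIZE];

/* Example values from the page's doc comment for the four OUT parameters. */
#define CONTEXT_ID        0x55555555U
#define LPAR_DMA_CONTROL  0x60100000ULL
#define LPAR_DRIVER_INFO  0x60200000ULL
#define LPAR_REPORTS      0x60300000ULL

/* True iff [addr, addr+size) lies entirely inside user memory; the
 * wrap-around of addr+size is rejected explicitly. */
int user_range_ok(uint64_t addr, uint64_t size)
{
    if (addr + size < addr)                      /* end address overflowed */
        return 0;
    return addr >= USER_BASE && addr + size <= USER_BASE + USER_SIZE;
}

/* Unchecked store: writes wherever the caller points, as the page describes
 * the affected RSX syscalls doing before 4.40. The MEM_SIZE test only keeps
 * the simulation itself in bounds. */
static int put_unchecked(uint64_t addr, const void *val, size_t n)
{
    if (addr + n > MEM_SIZE) return LV2_EFAULT;
    memcpy(&g_mem[addr], val, n);
    return LV2_OK;
}

/* Hardened store: refuses any destination outside user memory. */
static int put_user(uint64_t uaddr, const void *val, size_t n)
{
    if (!user_range_ok(uaddr, n)) return LV2_EFAULT;
    memcpy(&g_mem[uaddr], val, n);
    return LV2_OK;
}

/* Model of the syscall's four OUT writes (hypothetical body, not Sony's
 * code). `checked` selects the hardened or the unchecked store. */
static int rsx_context_allocate(int checked, uint64_t p_ctx, uint64_t p_dma,
                                uint64_t p_info, uint64_t p_reports)
{
    uint32_t ctx = CONTEXT_ID;
    uint64_t dma = LPAR_DMA_CONTROL, info = LPAR_DRIVER_INFO, rep = LPAR_REPORTS;

    if (checked) {
        /* Validate all four pointers before touching memory, so a rejected
         * call leaves no partially written state behind. */
        if (!user_range_ok(p_ctx, sizeof ctx) || !user_range_ok(p_dma, sizeof dma) ||
            !user_range_ok(p_info, sizeof info) || !user_range_ok(p_reports, sizeof rep))
            return LV2_EFAULT;
        put_user(p_ctx, &ctx, sizeof ctx);
        put_user(p_dma, &dma, sizeof dma);
        put_user(p_info, &info, sizeof info);
        put_user(p_reports, &rep, sizeof rep);
        return LV2_OK;
    }
    if (put_unchecked(p_ctx, &ctx, sizeof ctx) != LV2_OK ||
        put_unchecked(p_dma, &dma, sizeof dma) != LV2_OK ||
        put_unchecked(p_info, &info, sizeof info) != LV2_OK ||
        put_unchecked(p_reports, &rep, sizeof rep) != LV2_OK)
        return LV2_EFAULT;
    return LV2_OK;
}

/* Runs one call with lpar_reports pointed at a supervisor address and reports
 * whether the sentinel byte there survived: 1 = kernel memory untouched. */
int kernel_sentinel_survives(int checked)
{
    const uint64_t kaddr = KERNEL_BASE + 0x40;
    memset(g_mem, 0, sizeof g_mem);
    g_mem[kaddr] = 0xAA;
    (void)rsx_context_allocate(checked, 0x100, 0x120, 0x130, kaddr);
    return g_mem[kaddr] == 0xAA;
}

int main(void)
{
    printf("unchecked path leaves kernel byte intact: %d\n", kernel_sentinel_survives(0));
    printf("checked path leaves kernel byte intact:   %d\n", kernel_sentinel_survives(1));
    return 0;
}
```

Validating all four pointers before the first write matters: checking each pointer immediately before its own store would still leave the earlier writes in place when a later pointer is rejected, so the syscall would fail with partial side effects.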
=== LV2 syscall 484 (sys_prx_register_module) stack overflow ===
LV2 Syscall 484 (sys_prx_register_module) contains a stack overflow.
LV2 Syscall 484 does not require root privileges.
==== Patched ====
'''Yes''' since 4.3x or [[4.4x_CEX|4.4x]].
=== LV2 Syscall 578 (sys_bluetooth) stack overflow ===
LV2 Syscall 578 (sys_bluetooth) contains a stack overflow.
LV2 Syscall 578 requires root privileges and is compiled with stack cookies.
==== Patched ====
'''Yes''' since 4.3x or [[4.4x_CEX|4.4x]].
=== AES CTR vulnerability on SELFs (and ebootroms maybe?) ===
Sometimes SCE reused the same AES CTR keys and IVs in different [[Certified File|Certified Files]].
See also [http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption].
See also [https://wiki.henkaku.xyz/vita/Vulnerabilities#AES_CTR_IV_reused_in_some_Certified_Files].
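Why reusing one (key, IV) pair across two Certified Files is a problem, and how a set of file headers can be scanned for such reuse, as an added example (not SCE's code and not code from this wiki). libc has no AES, so a toy keyed block function stands in for it; the leak shown depends only on the structure of CTR mode, not on the block cipher. The header struct, its key id field and the sample headers are constructed for the example:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy 128-bit keyed block function standing in for AES (libc has no AES).
 * Only CTR mode's structure matters here. Not a cipher; do not reuse it. */
static void toy_block(const uint8_t key[16], const uint8_t in[16], uint8_t out[16])
{
    uint64_t a, b, k0, k1;
    memcpy(&a, in, 8);   memcpy(&b, in + 8, 8);
    memcpy(&k0, key, 8); memcpy(&k1, key + 8, 8);
    for (int r = 0; r < 8; r++) {
        a ^= k0 + (uint64_t)r * 0x9E3779B97F4A7C15ULL;
        a = (a ^ (a >> 30)) * 0xBF58476D1CE4E5B9ULL;
        b ^= a + k1;
        b = (b ^ (b >> 27)) * 0x94D049BB133111EBULL;
        a ^= b >> 31;
    }
    memcpy(out, &a, 8); memcpy(out + 8, &b, 8);
}

/* CTR mode: keystream block i = E_key(iv + i); output = input XOR keystream.
 * The same (key, iv) therefore always yields the same keystream. */
static void ctr_crypt(const uint8_t key[16], const uint8_t iv[16],
                      const uint8_t *in, uint8_t *out, size_t len)
{
    uint8_t ctr[16], ks[16];
    memcpy(ctr, iv, 16);
    for (size_t off = 0; off < len; off += 16) {
        toy_block(key, ctr, ks);
        size_t n = len - off < 16 ? len - off : 16;
        for (size_t j = 0; j < n; j++) out[off + j] = in[off + j] ^ ks[j];
        for (int j = 15; j >= 0 && ++ctr[j] == 0; j--) { }  /* big-endian increment */
    }
}

/* Two constructed "file bodies" encrypted under one (key, iv). Returns 1 if
 * the second plaintext is recovered from the two ciphertexts plus the first
 * plaintext alone, because c1 ^ c2 == p1 ^ p2 when the keystream is shared. */
int reused_iv_recovers_plaintext(void)
{
    const uint8_t *key = (const uint8_t *)"constructed-key!";   /* 16 bytes */
    const uint8_t *iv  = (const uint8_t *)"constructed-iv!!";   /* 16 bytes */
    const char *p1 = "SELF body one: a header whose layout is public";
    const char *p2 = "SELF body two: the section we want to protect";
    uint8_t c1[64], c2[64], rec[64];
    size_t n1 = strlen(p1), n2 = strlen(p2), len = n1 < n2 ? n1 : n2;

    ctr_crypt(key, iv, (const uint8_t *)p1, c1, n1);
    ctr_crypt(key, iv, (const uint8_t *)p2, c2, n2);   /* same key and IV reused */
    for (size_t i = 0; i < len; i++)
        rec[i] = c1[i] ^ c2[i] ^ (uint8_t)p1[i];       /* p2 = c1 ^ c2 ^ p1 */
    return memcmp(rec, p2, len) == 0;
}

/* Hypothetical header fields a scanner would read from each Certified File. */
struct cf_header { uint32_t key_id; uint8_t iv[16]; };

/* Counts headers whose (key id, IV) pair already appeared earlier in the
 * list. Any count above zero means keystream reuse across files. */
size_t count_iv_reuse(const struct cf_header *h, size_t n)
{
    size_t reused = 0;
    for (size_t i = 1; i < n; i++)
        for (size_t j = 0; j < i; j++)
            if (h[i].key_id == h[j].key_id && memcmp(h[i].iv, h[j].iv, 16) == 0) {
                reused++;
                break;
            }
    return reused;
}

/* Constructed sample: four headers, one of which reuses an earlier pair. */
size_t sample_reuse_count(void)
{
    struct cf_header h[4];
    memset(h, 0, sizeof h);
    h[0].key_id = 1; memset(h[0].iv, 0x11, 16);
    h[1].key_id = 1; memset(h[1].iv, 0x22, 16);
    h[2].key_id = 1; memset(h[2].iv, 0x11, 16);   /* same key id and IV as h[0] */
    h[3].key_id = 2; memset(h[3].iv, 0x11, 16);   /* same IV, different key: not a reuse */
    return count_iv_reuse(h, 4);
}

int main(void)
{
    printf("second plaintext recovered from reused keystream: %d\n", reused_iv_recovers_plaintext());
    printf("headers reusing an earlier (key, IV) pair: %zu\n", sample_reuse_count());
    return 0;
}
```

The scanner keys on the pair rather than on the IV alone because an IV repeated under a different key produces a different keystream; only a repeated pair makes the XOR of two ciphertexts equal the XOR of their plaintexts.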
==== Patched ====
'''Yes''' since some PS Vita prototype FWs, whose [[Certified File|Certified Files]] started always having different IVs. Maybe not patched on PS3 ebootroms.
=== PARAM.SFO stack-based buffer overflow ===
==== Analysis ====
* [http://seclists.org/fulldisclosure/2013/May/113]
==== Proof of Concept ====
Unsigned code can be added to the [[PARAM.SFO]] because the console does not recognize special characters.
* [http://www.exploit-db.com/exploits/25718/]
PoC: PARAM.SFO
<pre>
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];
</pre>
==== Patched ====
'''Yes''' since [[4.40_CEX|4.40]]. Working on [[4.31_CEX|4.31]].
=== AVP patch bypass exploit ===
Patched: since [[3.70_CEX|3.70]] and later.
=== PSN security intrusion ===
=== Sony PSN Account Service - Password Reset Vulnerability ===
* [http://www.vulnerability-lab.com/get_content.php?id=740]
Patched: since 2012-05-01
=== ECDSA private key non-random fail ===
See fail0verflow talk (TODO: add link).
Patched: since [[3.56-1 CEX|3.56.1]]
=== JIG downgrade ===
Patched: since [[3.56-1 CEX|3.56]]
=== USB config heap-based buffer overflow (PSjailbreak/PSGroove) ===
==== Bug description ====
An AVR/PIC or another active USB device such as a PSP, running specific code, can exploit the USB descriptor parser of the PS3.
See also [[ReDRM_/_Piracy_dongles]], [[PSJailbreak_Exploit_Payload_Reverse_Engineering]], [[PSGroove]].
==== Patched ====
'''Yes''' since [[3.42_CEX|3.42]].
=== Leap year bug ===
Patched: since [[3.21_CEX|3.21]] and later
=== CELL Reset Exploit ===
See [[CELL Reset Exploit]].
This vulnerability was documented on 12 March 2011 by Defyboy.
This exploit relies on the fact that RAM is not cleared when the CELL processor is reset. Pulling the cell_reset line on the processor for around 60 ns resets the CELL processor without clearing RAM, and the boot process begins again. This hack is largely useless except in special circumstances.
Patched: not patched as of 3.55, but useless since [[3.15_CEX|3.15]] and later
=== Playback of Cinavia DRM protected titles ===
Patched: since [[2.50_CEX|2.50]] and later
However, this "patched" claim is not precise enough, and a BD-JB like on PS4 and PS5 may be possible.
=== System Software Downgrade with hardware flasher ===
See also: [[Downgrading with Hardware flasher]].
==== Patched ====
'''Yes''' since [[2.20_CEX|2.20]] and later (by adding [[CoreOS]] hashing in [[Syscon Hardware|Syscon]] to be checked by the [[Hypervisor Reverse Engineering|hypervisor]]; worked around by patching the hypervisor on consoles capable of running [[3.56-1 CEX|3.56]] and lower).
=== Full RSX access in OtherOS ===
==== Patched ====
'''Yes''' since PS3 [[2.10_CEX|2.10]].
=== Web browser DoS via a large integer value for the length property of a Select object ===
==== Analysis ====
* [http://www.cvedetails.com/cve/CVE-2009-2541/]
==== Patched ====
'''Yes''' since 2009-09-04.
== Game vulnerabilities ==
=== Vulnerabilities in F.E.A.R. and F.E.A.R. 2: Project Origin ===
F.E.A.R., F.E.A.R. 2: Project Origin and F.E.A.R. 3 are games available on PS3.
==== Credits ====
* Luigi Auriemma (luigi_auriemma)
==== Implementation ====
* [https://aluigi.altervista.org/poc/fearless.zip PoC for FEAR and FEAR 2 on version <= 1.08]
=== Call Of Duty: Modern Warfare 3 Null pointer dereference ===
==== Credits ====
* Luigi Auriemma (luigi_auriemma)
==== Analysis ====
* [https://revuln.com/files/ReVuln_CoDMW3_null_pointer_dereference.pdf write-up for the Steam version]
* [https://vimeo.com/440375446 PoC video for the Steam version]
==== Implementation ====
* [https://aluigi.altervista.org/poc/codmw3null.zip Implementation for the Steam version]
=== Electronic Arts Origin games vulnerabilities ===
Origin has a large number of games, several of which are available exclusively on this platform, such as:
* Battlefield 3 (PS3)
* Crysis 3 (PS3)
* Dead Space 3 (PS3)
* FIFA 13 (PS3)
* Mass Effect 3 (PS3)
These games may be vulnerable on PS3 in case of a bug in the Origin client.
==== Analysis ====
* [https://revuln.com/files/ReVuln_EA_Origin_Insecurity.pdf write-up]
* [https://vimeo.com/61361586 PoC video for Crysis 3 on PC running the Origin launcher]
=== Final Fantasy XIV A Realm Reborn network vulnerabilities ===
Maybe vulnerable via network.
=== CryEngine 3 multiple vulnerabilities ===
==== Credits ====
* Luigi Auriemma (luigi_auriemma)
* Donato Ferrante (dntbug)
==== Bug description ====
There are two vulnerabilities in CryEngine 3 due to improper handling of fragmented packets.
==== HEAP OVERFLOW VIA FRAGMENTED PACKETS ====
There is a heap overflow vulnerability which can be triggered by sending a sequence of fragmented packets with opcode 0x93. Using this sequence, an attacker is able to reach the vulnerable code and take control of process execution.
==== MEMORY CORRUPTION VIA FRAGMENTED PACKETS ====
There is an integer overflow vulnerability which can be triggered with a truncated fragment packet whose size is less than 4. Sending, for instance, a 2-byte packet reaches the vulnerable code.
Games that use CryEngine 3:
* Crysis 2
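A length check of the kind that prevents the truncated-fragment case above, as an added example: the four-byte fragment header layout, the opcode field position and the reassembly buffer are assumptions made for the illustration, not CryEngine's real wire format or code. The block shows the unsigned underflow that a missing header-length check produces next to a parser that rejects packets shorter than the header and bounds-checks every append into the reassembly buffer:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fragment header, constructed for this example (NOT CryEngine's
 * real format): 1-byte opcode (0x93 per the page), 1-byte fragment index,
 * 2-byte big-endian total fragment count; the payload follows. */
#define FRAG_OPCODE   0x93
#define FRAG_HDR_LEN  4
#define REASM_MAX     256        /* size of the reassembly buffer */

struct fragment {
    uint8_t        index;
    uint16_t       total;
    const uint8_t *payload;
    size_t         payload_len;
};

/* Parsing that trusts the packet to hold at least a header: for a 2-byte
 * packet `len - FRAG_HDR_LEN` wraps to a huge size_t, which a later copy
 * would treat as the payload size. Returned so the wrap is visible. */
size_t naive_payload_len(size_t len)
{
    return len - FRAG_HDR_LEN;
}

/* Hardened parser: 0 on success, -1 when the packet cannot be a valid fragment. */
int parse_fragment(const uint8_t *pkt, size_t len, struct fragment *out)
{
    if (len < FRAG_HDR_LEN) return -1;           /* truncated header: the 2-byte case */
    if (pkt[0] != FRAG_OPCODE) return -1;
    out->index       = pkt[1];
    out->total       = (uint16_t)((pkt[2] << 8) | pkt[3]);
    out->payload     = pkt + FRAG_HDR_LEN;
    out->payload_len = len - FRAG_HDR_LEN;       /* cannot underflow after the length check */
    if (out->total == 0 || out->index >= out->total) return -1;
    return 0;
}

/* Append into a fixed buffer; every copy is checked against the space left.
 * Returns the bytes buffered so far, or -1 if the fragment would overflow. */
long append_fragment(uint8_t *buf, size_t *used, const struct fragment *f)
{
    if (f->payload_len > REASM_MAX - *used) return -1;   /* overflow guard */
    memcpy(buf + *used, f->payload, f->payload_len);
    *used += f->payload_len;
    return (long)*used;
}

/* Constructed 2-byte packet: rejected before any length arithmetic happens. */
int truncated_packet_is_rejected(void)
{
    static const uint8_t pkt[2] = { FRAG_OPCODE, 0x00 };
    struct fragment f;
    return parse_fragment(pkt, sizeof pkt, &f) == -1;
}

/* The naive computation on the same 2-byte length exceeds any real buffer. */
int naive_len_wraps(void)
{
    return naive_payload_len(2) > REASM_MAX;
}

/* Two constructed fragments of a 5-byte message; returns 5 on success, -1 otherwise. */
long reassemble_sample(void)
{
    static const uint8_t f0[] = { FRAG_OPCODE, 0, 0x00, 0x02, 'h', 'e', 'l' };
    static const uint8_t f1[] = { FRAG_OPCODE, 1, 0x00, 0x02, 'l', 'o' };
    uint8_t buf[REASM_MAX];
    size_t used = 0;
    struct fragment f;

    if (parse_fragment(f0, sizeof f0, &f) != 0 || append_fragment(buf, &used, &f) < 0) return -1;
    if (parse_fragment(f1, sizeof f1, &f) != 0 || append_fragment(buf, &used, &f) < 0) return -1;
    return memcmp(buf, "hello", 5) == 0 ? (long)used : -1;
}

int main(void)
{
    printf("2-byte packet rejected: %d\n", truncated_packet_is_rejected());
    printf("naive length wrapped:   %d\n", naive_len_wraps());
    printf("reassembled bytes:      %ld\n", reassemble_sample());
    return 0;
}
```

The two checks guard the two failure modes described above: the header-length test stops the underflow that a truncated packet causes, and the per-append bound stops a sequence of well-formed fragments from writing past the reassembly buffer.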
==== Analysis ====
* [https://revuln.com/files/ReVuln_Game_Engines_0days_tale.pdf write-up]
* [https://revuln.com/files/Ferrante_Auriemma_Multiplayer_Online_Games_Insecurity_WP.pdf write-up #2]
* [https://revuln.com/files/Ferrante_Auriemma_Exploiting_Game_Engines.pdf slides]
* [https://revuln.com/files/Ferrante_Auriemma_Multiplayer_Online_Games_Insecurity.pdf slides #2]
* [https://revuln.com/files/Ferrante_Auriemma_0wning_Multiplayer_Online_Games.pdf slides #3]
* [https://www.youtube.com/watch?v=cMnyzDPgphQ talk video]
* [https://vimeo.com/53425372 PoC video]
==== Implementation ====
* [https://aluigi.altervista.org/poc/cryengine3_1.zip CryEngine 3 PoC]
=== Unreal Engine 3 ===
The third and current generation of the Unreal Engine (UE3) is designed for DirectX (versions 9-11 for Windows and Xbox 360), as well as for systems using OpenGL, including the Sony PlayStation 3 and PlayStation Vita.
==== Homefront ====
Homefront is based on a customized version of the Unreal Engine 3, with RCON [http://en.wikipedia.org/wiki/Remote_administration] support. It contains many vulnerabilities:
* INVALID READ ACCESS: The RCON command CT followed by 0x7fffffff triggers an invalid read access while attempting to read the address 0x7fffffff.
* NULL POINTER: The RCON command CD triggers a NULL pointer dereference.
* 16-BIT ADJACENT MEMORY OVERWRITE: The RCON command CT followed by a negative number allows setting 16 bits of adjacent memory to 0.
* STACK-BASED OVERFLOW: The RCON command CT followed by a negative number can be used to trigger a stack-based overflow.
==== Sanctum 2 ====
Sanctum 2 may be vulnerable, since the first Sanctum was vulnerable and Sanctum 2 also uses Unreal Engine 3.
==== Analysis ====
* [https://revuln.com/files/ReVuln_Game_Engines_0days_tale.pdf write-up]
* [https://revuln.com/files/Ferrante_Auriemma_Multiplayer_Online_Games_Insecurity_WP.pdf write-up #2]
* [https://revuln.com/files/Ferrante_Auriemma_Exploiting_Game_Engines.pdf slides]
* [https://revuln.com/files/Ferrante_Auriemma_Multiplayer_Online_Games_Insecurity.pdf slides #2]
* [https://revuln.com/files/Ferrante_Auriemma_0wning_Multiplayer_Online_Games.pdf slides #3]
* [https://www.youtube.com/watch?v=cMnyzDPgphQ talk video]
==== Implementation ====
* [https://aluigi.altervista.org/poc/homefront_1.txt Homefront PoC]
* [https://aluigi.altervista.org/poc/sanctum_haunted_outofmemory.txt Sanctum PoC]
=== idTech 4 ===
* https://en.wikipedia.org/wiki/Id_Tech_4
==== Bug description ====
The idTech 4 engine exposes a function named idBitMsg::ReadData, which can be used to achieve remote code execution against games using customized versions of this engine. Some games, including Doom 3, are not affected by this issue; others, such as Enemy Territory: Quake Wars and Brink, are affected due to customizations of the original idTech 4 engine.
Games using the idTech 4 engine:
* Enemy Territory: Quake Wars (PS3) -> vulnerable
* Wolfenstein (PS3)
* Brink (PS3) -> vulnerable
* Doom 3: BFG Edition (PS3)
==== Analysis ====
* [https://revuln.com/files/ReVuln_Game_Engines_0days_tale.pdf write-up]
* [https://revuln.com/files/Ferrante_Auriemma_Multiplayer_Online_Games_Insecurity_WP.pdf write-up #2]
* [https://revuln.com/files/Ferrante_Auriemma_Exploiting_Game_Engines.pdf slides]
* [https://revuln.com/files/Ferrante_Auriemma_Multiplayer_Online_Games_Insecurity.pdf slides #2]
* [https://revuln.com/files/Ferrante_Auriemma_0wning_Multiplayer_Online_Games.pdf slides #3]
* [https://www.youtube.com/watch?v=cMnyzDPgphQ talk video]
==== Implementation ====
* [https://aluigi.altervista.org/poc/idtech4carray.zip idTech 4 engine client array overflow PoC]
* [https://aluigi.altervista.org/poc/etqwcbof.zip Enemy Territory: Quake Wars invalid URL buffer overflow PoC]
* [https://aluigi.altervista.org/poc/brink_1.zip Brink PoC]
=== Aliens vs. Predator (2010) multiple vulnerabilities ===
* https://en.wikipedia.org/wiki/Aliens_vs._Predator_(2010_video_game)
==== Credits ====
* Luigi Auriemma
==== Implementation ====
* [https://aluigi.altervista.org/poc/avp3dos.zip Aliens vs. Predator (2010) version <= 2.22 PoC]
=== Star Trek D·A·C (Deathmatch. Assault. Conquest) DoS ===
==== Credits ====
* Luigi Auriemma
==== Implementation ====
* [https://aluigi.altervista.org/poc/stduck.dat Star Trek D·A·C DoS PoC]
=== Source game engine vulnerabilities ===
* https://en.wikipedia.org/wiki/Source_(game_engine)
==== Credits ====
* Luigi Auriemma
==== Implementation ====
* [https://aluigi.altervista.org/poc.htm many PoCs for the Source game engine]
=== Techland Chrome Engine 4 DoS ===
* https://en.wikipedia.org/wiki/Techland#Chrome_Engine_4
==== Credits ====
* Luigi Auriemma
==== Implementation ====
* [https://aluigi.altervista.org/poc/chromerda.zip Chrome Engine 4 Denial of Service PoC]
=== Memory corruption and NULL pointer in Unreal Tournament III 1.2 ===
Unreal Tournament 3 (UT3) is a first-person arena shooter video game developed by Epic Games and published by Midway Games.
==== Credits ====
* Luigi Auriemma
==== Analysis ====
* [http://cxsecurity.com/issue/WLB-2008070060]
==== Implementation ====
* [https://aluigi.altervista.org/poc/ut3mendo.zip Unreal Tournament 3 <= 1.2/1.3beta4 memory corruption and NULL pointer PoC]
* [https://aluigi.altervista.org/poc/ut2004null.zip Unreal Tournament 2004 <= v3369 NULL pointer PoC]
==== Patched ====
'''Probably''' with a game patch.
=== Remote Play UDP packets DoS ===
* [http://www.cvedetails.com/cve/CVE-2007-1728/]
* [http://cxsecurity.com/issue/WLB-2007030183]
Affected: PS3 [[1.60_CEX|1.60]], and PSP 3.10 (tested on 3.10 OE-A)
==== Patched ====
'''Yes''' since 2008-11-13.
=== Resistance: Fall of Man network update exploit ===
Resistance: Fall of Man is a 2006 first-person shooter video game developed by Insomniac Games and published by Sony Computer Entertainment for the PlayStation 3. Unlike most titles, which check for updates from the XMB or after being started, the game downloaded its updates upon entering the multiplayer modes. This different system was required because, at the time of the game's development, the PS3 OS did not support game updates via the XMB. The Resistance: Fall of Man update system contained a vulnerability.
As of December 11, 2008, all map packs for Resistance: Fall of Man were made available for free as a holiday gift from Insomniac due to the release of Resistance 2. All map packs are available for local split-screen multiplayer.
The map packs were removed from the PlayStation Store in March 2014, although only in Europe. They are still available on the PlayStation Store in the USA, although they cannot be used because of the server closure in March 2014. Since the game downloaded its updates through a different system (upon entering the multiplayer modes, unlike most titles which check for updates from the XMB or after being started), and since the updates were required for DLC compatibility, the map packs remained usable only for people who had downloaded the updates before the server closure. Shortly after the closure of the game servers, a digital version of the game was released on the PlayStation Store, exclusively in Europe. It comes with all game updates and map packs, and full compatibility with savedata from the physical edition.
==== Patched ====
?Was the physical version actually patched?
=== Warhawk network update exploit ===
Warhawk was a 2007 online multiplayer third-person shooter video game developed by Incognito Entertainment and published by Sony Computer Entertainment for the PlayStation 3. It was the first PlayStation 3 game to be available both physically and digitally on the PlayStation Network.
Unlike most titles, which check for updates from the XMB or after being started, the game downloaded its updates upon entering the multiplayer modes. This different system was required because, at the time of the game's development, the PS3 OS did not support game updates via the XMB. The Warhawk update system contained a vulnerability.
==== Patched ====
?Was the physical version actually patched?
=== Unsorted network vulnerabilities ===
* https://aluigi.altervista.org/poc.htm
== Game vulnerabilities patched via System Software update ==
=== Afro Samurai Black Screen ===
==== Analysis ====
* [http://support.bandainamcogames.com/index.php?/Knowledgebase/Article/View/216/233/afro-samurai-why-doesnt-my-game-start-up-ps3-only]
==== Bug description ====
The Afro Samurai game on PS3 shows a black screen after a failed attempt to call:
* cellAudioOutConfigure
* cellSysutilAvconfExt_FA611DF4
Occurs on [[3.01_CEX|Firmware 3.01]] with the following title IDs:
* BLUS30264
* NPUB90215
* BLES00516
To fix this problem, start up the PlayStation 3 system and, while on the XMB (Cross Media Bar / System Menu), go to "Settings", select "Sound Settings", then "Audio Multi-Output", and set this option to "OFF". The Afro Samurai demo should then run, and the retail game can be updated properly to the latest patch.
==== Patched ====
'''Yes''' in [[VSH]] since an unknown version, but after PS3 FW [[3.01_CEX|3.01]].
= Syscon =
== Renesas verify function works on 4 byte values in all Renesas/NEC SysCon chips ==
On all NEC/Renesas syscon chips, the verify function works on 4-byte values instead of the intended 256-byte size, which increases the probability of finding the correct bytes compared to verifying the full 256 bytes.
=== Patched ===
'''No''' because unpatchable.
== (Universal) Renesas checksum function works on 256 byte values (all Syscon chips, stock, PSP, PS Vita, PS3, PS4) ==
The Renesas checksum feature works on 256-byte values instead of the intended block size, which means glitching can be done within a narrower margin, making the effort much easier. It is also possible to identify contiguous 256-byte constants by their checksums.
=== Patched ===
'''No''' because unpatchable.
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
Latest revision as of 04:14, 4 May 2025
== Unpatched ==

=== XDR-DRAM exploit ===
==== Credits ====
* zecoxao (2015-05-10) for disclosing the vulnerability
==== Analysis ====
==== Bug description ====
Every PS3 has a serial data line on its XDR DRAM that is used to initialise the RAM test pattern. The line has a read/write mode and is freely accessible; its address is obtained from the XDR interface and can be found in the service manual. With that access, a payload can be written straight into memory, for example into a loaded game or into a game savedata, and it will then be executed.
Pictures of the CMD, SCK, SDO and RST signals were published (links now dead).
Whereas the hypervisor HTAB glitch succeeds roughly 10 percent of the time, the XDR-DRAM exploit succeeds every time.
See also XDR Configuration.
==== Patched ====
Not patchable because it is a hardware vulnerability.

=== Hypervisor HTAB glitch ===
==== Credits ====
* geohot (2009-2011) for the initial HTAB glitch
* xorloser (2009-2010) for XorHack and XorHack v2.0
* zecoxao (2023) for tests and write-ups
* Kafuu / aomsin2526 (2025) for the reimplementation on recent hardware (superslim PS3) and software (4.92) revisions
* esc0rtd3w (2025-05) for improvements
==== Bug description ====
See also the SPU LS Overflow Exploit and Hypervisor Reverse Engineering, section "Exploiting HV with memory glitching and HV call lv1_undocumented_function_114".
The hypervisor HTAB glitch succeeds roughly 10 percent of the time. When it fails the PS3 must be rebooted, so triggering the exploit can take a long time.
Notes on dumping metldr: the hypervisor HTAB exploit lets us write to the isolated SPU and load the secure loader. Metldr (any version) then checks the ECDSA signature of the secure loader in its verify_header() function, so the SPU must be glitched at the moment metldr verifies that signature, so that a custom loader passes the check and executes. The PS3 keys, including the per-console ones, live in the isolated SPU local store and cannot be dumped from XDR. If the glitch succeeds, the custom loader is loaded and started, and the isolated SPU local store content (metldr and the EID root key) ends up in the shared local store, which is accessible from the PPU side.
==== Analysis ====
* geohot's archives
* geohot's blog
* xorloser's blog
* xorhack.zip by xorloser
* XorHack: The PS3 Exploit Toolkit by xorloser
* XorHack v2.0: The Updated PS3 Exploit Toolkit by xorloser
==== Implementation ====
Current implementations support PS3 System Software versions 4.70 to 4.92.
* BadHTAB, PS3 GameOS implementation of geohot's hypervisor HTAB glitch exploit, by esc0rtd3w
* BadHTAB, PS3 GameOS implementation of geohot's hypervisor HTAB glitch exploit, by aomsin2526
==== Patched ====
Not patchable because it is a hardware vulnerability.

=== SPU Local Storage access from other SPEs and PPE ===
==== Credits ====
* Confirmed by Shuffle2 (2011-04-22)
==== Bug description ====
Normally, when an SPE is in isolation mode, only the code running on that SPE should be able to access its Local Storage. However, the high segment of the Local Storage remains accessible from the other SPEs and from the PPE.
==== SPE local store dump via software - LSPWN ====
LSPWN v0.1 by adrianc is a PS3 homebrew that dumps the local store of an SPE to /dev_hdd0/game/LSPWN0ADC/USRDIR/localstore.bin. It is a neat PoC for developers, but also a beginner-friendly introduction to the SPE environment. Thanks to gitbrew, mathieulh, geohot, sonic iso, #ps3secret, uf6667, zerkman.
Instructions:
# Run the LSPWN application.
# Copy the dumped binary from the PS3 HDD using your preferred method (FTP, USB, socket, etc.).
# Disassemble it with IDA Pro and look at the local store.
Notes:
* Source code forthcoming after some cleanup (was it ever released?)
* GUI in the v0.2 release (was it ever released?)
* Support for isolation mode if there is demand
==== Patched ====
No (probably unpatchable).

=== WebKit parseFloat() type confusion leading to stack buffer overflow ===
==== Credits ====
* Zuk Avraham
* TODO
==== Bug description ====
Passing NaN with a parameter as the argument to parseFloat() overflows the tiny buffer that parseFloat() creates.
==== Analysis ====
==== Implementation ====
==== Patched ====
Yes, since PS3 FW 4.83. It remains exploitable on later System Software versions by installing the old WebKit SPRX files with a "hybrid" PUP.

=== WebKit CSS font face source type confusion leading to read primitive ===
==== Credits ====
TODO
==== Bug description ====
While parsing the source of a CSS font face, CSSParser::parseFontFaceSrc() assumes the value it is given is a string. If a specific double value is inserted instead, through an exploitable function such as insert() or format(), two variables overlap and memory can be leaked.
==== Implementation ====
==== Patched ====
Yes, since PS3 FW 4.83. It remains exploitable on later System Software versions by installing the old WebKit SPRX files with a "hybrid" PUP.

=== RSX VRAM Access exploit ===
==== Credits ====
* Discovered by AlexAltea and released on 2016-03-23.
* Thanks to @3141card for his LV1 RE files, and to the Nouveau/Envytools people, especially mwk.
==== Bug description ====
The full RSX VRAM/IO access exploit gives usermode/LV2 access to the entire 256 MB RSX VRAM range and the entire RSX IO address space, and works on all firmwares up to the latest version. Particularly interesting is that this reaches the last 2 MB of VRAM, which are reserved for the LV1 driver; somewhat less interesting, it also reaches the VRAM area of vsh.self and the IO-mapped memory.
The requirements are hard to satisfy (many people either do not need this or cannot run it) and it is only relevant for developers. It gives usermode/supervisor code access to something that was inaccessible before, nothing else.
To execute the RSX VRAM Access exploit, you need either:
* a usermode entry point (e.g. a web browser exploit) plus a NAND console (although if you have this, you have probably already hacked the console and have LV1 access), or
* an LV2 entry point (e.g. rsxploit). In that case, replace the sys_rsx_device_map LV2 syscall (#675) with the lv1_gpu_device_map LV1 call in the source code of the PoC (and remove all the GCM library code, among other things).
==== Analysis ====
==== Patched ====
No, as of PS3 FW 4.92.

=== pexploit ===
==== Credits ====
* KaKaRoTo for keeping the vulnerability private for years, then disclosing it
* flatz for PS3 IDPS research
* TheDarkProgrammer for the implementation of user-friendly tools
==== Bug description ====
To be documented.
See also KaKaRoTo Kind of 'Jailbreak'.
==== Patched ====
Partially, since PS3 FW ?4.75? (to be documented)

=== MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ===
Unsure if it applies to PS3.

=== OpenPrinter() stack-based buffer overflow ===
==== Patched ====
Maybe

=== DOM flaw ===
==== Patched ====
Maybe

=== PS3Xploit Kernel Exploit ===
==== Credits ====
* Team PS3Xploit
* TODO
==== Bug description ====
To be documented.
==== Implementation ====
==== Patched ====
No, as of PS3 FW 4.90.

=== Leakage of PTCH body plaintext over SPI on all BGA SYSCONs ===
When the body is read with the EEPROM read command, the MISO line of the SPI bus leaks the plaintext of the PTCH body to anyone interacting with the EEPROM interface. Note that this ONLY happens when the SysCon interacts with the patch body and some specific areas.
==== Examples ====
===== MISO =====
 04 C8 34 30 BD E4 9F 27 16 DE 5C C1 E7 A3 DA 9C 7F 5B 29 9A 5A 48 5C 14 ED B2 DE 28 84 43 68 82
 98 87 4E D4 62 51 01 A9 24 34 02 B3 FF 26 63 17 77 8E 95 56 B1 5F 9F 22 93 46 DE 4E 3A 5E 8A D3
===== MOSI =====
 3C 3A 04 3F 25 A6 68 09 02 00 04 00 00 00 00 00 (0x26B0)
 3C 3A 04 3F 71 AD 00 00 09 00 00 00 00 00 00 00 (0x26C0)
 3C 3A 04 3F 8E D5 75 0D 00 00 00 00 00 00 00 00 (0x26D0)
 3C 3A 04 3F 80 86 48 0B 0B 00 03 00 00 00 00 00 (0x26E0)

=== LV2 sys_fs_mount stack overflow ===
==== Analysis ====
==== Bug description ====
Stack buffer overflow, reachable with the required privileges, triggered by passing a length greater than 10. The patched code now checks that the length is less than or equal to 10 and clamps larger values to 10.
==== Implementation ====
==== Patched ====
Yes, sometime before 4.40 (the only firmware checked).

=== RSX syscalls bug (rsxploit) ===
==== Credits ====
* Discovered by Hykem the Demon on 2014-12-13.
* Improved by Zer0Tolerance, IronMan and zecoxao on 2017-08-18.
==== Analysis ====
* rsxploit update by Zer0Tolerance, IronMan and zecoxao (2017-08-18)
* rsxploit release
* rsxploit release archive
==== Bug description ====
There is a flaw in the sys_rsx_context_allocate LV2 syscall (#670) that leads to LV2 code execution. In most LV2 syscalls Sony truncates a caller-supplied pointer to 32 bits and uses a dedicated function to write through it. In some RSX syscalls this was forgotten, so the caller can write to any part of LV2 memory. There is not just one unchecked pointer but four: context_id, lpar_dma_control, lpar_driver_info and lpar_reports. Values can be written at:
* rsx_context + 0x04 (4 bytes) - context_id
* rsx_context + 0x20 (8 bytes) - lpar_dma_control
* rsx_context + 0x30 (8 bytes) - lpar_driver_info
* rsx_context + 0x40 (8 bytes) - lpar_reports
To specify a kernel address properly, use the ULL suffix for large numbers.
 /*
  * sys_rsx_context_allocate()
  * @param context_id       (OUT): RSX context. e.g. 0x55555555 (in vsh.self)
  * @param lpar_dma_control (OUT): Control register area. e.g. 0x60100000 (in vsh.self)
  * @param lpar_driver_info (OUT): RSX data like frequencies, sizes, version... e.g. 0x60200000 (in vsh.self)
  * @param lpar_reports     (OUT): Report data area. e.g. 0x60300000 (in vsh.self)
  * @param mem_ctx          (IN):  mem_ctx given by sys_rsx_memory_allocate
  * @param system_mode      (IN):  ?
  */
Instructions for the initial rsxploit PoC by hykem:
# Change the pointer unk2 in rsx_bug.cpp (there is a comment there)
# Compile with Visual Studio 2010 and the official SDK
# Load on ProDG and analyze
# ?
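As an added example, not rsxploit's code and not Sony's LV2 source, the following C model shows the bug class described above and the check that closes it. LV2 memory and user memory are modelled as two halves of a flat byte array (an assumed layout, not the PS3 address map). rsx_context_allocate() stores the four OUT values, using the example values quoted in the comment block (0x55555555, 0x60100000, 0x60200000, 0x60300000), through caller-supplied 64-bit pointers: with write_unchecked() the lpar_dma_control pointer can be aimed at a kernel location, as in the flawed syscall, while write_user() truncates the pointer to 32 bits and refuses anything outside the user range, the treatment the text says the other syscalls apply. The user-range bounds, the KERNEL_SLOT target and the error code are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flat toy address space (assumption, not the PS3 address map):
 * [0, USER_BASE) stands for LV2 kernel memory, [USER_BASE, MEM_SIZE) for user memory. */
#define MEM_SIZE  0x10000u
#define USER_BASE 0x8000u
static uint8_t mem[MEM_SIZE];

#define LV2_OK     0
#define LV2_EFAULT (-1)   /* assumed error code for a rejected pointer */

typedef int (*writer_t)(uint64_t addr, const void *src, size_t n);

/* The flawed pattern: the caller's 64-bit pointer is used as-is. The only
 * test keeps the toy array in bounds; a real kernel has no such guard. */
static int write_unchecked(uint64_t addr, const void *src, size_t n)
{
    if (addr > MEM_SIZE || n > MEM_SIZE - addr) return LV2_EFAULT;
    memcpy(mem + addr, src, n);
    return LV2_OK;
}

/* The treatment the other LV2 syscalls apply: truncate the pointer to 32 bits,
 * then write through a function that refuses anything outside user memory. */
static int write_user(uint64_t addr, const void *src, size_t n)
{
    uint32_t a = (uint32_t)addr;
    if (a < USER_BASE || a > MEM_SIZE || n > MEM_SIZE - a) return LV2_EFAULT;
    memcpy(mem + a, src, n);
    return LV2_OK;
}

/* Model of sys_rsx_context_allocate: stores the four OUT values through the
 * four caller-supplied pointers using the writer it is given. */
static int rsx_context_allocate(writer_t wr, uint64_t p_context_id, uint64_t p_lpar_dma_control,
                                uint64_t p_lpar_driver_info, uint64_t p_lpar_reports)
{
    uint32_t context_id = 0x55555555u;             /* example values from the page */
    uint64_t dma = 0x60100000ULL, drv = 0x60200000ULL, rep = 0x60300000ULL;
    if (wr(p_context_id, &context_id, sizeof context_id)) return LV2_EFAULT;
    if (wr(p_lpar_dma_control, &dma, sizeof dma)) return LV2_EFAULT;
    if (wr(p_lpar_driver_info, &drv, sizeof drv)) return LV2_EFAULT;
    if (wr(p_lpar_reports, &rep, sizeof rep)) return LV2_EFAULT;
    return LV2_OK;
}

#define KERNEL_SLOT 0x1000u   /* assumed: an LV2 location the attacker wants to overwrite */
static int last_rc;           /* return code of the most recent rsx_context_allocate() call */

/* Aims lpar_dma_control at KERNEL_SLOT and returns the 8 bytes found there afterwards;
 * the other three OUT pointers point at legitimate user memory. */
static uint64_t attack(writer_t wr)
{
    const uint64_t before = 0x4141414141414141ULL;
    uint64_t after;
    memset(mem, 0, sizeof mem);
    memcpy(mem + KERNEL_SLOT, &before, sizeof before);
    last_rc = rsx_context_allocate(wr, USER_BASE + 0x10, KERNEL_SLOT,
                                   USER_BASE + 0x20, USER_BASE + 0x30);
    memcpy(&after, mem + KERNEL_SLOT, sizeof after);
    return after;
}

int main(void)
{
    uint64_t v = attack(write_unchecked);
    printf("unchecked: rc=%d, kernel slot now 0x%016llx\n", last_rc, (unsigned long long)v);
    v = attack(write_user);
    printf("checked:   rc=%d, kernel slot now 0x%016llx\n", last_rc, (unsigned long long)v);
    return 0;
}
```

With the unchecked writer the kernel slot ends up holding 0x60100000, the value the syscall meant to hand back to the caller; with the checked writer the call fails and the slot is untouched. The value written is fixed by the syscall, which is why the original bug is a controlled-address write of a known value rather than a fully arbitrary write.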
==== Patched ====
Yes, since PS3 FW 4.40, which checks the four flawed pointers.

=== LV2 syscall 484 (sys_prx_register_module) stack overflow ===
LV2 syscall 484 (sys_prx_register_module) contains a stack overflow.
LV2 syscall 484 does not require root privileges.
==== Patched ====
Yes, since 4.3x or 4.4x.

=== LV2 syscall 578 (sys_bluetooth) stack overflow ===
LV2 syscall 578 (sys_bluetooth) contains a stack overflow.
LV2 syscall 578 requires root privileges and is compiled with stack cookies.
==== Patched ====
Yes, since 4.3x or 4.4x.

=== AES CTR vulnerability on SELFs (and ebootroms maybe?) ===
SCE sometimes reused the same AES-CTR key and IV across different Certified Files. Under CTR mode the same key and IV produce the same keystream, so XORing two such files cancels the keystream and leaves the XOR of the two plaintexts; knowing one plaintext then reveals the other.
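As an added example (not SCE's code and not a real SELF), the following C program shows why the reuse matters: two constructed file bodies are encrypted in CTR mode with the same key and IV, and the second is recovered from the two ciphertexts plus the first plaintext. The block function is a keyed xorshift64* mixer standing in for AES, an assumption that does not change the outcome, since the property only needs the keystream to be a function of key, IV and counter; the key and IV constants are made up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the AES block function in CTR mode: a keyed xorshift64* mixer
 * (assumption for this demo). The reuse property shown below does not depend on
 * the block function, only on the keystream being a function of key, IV and counter. */
static uint64_t keystream_block(uint64_t key, uint64_t iv, uint64_t counter)
{
    uint64_t x = key ^ (iv + 0x9E3779B97F4A7C15ULL * (counter + 1)) ^ 0xA5A5A5A5A5A5A5A5ULL;
    for (int i = 0; i < 4; i++) {
        x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
        x *= 0x2545F4914F6CDD1DULL;
    }
    return x;
}

/* CTR mode: out = in XOR keystream. Encrypting and decrypting are the same operation. */
static void ctr_xor(uint64_t key, uint64_t iv, const uint8_t *in, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t ks = keystream_block(key, iv, i / 8);
        out[i] = in[i] ^ (uint8_t)(ks >> (8 * (i % 8)));
    }
}

/* Keystream reuse: c1 ^ c2 == p1 ^ p2 whatever the key, so with p1 known,
 * p2 = c1 ^ p1 ^ c2 (the "two-time pad"). */
static void recover_twin(const uint8_t *c1, const uint8_t *p1, const uint8_t *c2,
                         uint8_t *p2, size_t n)
{
    for (size_t i = 0; i < n; i++) p2[i] = c1[i] ^ p1[i] ^ c2[i];
}

/* Encrypts two constructed "Certified File" bodies with the same key and either
 * the same IV (reuse_iv = 1) or distinct IVs. Returns 1 if the second body is
 * recovered from the first body's plaintext, 0 otherwise. */
static int demo(int reuse_iv)
{
    const uint8_t *p1 = (const uint8_t *)"KNOWN SELF HEADER BYTES 32 LONG!";   /* constructed */
    const uint8_t *p2 = (const uint8_t *)"SECRET PAYLOAD WE WANT TO READ!!";   /* constructed */
    const size_t n = 32;
    const uint64_t key = 0x0123456789ABCDEFULL;                                /* made-up key */
    const uint64_t iv1 = 0x1111111111111111ULL;                                /* made-up IVs */
    const uint64_t iv2 = reuse_iv ? iv1 : 0x2222222222222222ULL;
    uint8_t c1[32], c2[32], got[32];
    ctr_xor(key, iv1, p1, c1, n);
    ctr_xor(key, iv2, p2, c2, n);
    recover_twin(c1, p1, c2, got, n);
    return memcmp(got, p2, n) == 0;
}

int main(void)
{
    printf("same key, same IV:      second file recovered = %d\n", demo(1));
    printf("same key, distinct IVs: second file recovered = %d\n", demo(0));
    return 0;
}
```

The practical check on a set of Certified Files is therefore simple: XOR the encrypted bodies of any two files that share a key and IV, and if the result has the structure of a plaintext XOR (long zero runs where both bodies are zero-padded, readable text where one is known) the keystream was reused.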
==== Patched ====
Yes, since some PS Vita prototype firmwares, whose Certified Files always have different IVs. Maybe not patched on PS3 ebootroms.

=== PARAM.SFO stack-based buffer overflow ===
==== Analysis ====
==== Proof of Concept ====
Unsigned code can be added to the PARAM.SFO because the console does not recognise special characters.
PoC: PARAM.SFO (a binary file starting with the PSF magic; only its readable strings are reproduced here)
 Keys:   ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE
 Values: 40ac78551a88fdc; SD; PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]; Hackizeit: 1:33:07 ExpSkills: VL-LAB-TRAINING Operation: 1% Trojaners: 0%; BLES00371-NARUTO_STORM-0; HACKINGBKM; 1; PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]
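The following C program is an added example, not Sony's VSH parser and not the PoC file above. It builds a PARAM.SFO in memory using the PSF layout (a 20-byte header with the "\0PSF" magic, version, key-table offset, data-table offset and entry count, then 16-byte index entries holding key offset, data format, data length, data max length and data offset, all little-endian) with a constructed oversized TITLE, and runs two parsers over it: a naive one that trusts the declared data length and copies it into a fixed 128-byte buffer, and a checked one that rejects any length exceeding the entry's max length or the destination. The 128-byte buffer, the toy stack frame and the specific checks are assumptions about what a hardened parser does, not a description of what the 4.40 fix changed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On-disk PSF layout (little-endian): 20-byte header, then 16-byte index entries,
 * then the key table and the data table. */
#define SFO_MAGIC    0x46535000u   /* "\0PSF" read as a little-endian u32 */
#define SFO_FMT_UTF8 0x0204        /* NUL-terminated UTF-8 string */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Builds a one-entry PARAM.SFO (key TITLE) with the declared data_len/data_max.
 * The value buffer must hold data_len bytes. Returns the file size, 0 on failure. */
static size_t build_sfo(uint8_t *out, size_t cap, const char *value, uint32_t data_len, uint32_t data_max)
{
    static const char key[] = "TITLE";
    uint32_t key_off = 20 + 16, data_off = key_off + sizeof key;
    if (cap < data_off || data_len > cap - data_off) return 0;
    memset(out, 0, cap);
    wr32(out + 0, SFO_MAGIC);  wr32(out + 4, 0x0101);
    wr32(out + 8, key_off);    wr32(out + 12, data_off);  wr32(out + 16, 1);
    wr16(out + 20, 0);         wr16(out + 22, SFO_FMT_UTF8);
    wr32(out + 24, data_len);  wr32(out + 28, data_max);  wr32(out + 32, 0);
    memcpy(out + key_off, key, sizeof key);
    memcpy(out + data_off, value, data_len);
    return data_off + data_len;
}

/* Finds the TITLE entry and checks that its data lies inside the file. Returns its data or NULL. */
static const uint8_t *find_title(const uint8_t *sfo, size_t n, uint32_t *len, uint32_t *max)
{
    if (n < 20 || rd32(sfo) != SFO_MAGIC) return NULL;
    uint32_t key_tab = rd32(sfo + 8), data_tab = rd32(sfo + 12), count = rd32(sfo + 16);
    if (key_tab > n || data_tab > n || count > (n - 20) / 16) return NULL;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = sfo + 20 + 16 * i;
        uint32_t koff = key_tab + rd16(e), doff = data_tab + rd32(e + 12);
        if (koff >= n || doff > n || koff < key_tab || doff < data_tab) return NULL;
        if (strncmp((const char *)sfo + koff, "TITLE", n - koff) != 0) continue;
        *len = rd32(e + 4);
        *max = rd32(e + 8);
        if (rd16(e + 2) != SFO_FMT_UTF8 || *len > n - doff) return NULL;
        return sfo + doff;
    }
    return NULL;
}

/* Toy stack frame: the title buffer followed by a value that must survive the copy. */
struct frame { char title[128]; uint32_t saved_lr; };

/* Naive parser: trusts data_len and copies it into the fixed buffer (the overflow).
 * The size test only keeps the toy inside its struct; a real stack has no such guard. */
static int parse_title_naive(const uint8_t *sfo, size_t n, struct frame *f)
{
    uint32_t len, max;
    const uint8_t *d = find_title(sfo, n, &len, &max);
    if (!d || len > sizeof *f) return -1;
    memcpy((uint8_t *)f + offsetof(struct frame, title), d, len);
    return 0;
}

/* Hardened parser: data_len must fit data_max and the destination, and end in NUL. */
static int parse_title_checked(const uint8_t *sfo, size_t n, struct frame *f)
{
    uint32_t len, max;
    const uint8_t *d = find_title(sfo, n, &len, &max);
    if (!d || len == 0 || len > max || len > sizeof f->title || d[len - 1] != '\0') return -1;
    memcpy(f->title, d, len);
    return 0;
}

/* Runs a parser over a constructed SFO whose TITLE declares title_len bytes.
 * Returns 1 if saved_lr survived, 0 if it was overwritten, -1 if the entry was rejected. */
static int run(int (*parser)(const uint8_t *, size_t, struct frame *), uint32_t title_len)
{
    static uint8_t file[512];
    char value[256];
    struct frame f;
    memset(value, 'A', sizeof value);             /* constructed sample title */
    if (title_len == 0 || title_len > sizeof value) return -1;
    value[title_len - 1] = '\0';
    size_t n = build_sfo(file, sizeof file, value, title_len, 128);
    memset(&f, 0, sizeof f);
    f.saved_lr = 0xdeadbeefu;
    if (n == 0 || parser(file, n, &f) != 0) return -1;
    return f.saved_lr == 0xdeadbeefu;
}

int main(void)
{
    printf("naive,    64-byte title: %d\n", run(parse_title_naive, 64));
    printf("naive,   132-byte title: %d (0 = saved_lr overwritten)\n", run(parse_title_naive, 132));
    printf("checked, 132-byte title: %d (-1 = rejected)\n", run(parse_title_checked, 132));
    return 0;
}
```

A 132-byte TITLE is accepted by the naive parser and clobbers the value stored after the buffer, while the checked parser rejects it because data_len exceeds both data_max and the destination; a 64-byte title passes both.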
==== Patched ====
Yes, since 4.40. Working on 4.31.

=== AVP patch bypass exploit ===
Patched: since 3.70 and later.

=== PSN security intrusion ===
Patched: since 3.61, which enforced a password change.

=== Sony PSN Account Service - Password Reset Vulnerability ===
Patched: since 2012-05-01.

=== ECDSA private key non-random fail ===
See the fail0verflow talk (TODO: add link).
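The failure named above, the same ECDSA nonce k being used for more than one signature, is worked through here as an added example that is not part of the page nor of the fail0verflow material: C code over a small textbook curve (y^2 = x^3 + 2x + 2 over F_17, generator (5,1) of order 19, chosen as an assumption so that the arithmetic fits in 64-bit integers; it is not the PS3's curve) signs two constructed message hashes with the same private key d and the same k, then recovers k from the pair of signatures and d from k. The algebra is the one real ECDSA uses; only the numbers are toy-sized.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy curve y^2 = x^3 + 2x + 2 over F_17 with generator G = (5,1) of prime order 19
 * (the textbook example; an assumption for the demo, not the PS3's curve). */
#define CURVE_P 17
#define CURVE_A 2
#define CURVE_N 19

typedef struct { int64_t x, y; int inf; } point;
typedef struct { int64_t r, s; } ecdsa_sig;
static const point G = { 5, 1, 0 };

static int64_t md(int64_t a, int64_t m) { a %= m; return a < 0 ? a + m : a; }

/* Modular inverse by Fermat's little theorem; m is prime. */
static int64_t inv(int64_t a, int64_t m)
{
    int64_t r = 1, b = md(a, m);
    for (int64_t e = m - 2; e > 0; e >>= 1) { if (e & 1) r = r * b % m; b = b * b % m; }
    return r;
}

static point ec_add(point p, point q)
{
    if (p.inf) return q;
    if (q.inf) return p;
    int64_t l;
    if (p.x == q.x) {
        if (md(p.y + q.y, CURVE_P) == 0) { point o = { 0, 0, 1 }; return o; }   /* p == -q */
        l = md((3 * p.x * p.x + CURVE_A) * inv(2 * p.y, CURVE_P), CURVE_P);     /* doubling */
    } else {
        l = md((q.y - p.y) * inv(q.x - p.x, CURVE_P), CURVE_P);
    }
    point r = { md(l * l - p.x - q.x, CURVE_P), 0, 0 };
    r.y = md(l * (p.x - r.x) - p.y, CURVE_P);
    return r;
}

/* Double-and-add scalar multiplication. */
static point ec_mul(int64_t k, point p)
{
    point r = { 0, 0, 1 };
    for (k = md(k, CURVE_N); k > 0; k >>= 1, p = ec_add(p, p))
        if (k & 1) r = ec_add(r, p);
    return r;
}

/* ECDSA sign with an explicit nonce k: r = (kG).x mod n, s = k^-1 (z + d r) mod n. */
static ecdsa_sig ecdsa_sign(int64_t d, int64_t z, int64_t k)
{
    point R = ec_mul(k, G);
    ecdsa_sig sg;
    sg.r = md(R.x, CURVE_N);
    sg.s = md(inv(k, CURVE_N) * md(z + d * sg.r, CURVE_N), CURVE_N);
    return sg;
}

static int ecdsa_verify(point Q, int64_t z, ecdsa_sig sg)
{
    if (sg.r <= 0 || sg.s <= 0 || sg.r >= CURVE_N || sg.s >= CURVE_N) return 0;
    int64_t w = inv(sg.s, CURVE_N);
    point X = ec_add(ec_mul(md(z * w, CURVE_N), G), ec_mul(md(sg.r * w, CURVE_N), Q));
    return !X.inf && md(X.x, CURVE_N) == sg.r;
}

/* Two signatures under the same d with the same k share r. Then
 * s1 - s2 = k^-1 (z1 - z2), so k = (z1 - z2) / (s1 - s2) and d = (s1 k - z1) / r, all mod n. */
static int64_t recover_k(ecdsa_sig a, int64_t za, ecdsa_sig b, int64_t zb)
{
    return md(md(za - zb, CURVE_N) * inv(md(a.s - b.s, CURVE_N), CURVE_N), CURVE_N);
}
static int64_t recover_d(ecdsa_sig a, int64_t za, int64_t k)
{
    return md(md(a.s * k - za, CURVE_N) * inv(a.r, CURVE_N), CURVE_N);
}

int main(void)
{
    const int64_t d = 4, k = 3;   /* private key, and the nonce reused for both signatures */
    ecdsa_sig a = ecdsa_sign(d, 7, k), b = ecdsa_sign(d, 11, k);   /* z = 7 and z = 11: two hashes */
    int64_t kk = recover_k(a, 7, b, 11);
    printf("sig1=(%lld,%lld) sig2=(%lld,%lld): shared r, so k=%lld and d=%lld\n",
           (long long)a.r, (long long)a.s, (long long)b.r, (long long)b.s,
           (long long)kk, (long long)recover_d(a, 7, kk));
    return 0;
}
```

The tell-tale sign is two valid signatures under one public key that share the same r; scanning a corpus of signatures for duplicate r values per key is the whole detection, and the two divisions above are the whole attack.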
Patched: since 3.56.1

=== JIG downgrade ===
Patched: since 3.56

=== USB config heap-based buffer overflow (PSjailbreak/PSGroove) ===
==== Bug description ====
An AVR or PIC microcontroller, or another programmable USB device such as a PSP, running specific code can exploit the PS3's USB descriptor parser.
See also ReDRM / Piracy dongles, PSJailbreak Exploit Payload Reverse Engineering, and PSGroove.
==== Patched ====
Yes, since 3.42.

=== Leap year bug ===
Patched: since 3.40 and later

=== MP4 vulnerability ===
Patched: since 3.21 and later

=== CELL Reset Exploit ===
See CELL Reset Exploit.
This vulnerability was documented on 12 March 2011 by Defyboy.
The exploit relies on the fact that RAM is not cleared when the CELL processor is reset. Pulling the cell_reset line on the processor for around 60 ns resets the CELL without clearing RAM, and the boot process starts again. This hack is largely useless except in special circumstances.
Patched: not patched as of 3.55, but useless since 3.15 and later.

=== (title missing) ===
Patched: since 3.10 and later

=== Open Remote Play ===
Patched: since 2.80 and later

=== BD-J homebrew ===
Patched: since 2.50 and later
However, this "patched" claim is not precise enough, and a BD-JB like the one on PS4 and PS5 may still be possible.

=== System Software Downgrade with hardware flasher ===
See also: Downgrading with Hardware flasher.
==== Patched ====
Yes, since 2.20 and later, by adding CoreOS hashing in the Syscon that the hypervisor checks; worked around by patching the hypervisor on consoles able to run 3.56 or lower.

=== Full RSX access in OtherOS ===
==== Patched ====
Yes, since PS3 2.10.

=== Web browser DoS via a large integer value for the length property of a Select object ===
==== Analysis ====
==== Patched ====
Yes, since 2009-09-04.

== Game vulnerabilities ==

=== Vulnerabilities in F.E.A.R. and F.E.A.R. 2: Project Origin ===
F.E.A.R., F.E.A.R. 2: Project Origin and F.E.A.R. 3 are available on PS3.
==== Credits ====
* Luigi Auriemma (luigi_auriemma)
==== Implementation ====

=== Call Of Duty: Modern Warfare 3 NULL pointer dereference ===
==== Credits ====
* Luigi Auriemma (luigi_auriemma)
==== Analysis ====
==== Implementation ====

=== Electronic Arts Origin games vulnerabilities ===
Origin carries a large number of games, several of which are available exclusively on this platform, such as:
* Battlefield 3 (PS3)
* Crysis 3 (PS3)
* Dead Space 3 (PS3)
* FIFA 13 (PS3)
* Mass Effect 3 (PS3)
These games may be vulnerable on PS3 in the event of a bug in the Origin client.
==== Analysis ====

=== Final Fantasy XIV: A Realm Reborn network vulnerabilities ===
Maybe vulnerable via the network.

=== CryEngine 3 multiple vulnerabilities ===
==== Credits ====
* Luigi Auriemma (luigi_auriemma)
* Donato Ferrante (dntbug)
==== Bug description ====
There are two vulnerabilities in CryEngine 3, both due to improper handling of fragmented packets.
===== HEAP OVERFLOW VIA FRAGMENTED PACKETS =====
A heap overflow can be triggered by sending a sequence of fragmented packets with opcode 0x93. With this sequence an attacker reaches the vulnerable code and can take control of process execution.
===== MEMORY CORRUPTION VIA FRAGMENTED PACKETS =====
An integer overflow can be triggered with a truncated fragment packet whose packet size is less than 4. Sending, for instance, a 2-byte packet reaches the vulnerable code.
Games that use CryEngine 3:
* Crysis 2
==== Analysis ====
==== Implementation ====

=== Unreal Engine 3 ===
The third and current generation of the Unreal Engine (UE3) is designed for DirectX (versions 9-11 on Windows and Xbox 360) as well as for systems using OpenGL, including the Sony PlayStation 3 and PlayStation Vita.
==== Homefront ====
Homefront is based on a customised version of Unreal Engine 3 with RCON support. It contains many vulnerabilities:
* INVALID READ ACCESS: the RCON command CT followed by 0x7fffffff triggers an invalid read access while attempting to read address 0x7fffffff.
* NULL POINTER: the RCON command CD triggers a NULL pointer dereference.
* 16-BIT ADJACENT MEMORY OVERWRITE: the RCON command CT followed by a negative number allows 16 bits of adjacent memory to be set to 0.
* STACK-BASED OVERFLOW: the RCON command CT followed by a negative number can be used to trigger a stack-based overflow.
==== Sanctum 2 ====
Sanctum 2 may be vulnerable, since the first Sanctum was vulnerable and Sanctum 2 also uses Unreal Engine 3.
==== Analysis ====
==== Implementation ====

=== idTech 4 ===
==== Bug description ====
The idTech 4 engine exposes a function named idBitMsg::ReadData that can be used to achieve remote code execution against games built on customised versions of the engine. Some games, including Doom 3, are not affected; others, such as Enemy Territory: Quake Wars and Brink, are affected because of their customisations of the original idTech 4 engine.
Games using the idTech 4 engine:
* Enemy Territory: Quake Wars (PS3) -> vulnerable
* Wolfenstein (PS3)
* Brink (PS3) -> vulnerable
* Doom 3: BFG Edition (PS3)
==== Analysis ====
==== Implementation ====
* idTech 4 engine client array overflow PoC
* Enemy Territory: Quake Wars invalid URL buffer overflow PoC
* Brink PoC

=== Aliens vs. Predator (2010) multiple vulnerabilities ===
==== Credits ====
* Luigi Auriemma
==== Implementation ====

=== Star Trek D·A·C (Deathmatch. Assault. Conquest) DoS ===
==== Credits ====
* Luigi Auriemma
==== Implementation ====

=== Source game engine vulnerabilities ===
==== Credits ====
* Luigi Auriemma
==== Implementation ====

=== Techland Chrome Engine 4 DoS ===
==== Credits ====
* Luigi Auriemma
==== Implementation ====

=== Memory corruption and NULL pointer in Unreal Tournament III 1.2 ===
Unreal Tournament 3 (UT3) is a first-person arena shooter developed by Epic Games and published by Midway Games.
==== Credits ====
* Luigi Auriemma
==== Analysis ====
==== Implementation ====
* Unreal Tournament 3 <= 1.2/1.3beta4 memory corruption and NULL pointer PoC
* Unreal Tournament 2004 <= v3369 NULL pointer PoC
==== Patched ====
Probably with a game patch.

=== Remote Play UDP packets DoS ===
Affected: PS3 1.60 and PSP 3.10 (tested on 3.10 OE-A)
==== Patched ====
Yes, since 2008-11-13.

=== Resistance: Fall of Man network update exploit ===
Resistance: Fall of Man is a 2006 first-person shooter developed by Insomniac Games and published by Sony Computer Entertainment for the PlayStation 3. The game used a different system to download game updates, by entering the multiplayer modes, unlike most titles, which look for updates from the XMB or after starting. This system was required because at the time of the game's development the PS3 OS did not support game updates via the XMB. The Resistance: Fall of Man update system contained a vulnerability.
As of December 11, 2008, all map packs for Resistance: Fall of Man were made available for free as a holiday gift from Insomniac, following the release of Resistance 2. All map packs are available for local split-screen multiplayer.
The map packs were removed from the PlayStation Store in March 2014, although only in Europe. They are still available on the PlayStation Store in the USA, although they cannot be used because of the aforementioned server closure. Since the game downloaded its updates only from within the multiplayer modes, and since the updates were required for DLC compatibility, the map packs are usable only by people who downloaded the updates before the server closure in March 2014. Shortly after the closure of the game servers, a digital version of the game was released on the PlayStation Store, exclusively in Europe. It comes with all game updates and map packs, and full compatibility with savedata from the physical edition.
==== Patched ====
Unknown: was the physical version actually patched?

=== Warhawk network update exploit ===
Warhawk was a 2007 online multiplayer third-person shooter developed by Incognito Entertainment and published by Sony Computer Entertainment for the PlayStation 3. It was the first PlayStation 3 game available both physically and digitally on the PlayStation Network.
The game used a different system to download game updates, by entering the multiplayer modes, unlike most titles, which look for updates from the XMB or after starting. This system was required because at the time of the game's development the PS3 OS did not support game updates via the XMB. The Warhawk update system contained a vulnerability.
==== Patched ====
Unknown: was the physical version actually patched?

=== Unsorted network vulnerabilities ===
* https://aluigi.altervista.org/poc.htm

== Game vulnerabilities patched via System Software update ==

=== Afro Samurai Black Screen ===
==== Analysis ====
* http://support.bandainamcogames.com/index.php?/Knowledgebase/Article/View/216/233/afro-samurai-why-doesnt-my-game-start-up-ps3-only
==== Bug description ====
The Afro Samurai game on PS3 shows a black screen after a failed attempt to call:
* cellAudioOutConfigure
* cellSysutilAvconfExt_FA611DF4
Occurs in Firmware 3.01 with:
* BLUS30264
* NPUB90215
* BLES00516
To work around the problem, start the PlayStation 3 and, on the XMB (Cross Media Bar / System Menu), go to "Settings", select "Sound Settings", then "Audio Multi-Output", and set it to "OFF". You should then be able to play the Afro Samurai demo or update the retail game to the latest patch.
==== Patched ====
Yes, in VSH, since an unknown version later than PS3 FW 3.01.

= Syscon =

== Renesas verify function works on 4 byte values in all Renesas/NEC SysCon chips ==
All NEC/Renesas syscon chips have a verify function that operates on a 4-byte array rather than on the full 256-byte block, which raises the probability of finding the correct bytes compared with the intended 256-byte comparison.
=== Patched ===
No, because unpatchable.

== (Universal) Renesas checksum function works on 256 byte values (all Syscon chips, stock, PSP, PS Vita, PS3, PS4) ==
The Renesas checksum feature works on 256-byte values instead of the intended block size, which means glitching can be done within a narrower margin, making the effort much easier. It is also possible to identify contiguous 256-byte constants by their checksums.
=== Patched ===
No, because unpatchable.