Bugs & Vulnerabilities: Difference between revisions

When reading the body via the EEPROM read command, in all cases, the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface. Note that this ONLY happens when SC interacts with patch body and some specific areas.

Examples

MISO

04 C8 34 30 BD E4 9F 27 16 DE 5C C1 E7 A3 DA 9C 
7F 5B 29 9A 5A 48 5C 14 ED B2 DE 28 84 43 68 82 
98 87 4E D4 62 51 01 A9 24 34 02 B3 FF 26 63 17 
77 8E 95 56 B1 5F 9F 22 93 46 DE 4E 3A 5E 8A D3

MOSI

3C 3A 04 3F 25 A6 68 09 02 00 04 00 00 00 00 00 (0x26B0)
3C 3A 04 3F 71 AD 00 00 09 00 00 00 00 00 00 00 (0x26C0)
3C 3A 04 3F 8E D5 75 0D 00 00 00 00 00 00 00 00 (0x26D0)
3C 3A 04 3F 80 86 48 0B 0B 00 03 00 00 00 00 00 (0x26E0)

Patched

Lv2 sys_fs_mount stack overflow

Stack buffer overflow with required privileges when passing a length greater than 10. It now checks for length less than or equal to 10. If larger than 10, the length gets set to 10.

writeup
code

Patched: sometime before 4.40 (only fw I checked)

RSX Syscall bug

In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.
however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory.

Patched: 4.40

AES CTR vulnerability on SELFs (and ebootroms maybe?)

Sometimes SCE reused the same AES CTR keys and IVs in different Certified Files.

PARAM.SFO stack-based buffer overflow

[7]

Patched: since 2012-05-01 (4.40 and later)

Proof of Concept

Unsigned code can be added to the PARAM.SFO because the console does not recognize special characters.

[8]

Working on 4.31. Patched: since 2012-05-01 (4.40 and later).

PoC: PARAM.SFO

PSF�� Ä @� � � � � � ��� � � � ��� � � � ��h � � % � � � �� , � � � �� 4
��� �
$� C ��� @ (� V ��� � h� j ��
€ p� t ��� € ð�
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE
TITLE
40ac78551a88fdc
SD
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]

Hackizeit: 1:33:07

ExpSkills: VL-LAB-TRAINING

Operation: 1%
Trojaners: 0%
... Õõ~\˜òíA×éú�;óç� 40ac78551a88fdc
...
BLES00371-NARUTO_STORM-0
HACKINGBKM 1
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];

AVP patch bypass exploit

Patched: since 3.70 and later.

PSN security intrusion

Patched: since 3.61 enforced password change

Sony PSN Account Service - Password Reset Vulnerability

[9]

Patched: since 2012-05-01

ECDSA private key non-random fail

See fail0verfl0w talk.

Patched: since 3.56

JIG downgrade

Patched: since 3.56

USB config heap-based buffer overflow (PSjailbreak/PSGroove)

Patched: since 3.42 and later

Leap year bug

Patched: since 3.40 and later

MP4 vulnerability

Patched: since 3.21 and later

Playback of Cinavia DRM protected titles

Patched: since 3.10 and later

Open Remote Play

Patched: since 2.80 and later

BD-J homebrew

Patched: since 2.50 and later

System Software Downgrade with hardware flasher

Patched: since 2.20 and later (by adding CoreOS hashing in Syscon to be checked by hypervisor; worked around by patching hypervisor on 3.56 and lower capable consoles).

Full RSX access in OtherOS

Patched: since 2.10 and later

Web browser DoS via a large integer value for the length property of a Select object

[10]

Patched: since 4 sept 2009

Remote Play UDP packets DoS

/ http://cxsecurity.com/issue/WLB-2007030183

Affected: 2.10 and PSP 3.10 OE-A

Patched: since 13 nov 2008

Resistance: Fall of Man network update exploit

Patched

Warhawk network update exploit

Patched

Game Bugs patched via Firmware

Afro Samurai Black Screen

Black screen as a failed attempt to call:

cellAudioOutConfigure
cellSysutilAvconfExt_FA611DF4

Occours in Firmware 3.01

BLUS30264
NPUB90215
BLES00516

In order to correct this problem start up your Playstation 3 system and while on the XMB (Cross Media Bar/System Menu)
go to "Settings" and select "Sound Settings" from here select "Audio Multi-Output" and set this option to "OFF". 
You should be able to play the Afro Samurai Demo or update the retail game properly to the latest patch after this.

Source: [11]

Patched: in Firmware (VSH) since (unknown)

@@ Line 2: / Line 2: @@
 === Webkit buffer overflow ===
-http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28458
-<br>
+* [http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28458]
 Not Patched
 === RSX VRAM Access ===
-http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28421
-<br>
+* [http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28421]
 Not Patched
 === Memory corruption and NULL pointer in Unreal Tournament III 1.2 ===
-http://cxsecurity.com/issue/WLB-2008070060
-unsure if applies to PS3?
+* [http://cxsecurity.com/issue/WLB-2008070060]
+unsure if it applies to PS3
 === MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ===
-http://cxsecurity.com/issue/WLB-2010010162
-unsure if applies to PS3?
+* [http://cxsecurity.com/issue/WLB-2010010162]
+unsure if it applies to PS3
 === OpenPrinter() stack-based buffer overflow ===
-http://seclists.org/fulldisclosure/2007/Jan/474
+* [http://seclists.org/fulldisclosure/2007/Jan/474]
 Patched: ?
 === DOM flaw ===
 http://seclists.org/fulldisclosure/2009/Jul/299
 Patched: ?
-=== Kernel Exploit ===
+=== PS3xploit Kernel Exploit ===
 Unpatched: To be disclosed.
@@ Line 62: / Line 68: @@
 === Lv2 sys_fs_mount stack overflow ===
-Stack buffer overflow with required priveleges when passing a length greater than 10. It now checks for length less than or equal to 10. If larger than 10, the length gets set to 10.<br>
-https://nwert.wordpress.com/2012/09/19/exploiting-lv2/ <br>
+Stack buffer overflow with required privileges when passing a length greater than 10. It now checks for length less than or equal to 10. If larger than 10, the length gets set to 10.<br>
-http://pastie.org/4755699 <br>
+* [https://nwert.wordpress.com/2012/09/19/exploiting-lv2/ writeup]
+* [https://web.archive.org/web/20141201184718/http://pastie.org/4755699 code]
 Patched: sometime before [[4.40_CEX|4.40]] (only fw I checked)
 === RSX Syscall bug ===
 In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.<br> however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory.
@@ Line 75: / Line 83: @@
 === AES CTR vulnerability on SELFs (and ebootroms maybe?) ===
-Sometimes SCE reused the same keys and IVs in different SELFs.
+Sometimes SCE reused the same AES CTR keys and IVs in different [[Certified Files]].
 See also [http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption].
-Patched: since PSVita prototype FW [http://www.vitadevwiki.com/index.php?title=00.996.090_DEX 0.996] (should match with PS3 firmware at release date)
+Patched: since PSVita prototype FWs as their [[Certified Files]] don't use AES CTR but instead AES CBC.
 Maybe not patched on ebootroms.
 === PARAM.SFO stack-based buffer overflow ===
-http://seclists.org/fulldisclosure/2013/May/113
+* [http://seclists.org/fulldisclosure/2013/May/113]
 Patched: since 2012-05-01 ([[4.40_CEX|4.40]] and later)
@@ Line 90: / Line 99: @@
 ==== Proof of Concept ====
-Unsigned code can be added to the [[PARAM.SFO]] because the console does not recognize special characters
+Unsigned code can be added to the [[PARAM.SFO]] because the console does not recognize special characters.
-http://www.exploit-db.com/exploits/25718/
+* [http://www.exploit-db.com/exploits/25718/]
-Working on [[4.31_CEX|4.31]], Patched: since 2012-05-01 ([[4.40_CEX|4.40]] and later)
+Working on [[4.31_CEX|4.31]]. Patched: since 2012-05-01 ([[4.40_CEX|4.40]] and later).
 PoC: PARAM.SFO
@@ Line 123: / Line 132: @@
 === AVP patch bypass exploit ===
-Patched: since [[3.70_CEX|3.70]] and later
+Patched: since [[3.70_CEX|3.70]] and later.
 === PSN security intrusion ===
@@ Line 130: / Line 139: @@
 === Sony PSN Account Service - Password Reset Vulnerability ===
-http://www.vulnerability-lab.com/get_content.php?id=740
+* [http://www.vulnerability-lab.com/get_content.php?id=740]
 Patched: since 2012-05-01
-=== Private key nonrandom fail ===
+=== ECDSA private key non-random fail ===
+See fail0verfl0w talk.
 Patched: since [[3.56-1 CEX|3.56]]
@@ Line 166: / Line 178: @@
 Patched: since [[2.50_CEX|2.50]] and later
-=== Downgrading with Hardware flasher ===
+=== System Software Downgrade with hardware flasher ===
-See also: [[Downgrading with Hardware flasher]]
-Patched: since [[2.20_CEX|2.20]] and later (by adding [[CoreOS]] hashing in [[Syscon Hardware|Syscon]] to be checked by [[Hypervisor Reverse Engineering|hypervisor]]; worked around by patching hypervisor on [[3.56-1 CEX|3.56]] and lower capable consoles)
+See also: [[Downgrading with Hardware flasher]].
+Patched: since [[2.20_CEX|2.20]] and later (by adding [[CoreOS]] hashing in [[Syscon Hardware|Syscon]] to be checked by [[Hypervisor Reverse Engineering|hypervisor]]; worked around by patching hypervisor on [[3.56-1 CEX|3.56]] and lower capable consoles).
 === Full RSX access in OtherOS ===
@@ Line 176: / Line 189: @@
 === Web browser DoS via a large integer value for the length property of a Select object ===
-http://www.cvedetails.com/cve/CVE-2009-2541/
+* [http://www.cvedetails.com/cve/CVE-2009-2541/]
 Patched: since 4 sept 2009
 === Remote Play UDP packets DoS ===
-http://www.cvedetails.com/cve/CVE-2007-1728/ / http://cxsecurity.com/issue/WLB-2007030183
+* [http://www.cvedetails.com/cve/CVE-2007-1728/ / http://cxsecurity.com/issue/WLB-2007030183]
 Affected: [[1.60_CEX|2.10]] and PSP 3.10 OE-A
@@ Line 194: / Line 209: @@
 Patched
 === Game Bugs patched via Firmware ===
@@ Line 208: / Line 222: @@
   NPUB90215
   BLES00516
   In order to correct this problem start up your Playstation 3 system and while on the XMB (Cross Media Bar/System Menu)
@@ Line 214: / Line 227: @@
   You should be able to play the Afro Samurai Demo or update the retail game properly to the latest patch after this.
-Source: http://support.bandainamcogames.com/index.php?/Knowledgebase/Article/View/216/233/afro-samurai-why-doesnt-my-game-start-up-ps3-only
+Source: [http://support.bandainamcogames.com/index.php?/Knowledgebase/Article/View/216/233/afro-samurai-why-doesnt-my-game-start-up-ps3-only]
 Patched: in Firmware ([[VSH]]) since (unknown)

Bugs & Vulnerabilities: Difference between revisions

Revision as of 23:15, 27 May 2020

Unknown / unpatched

Webkit buffer overflow

RSX VRAM Access

Memory corruption and NULL pointer in Unreal Tournament III 1.2

MacOS X 10.5/10.6 libc/strtod(3) buffer overflow

OpenPrinter() stack-based buffer overflow

DOM flaw

PS3xploit Kernel Exploit

Leakage of PTCH body plaintext over SPI on all BGA SYSCONs

Examples

MISO

MOSI

Patched

Lv2 sys_fs_mount stack overflow

RSX Syscall bug

AES CTR vulnerability on SELFs (and ebootroms maybe?)

PARAM.SFO stack-based buffer overflow

Proof of Concept

AVP patch bypass exploit

PSN security intrusion

Sony PSN Account Service - Password Reset Vulnerability

ECDSA private key non-random fail

JIG downgrade

USB config heap-based buffer overflow (PSjailbreak/PSGroove)

Leap year bug

MP4 vulnerability

Playback of Cinavia DRM protected titles

Open Remote Play

BD-J homebrew

System Software Downgrade with hardware flasher

Full RSX access in OtherOS

Web browser DoS via a large integer value for the length property of a Select object

Remote Play UDP packets DoS

Resistance: Fall of Man network update exploit

Warhawk network update exploit

Game Bugs patched via Firmware

Afro Samurai Black Screen

Navigation menu

Search