Bugs & Vulnerabilities: Difference between revisions
Line 37: | Line 37: | ||
=== Leakage of PTCH body plaintext over SPI on some BGA SYSCONs === | === Leakage of PTCH body plaintext over SPI on some BGA SYSCONs === | ||
When reading the body via the EEPROM read command, in some cases (like DEB-001 and DIA-001 boards), the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface. | When reading the body via the EEPROM read command, in some cases (like DEB-001 and DIA-001 boards), the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface. Note that this ONLY happens when SC interacts with patch body and some specific areas. | ||
== Patched == | == Patched == |
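Review bot: In the sentence added to the PTCH body leakage entry, "some specific areas" is left undefined, so a reader cannot tell which reads trigger the leak; name the areas meant, or say that they have not been identified yet. If "SC" means SYSCON, use the same term as the section heading, and add the missing article in "interacts with patch body".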
Revision as of 16:36, 11 August 2019
Unknown / unpatched
Webkit buffer overflow
RSX VRAM Access
Memory corruption and NULL pointer in Unreal Tournament III 1.2
http://cxsecurity.com/issue/WLB-2008070060
unsure if applies to PS3?
MacOS X 10.5/10.6 libc/strtod(3) buffer overflow
http://cxsecurity.com/issue/WLB-2010010162
unsure if applies to PS3?
OpenPrinter() stack-based buffer overflow
http://seclists.org/fulldisclosure/2007/Jan/474
Patched: ?
DOM flaw
http://seclists.org/fulldisclosure/2009/Jul/299
Patched: ?
Kernel Exploit
Unpatched: To be disclosed.
Leakage of PTCH body plaintext over SPI on some BGA SYSCONs
When reading the body via the EEPROM read command, in some cases (like DEB-001 and DIA-001 boards), the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface. Note that this ONLY happens when SC interacts with patch body and some specific areas.
Patched
Lv2 sys_fs_mount stack overflow
Stack buffer overflow, reachable with the required privileges, when passing a length greater than 10. The patched code now checks that the length is less than or equal to 10. If it is larger than 10, the length gets set to 10.
https://nwert.wordpress.com/2012/09/19/exploiting-lv2/
http://pastie.org/4755699
Patched: sometime before 4.40 (only fw I checked)
RSX Syscall bug
In most syscalls Sony reduces a pointer to 32 bits and uses a special function to write to that pointer.
However, in certain RSX syscalls, Sony forgot about it, allowing the attacker to write to any part of lv2 memory.
Patched: 4.40
CTR bugs on SELFs (and ebootroms maybe?)
http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption
Patched: since Vita pre-retail 0.9.9.6 (SELFs, should match with ps3 firmware at release date), unknown (ebootroms)
PARAM.SFO stack-based buffer overflow
http://seclists.org/fulldisclosure/2013/May/113
Patched: since 2012-05-01 (4.40 and later)
Proof of Concept
Unsigned code can be added to the PARAM.SFO because the console does not recognize special characters
http://www.exploit-db.com/exploits/25718/
Working on 4.31, Patched: since 2012-05-01 (4.40 and later)
PoC: PARAM.SFO
PSF [binary header and index table, not reproducible as text] ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE 40ac78551a88fdc SD PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!] Hackizeit: 1:33:07 ExpSkills: VL-LAB-TRAINING Operation: 1% Trojaners: 0% ... [binary data] 40ac78551a88fdc ... BLES00371-NARUTO_STORM-0 HACKINGBKM 1 PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];
AVP patch bypass exploit
Patched: since 3.70 and later
PSN security intrusion
Patched: since 3.61 enforced password change
Sony PSN Account Service - Password Reset Vulnerability
http://www.vulnerability-lab.com/get_content.php?id=740
Patched: since 2012-05-01
Private key nonrandom fail
Patched: since 3.56
JIG downgrade
Patched: since 3.56
USB config heap-based buffer overflow (PSjailbreak/PSGroove)
Patched: since 3.42 and later
Leap year bug
Patched: since 3.40 and later
MP4 vulnerability
Patched: since 3.21 and later
Patched: since 3.10 and later
Open Remote Play
Patched: since 2.80 and later
BD-J homebrew
Patched: since 2.50 and later
Downgrading with Hardware flasher
See also: Downgrading with Hardware flasher
Patched: since 2.20 and later (by adding CoreOS hashing in Syscon to be checked by hypervisor; worked around by patching hypervisor on 3.56 and lower capable consoles)
Full RSX access in OtherOS
Patched: since 2.10 and later
Web browser DoS via a large integer value for the length property of a Select object
http://www.cvedetails.com/cve/CVE-2009-2541/
Patched: since 4 sept 2009
Remote Play UDP packets DoS
http://www.cvedetails.com/cve/CVE-2007-1728/ / http://cxsecurity.com/issue/WLB-2007030183
Affected: 2.10 and PSP 3.10 OE-A
Patched: since 13 nov 2008
Resistance: Fall of Man network update exploit
Patched
Warhawk network update exploit
Patched
Game Bugs patched via Firmware
Afro Samurai Black Screen
Black screen as a failed attempt to call:
cellAudioOutConfigure cellSysutilAvconfExt_FA611DF4
Occurs in Firmware 3.01
BLUS30264 NPUB90215 BLES00516
To correct this problem, start up your PlayStation 3 system and, while on the XMB (Cross Media Bar/System Menu), go to "Settings" and select "Sound Settings". From here, select "Audio Multi-Output" and set this option to "OFF". You should be able to play the Afro Samurai Demo or update the retail game properly to the latest patch after this.
Patched: in Firmware (VSH) since (unknown)