Bugs & Vulnerabilities

From PS3 Developer wiki
Revision as of 06:18, 18 August 2014 by Anonymous (Privacy policy) (added sfo POC 4.31)
Jump to navigation Jump to search

Ps3 save data exploit

Unsigned codencan be added to the sfo coz the console doesnt recognize special characters

http://www.exploit-db.com/exploits/25718/ Firmwware target 4.31 Working on 4.31


PoC: PARAM.SFO

PSF�� Ä @� � � � � � ��� � � � ��� � � � ��h � �  % � � � �� , � � � �� 4 ��� � $� C ��� @ (� V ��� � h� j �� 

  €   p�  t ���   €   ð�

ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE 40ac78551a88fdc SD PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]

Hackizeit: 1:33:07

ExpSkills: VL-LAB-TRAINING

Operation: 1% Trojaners: 0% ... Õõ~\˜òíA×éú�;óç� 40ac78551a88fdc ... BLES00371-NARUTO_STORM-0 HACKINGBKM 1 PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];


"rsx syscall bug" - in most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.
however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory.

patched: 4.45

http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption CTR bugs on SELFs (and ebootroms maybe?)

patched: since Vita pre-retail 0.9.9.6 (SELFs, should match with ps3 firmware at release date), unknown (ebootroms)

http://cxsecurity.com/issue/WLB-2007030183 "Remote Play" Remote DoS Exploit
patched: ?

http://cxsecurity.com/issue/WLB-2008070060 Memory corruption and NULL pointer in Unreal Tournament III 1.2
unsure if applies to PS3?

http://cxsecurity.com/issue/WLB-2010010162 MacOS X 10.5/10.6 libc/strtod(3) buffer overflow
unsure if applies to PS3?

http://seclists.org/fulldisclosure/2007/Jan/474 OpenPrinter() stack-based buffer overflow
patched: ?

http://seclists.org/fulldisclosure/2009/Jul/299 DOM flaw
patched: ?

http://seclists.org/fulldisclosure/2013/May/113 PARAM.SFO stack-based buffer overflow
patched: since 2012-05-01 (4.40 and later)

AVP patch bypass exploit
patched: since 3.70 and later

PSN security intrusion patched: since 3.61 enforced password change

http://www.vulnerability-lab.com/get_content.php?id=740 Sony PSN Account Service - Password Reset Vulnerability
patched: since 2012-05-01

Private key nonrandom fail
patched: since 3.56

JIG downgrade
patched: since 3.56

USB config stack-based buffer overflow (PSjailbreak/PSGroove)
patched: since 3.42 and later

Lead year bug
patched: since 3.40 and later

MP4 vulnerability
patched: since 3.21 and later

Playback of Cinavia DRM protected titles
patched: since 3.10 and later

Open Remote Play
patched: since 2.80 and later

BD-J homebrew
patched: since 2.50 and later

Downgrading with Hardware flasher
patched: since 2.20 and later (by adding CoreOS hashing in Syscon to be checked by hypervisor; worked around by patching hypervisor on 3.56 and lower capable consoles)

Full RSX access in OtherOS
patched: since 2.10 and later


General
Hypervisor
Services
Plugin
Interfaces
ap_plugin · audioplayer_plugin · audiop_plugin_dummy · audiop_plugin_mini · auth_plugin · autodownload_plugin · autoupdateconf_plugin · avc_plugin · avc_util · avc2_game_plugin · avc2_game_video_plugin · avc2_text_plugin · bdp_disccheck_plugin · bdp_plugin · bdp_storage_plugin · campaign_plugin · category_setting_plugin · comboplay_plugin · custom_render_plugin · data_copy_plugin · deviceconf_plugin · dlna_plugin · download_plugin · dtcpip_util · edy_plugin · esehttp · eseibrd · eseidle · eselock · eula_cddb_plugin · eula_hcopy_plugin · eula_net_plugin · explore_plugin · explore_plugin_ft · explore_plugin_game · explore_plugin_np · filecopy_plugin · friendim_plugin · friendml_plugin · friendtrophy_plugin · game_ext_plugin · game_indicator_plugin · game_plugin · gamedata_plugin · gamelib_plugin · gameupdate_plugin · hknw_plugin · idle_plugin · impose_plugin · kensaku_plugin · msgdialog_plugin · mtpinitiator_plugin · musicbrowser_plugin · nas_plugin · netconf_plugin · newstore_plugin · np_eula_plugin · np_matching_plugin · np_multisignin_plugin · np_sns_plugin · npsignin_plugin · np_trophy_ingame · np_trophy_plugin · osk · oskfullkeypanel · oskpanel · pesm_plugin · photo_network_sharing_plugin · photolist_plugin · photoviewer_plugin · playlist_plugin · poweroff_plugin · premo_plugin · premo_game_plugin · print_plugin · profile_plugin · ps3_savedata_plugin · ps3_savedata_plugin_game · ps3_savedata_plugin_psp · rec_plugin · regcam_plugin · remotedownload_plugin · sacd_plugin · scenefolder_plugin · screenshot_plugin · software_update_plugin · soundvisualizer_plugin · strviewer_plugin · sysconf_plugin · system_plugin · thumthum_plugin · upload_util · user_info_plugin · user_plugin · videodownloader_plugin · videoeditor_plugin · videoplayer_util · videoplayer_plugin · vmc_savedata_plugin · wboard_plugin · webbrowser_plugin · webbrowser_service · webrender_plugin · xai_plugin · xmb_ingame · xmb_plugin
Emulation
Extended
features
Online
Hardware
SC
CELL
RAM
SB
HDD
BD
Tools
Strings
files
dumps
Reference
Keys & Seeds
Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=Bugs_%26_Vulnerabilities&oldid=29835"