Bugs & Vulnerabilities: Difference between revisions
Jump to navigation
Jump to search
(added sfo POC 4.31) |
mNo edit summary |
||
| Line 1: | Line 1: | ||
=== RSX Syscall bug === | |||
In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.<br> however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory. | |||
Unsigned | patched: 4.45 | ||
=== CTR bugs on SELFs (and ebootroms maybe?) === | |||
http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption CTR bugs on SELFs | |||
patched: since Vita pre-retail 0.9.9.6 (SELFs, should match with ps3 firmware at release date), unknown (ebootroms) | |||
=== Remote DoS Exploit === | |||
http://cxsecurity.com/issue/WLB-2007030183 | |||
patched: ? | |||
=== Memory corruption and NULL pointer in Unreal Tournament III 1.2 === | |||
http://cxsecurity.com/issue/WLB-2008070060 | |||
unsure if applies to PS3? | |||
=== MacOS X 10.5/10.6 libc/strtod(3) buffer overflow === | |||
http://cxsecurity.com/issue/WLB-2010010162 | |||
unsure if applies to PS3? | |||
=== OpenPrinter() stack-based buffer overflow === | |||
http://seclists.org/fulldisclosure/2007/Jan/474 | |||
patched: ? | |||
=== DOM flaw === | |||
http://seclists.org/fulldisclosure/2009/Jul/299 | |||
patched: ? | |||
=== PARAM.SFO stack-based buffer overflow === | |||
http://seclists.org/fulldisclosure/2013/May/113 | |||
patched: since 2012-05-01 (4.40 and later) | |||
==== Proof of Concept ==== | |||
Unsigned code can be added to the [[PARAM.SFO]] because the console does not recognize special characters | |||
http://www.exploit-db.com/exploits/25718/ | http://www.exploit-db.com/exploits/25718/ | ||
Working on 4.31, Patched: since 2012-05-01 (4.40 and later) | |||
PoC: PARAM.SFO | PoC: PARAM.SFO | ||
<pre> | |||
PSF�� | PSF�� Ä @� � � � � � ��� � � � ��� � � � ��h � � % � � � �� , � � � �� 4 | ||
$� | ��� � | ||
$� C ��� @ (� V ��� � h� j �� | |||
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE | € p� t ��� € ð� | ||
40ac78551a88fdc | ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE | ||
SD | TITLE | ||
40ac78551a88fdc | |||
SD | |||
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!] | PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!] | ||
Hackizeit: 1:33:07 | Hackizeit: 1:33:07 | ||
ExpSkills: VL-LAB-TRAINING | ExpSkills: VL-LAB-TRAINING | ||
Operation: 1% | Operation: 1% | ||
Trojaners: 0% | Trojaners: 0% | ||
... | ... Õõ~\˜òíA×éú�;óç� 40ac78551a88fdc | ||
... | ... | ||
BLES00371-NARUTO_STORM-0 | BLES00371-NARUTO_STORM-0 | ||
HACKINGBKM 1 | HACKINGBKM 1 | ||
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]; | PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]; | ||
</pre> | |||
=== AVP patch bypass exploit === | |||
patched: since 3.70 and later | |||
patched: since | |||
=== PSN security intrusion === | |||
patched: since 3.61 enforced password change | |||
http:// | === Sony PSN Account Service - Password Reset Vulnerability === | ||
http://www.vulnerability-lab.com/get_content.php?id=740 | |||
patched: since 2012-05-01 | |||
=== Private key nonrandom fail === | |||
patched: since 3.56 | |||
patched: since 3. | |||
=== JIG downgrade === | |||
patched: since 3.56 | patched: since 3.56 | ||
=== USB config stack-based buffer overflow (PSjailbreak/PSGroove) === | |||
patched: since 3.42 and later | patched: since 3.42 and later | ||
=== Leap year bug === | |||
patched: since 3.40 and later | patched: since 3.40 and later | ||
MP4 vulnerability | === MP4 vulnerability === | ||
patched: since 3.21 and later | patched: since 3.21 and later | ||
Playback of Cinavia DRM protected titles | === Playback of Cinavia DRM protected titles === | ||
patched: since 3.10 and later | patched: since 3.10 and later | ||
Open Remote Play | === Open Remote Play === | ||
patched: since 2.80 and later | patched: since 2.80 and later | ||
BD-J homebrew | === BD-J homebrew === | ||
patched: since 2.50 and later | patched: since 2.50 and later | ||
[[Downgrading with Hardware flasher]] | === Downgrading with Hardware flasher === | ||
See also: [[Downgrading with Hardware flasher]] | |||
patched: since 2.20 and later (by adding [[CoreOS]] hashing in [[Syscon Hardware|Syscon]] to be checked by [[Hypervisor Reverse Engineering|hypervisor]]; worked around by patching hypervisor on 3.56 and lower capable consoles) | patched: since 2.20 and later (by adding [[CoreOS]] hashing in [[Syscon Hardware|Syscon]] to be checked by [[Hypervisor Reverse Engineering|hypervisor]]; worked around by patching hypervisor on 3.56 and lower capable consoles) | ||
Full RSX access in OtherOS | === Full RSX access in OtherOS === | ||
patched: since 2.10 and later | patched: since 2.10 and later | ||
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> | {{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> | ||
Revision as of 08:30, 18 August 2014
RSX Syscall bug
In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.
however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory.
patched: 4.45
CTR bugs on SELFs (and ebootroms maybe?)
http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption CTR bugs on SELFs
patched: since Vita pre-retail 0.9.9.6 (SELFs, should match with ps3 firmware at release date), unknown (ebootroms)
Remote DoS Exploit
http://cxsecurity.com/issue/WLB-2007030183 patched: ?
Memory corruption and NULL pointer in Unreal Tournament III 1.2
http://cxsecurity.com/issue/WLB-2008070060
unsure if applies to PS3?
MacOS X 10.5/10.6 libc/strtod(3) buffer overflow
http://cxsecurity.com/issue/WLB-2010010162
unsure if applies to PS3?
OpenPrinter() stack-based buffer overflow
http://seclists.org/fulldisclosure/2007/Jan/474
patched: ?
DOM flaw
http://seclists.org/fulldisclosure/2009/Jul/299
patched: ?
PARAM.SFO stack-based buffer overflow
http://seclists.org/fulldisclosure/2013/May/113
patched: since 2012-05-01 (4.40 and later)
Proof of Concept
Unsigned code can be added to the PARAM.SFO because the console does not recognize special characters
http://www.exploit-db.com/exploits/25718/
Working on 4.31, Patched: since 2012-05-01 (4.40 and later)
PoC: PARAM.SFO
PSF�� Ä @� � � � � � ��� � � � ��� � � � ��h � � % � � � �� , � � � �� 4 ��� � $� C ��� @ (� V ��� � h� j �� € p� t ��� € ð� ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE 40ac78551a88fdc SD PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!] Hackizeit: 1:33:07 ExpSkills: VL-LAB-TRAINING Operation: 1% Trojaners: 0% ... Õõ~\˜òíA×éú�;óç� 40ac78551a88fdc ... BLES00371-NARUTO_STORM-0 HACKINGBKM 1 PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];
AVP patch bypass exploit
patched: since 3.70 and later
PSN security intrusion
patched: since 3.61 enforced password change
Sony PSN Account Service - Password Reset Vulnerability
http://www.vulnerability-lab.com/get_content.php?id=740
patched: since 2012-05-01
Private key nonrandom fail
patched: since 3.56
JIG downgrade
patched: since 3.56
USB config stack-based buffer overflow (PSjailbreak/PSGroove)
patched: since 3.42 and later
Leap year bug
patched: since 3.40 and later
MP4 vulnerability
patched: since 3.21 and later
patched: since 3.10 and later
Open Remote Play
patched: since 2.80 and later
BD-J homebrew
patched: since 2.50 and later
Downgrading with Hardware flasher
See also: Downgrading with Hardware flasher
patched: since 2.20 and later (by adding CoreOS hashing in Syscon to be checked by hypervisor; worked around by patching hypervisor on 3.56 and lower capable consoles)
Full RSX access in OtherOS
patched: since 2.10 and later
