Bugs & Vulnerabilities: Difference between revisions
Jump to navigation
Jump to search
mNo edit summary |
CelesteBlue (talk | contribs) No edit summary |
||
| (27 intermediate revisions by 10 users not shown) | |||
| Line 1: | Line 1: | ||
== Unknown / unpatched == | |||
=== Webkit buffer overflow === | |||
http:// | * [http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28458] | ||
Not Patched | |||
=== RSX VRAM Access === | |||
* [http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28421] | |||
Not Patched | |||
=== Memory corruption and NULL pointer in Unreal Tournament III 1.2 === | |||
* [http://cxsecurity.com/issue/WLB-2008070060] | |||
unsure if it applies to PS3 | |||
=== MacOS X 10.5/10.6 libc/strtod(3) buffer overflow === | |||
* [http://cxsecurity.com/issue/WLB-2010010162] | |||
unsure if it applies to PS3 | |||
=== OpenPrinter() stack-based buffer overflow === | |||
* [http://seclists.org/fulldisclosure/2007/Jan/474] | |||
patched: since 2.10 and later | |||
Patched: ? | |||
=== DOM flaw === | |||
http://seclists.org/fulldisclosure/2009/Jul/299 | |||
Patched: ? | |||
=== PS3xploit Kernel Exploit === | |||
Unpatched: To be disclosed. | |||
=== Leakage of PTCH body plaintext over SPI on all BGA SYSCONs === | |||
When reading the body via the EEPROM read command, in all cases, the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface. Note that this ONLY happens when SC interacts with patch body and some specific areas. | |||
==== Examples ==== | |||
===== MISO ===== | |||
<pre> | |||
04 C8 34 30 BD E4 9F 27 16 DE 5C C1 E7 A3 DA 9C | |||
7F 5B 29 9A 5A 48 5C 14 ED B2 DE 28 84 43 68 82 | |||
98 87 4E D4 62 51 01 A9 24 34 02 B3 FF 26 63 17 | |||
77 8E 95 56 B1 5F 9F 22 93 46 DE 4E 3A 5E 8A D3 | |||
</pre> | |||
===== MOSI ===== | |||
<pre> | |||
3C 3A 04 3F 25 A6 68 09 02 00 04 00 00 00 00 00 (0x26B0) | |||
3C 3A 04 3F 71 AD 00 00 09 00 00 00 00 00 00 00 (0x26C0) | |||
3C 3A 04 3F 8E D5 75 0D 00 00 00 00 00 00 00 00 (0x26D0) | |||
3C 3A 04 3F 80 86 48 0B 0B 00 03 00 00 00 00 00 (0x26E0) | |||
</pre> | |||
== Patched == | |||
=== Lv2 sys_fs_mount stack overflow === | |||
Stack buffer overflow with required privileges when passing a length greater than 10. It now checks for length less than or equal to 10. If larger than 10, the length gets set to 10.<br> | |||
* [https://nwert.wordpress.com/2012/09/19/exploiting-lv2/ writeup] | |||
* [https://web.archive.org/web/20141201184718/http://pastie.org/4755699 code] | |||
Patched: sometime before [[4.40_CEX|4.40]] (only fw I checked) | |||
=== RSX Syscall bug === | |||
In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.<br> however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory. | |||
Patched: [[4.40_CEX|4.40]] | |||
=== AES CTR vulnerability on SELFs (and ebootroms maybe?) === | |||
Sometimes SCE reused the same AES CTR keys and IVs in different [[Certified Files]]. | |||
See also [http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption]. | |||
Patched: since PSVita prototype FWs as their [[Certified Files]] don't use AES CTR but instead AES CBC. | |||
Maybe not patched on ebootroms. | |||
=== PARAM.SFO stack-based buffer overflow === | |||
* [http://seclists.org/fulldisclosure/2013/May/113] | |||
Patched: since 2012-05-01 ([[4.40_CEX|4.40]] and later) | |||
==== Proof of Concept ==== | |||
Unsigned code can be added to the [[PARAM.SFO]] because the console does not recognize special characters. | |||
* [http://www.exploit-db.com/exploits/25718/] | |||
Working on [[4.31_CEX|4.31]]. Patched: since 2012-05-01 ([[4.40_CEX|4.40]] and later). | |||
PoC: PARAM.SFO | |||
<pre> | |||
PSF�� Ä @� � � � � � ��� � � � ��� � � � ��h � � % � � � �� , � � � �� 4 | |||
��� � | |||
$� C ��� @ (� V ��� � h� j �� | |||
€ p� t ��� € ð� | |||
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE | |||
TITLE | |||
40ac78551a88fdc | |||
SD | |||
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!] | |||
Hackizeit: 1:33:07 | |||
ExpSkills: VL-LAB-TRAINING | |||
Operation: 1% | |||
Trojaners: 0% | |||
... Õõ~\˜òíA×éú�;óç� 40ac78551a88fdc | |||
... | |||
BLES00371-NARUTO_STORM-0 | |||
HACKINGBKM 1 | |||
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]; | |||
</pre> | |||
=== AVP patch bypass exploit === | |||
Patched: since [[3.70_CEX|3.70]] and later. | |||
=== PSN security intrusion === | |||
Patched: since [[3.61_CEX|3.61]] enforced password change | |||
=== Sony PSN Account Service - Password Reset Vulnerability === | |||
* [http://www.vulnerability-lab.com/get_content.php?id=740] | |||
Patched: since 2012-05-01 | |||
=== ECDSA private key non-random fail === | |||
See fail0verfl0w talk. | |||
Patched: since [[3.56-1 CEX|3.56]] | |||
=== JIG downgrade === | |||
Patched: since [[3.56-1 CEX|3.56]] | |||
=== USB config heap-based buffer overflow (PSjailbreak/PSGroove) === | |||
Patched: since [[3.42_CEX|3.42]] and later | |||
=== Leap year bug === | |||
Patched: since [[3.40_CEX|3.40]] and later | |||
=== MP4 vulnerability === | |||
Patched: since [[3.21_CEX|3.21]] and later | |||
=== Playback of Cinavia DRM protected titles === | |||
Patched: since [[3.10_CEX|3.10]] and later | |||
=== Open Remote Play === | |||
Patched: since [[2.80_CEX|2.80]] and later | |||
=== BD-J homebrew === | |||
Patched: since [[2.50_CEX|2.50]] and later | |||
=== System Software Downgrade with hardware flasher === | |||
See also: [[Downgrading with Hardware flasher]]. | |||
Patched: since [[2.20_CEX|2.20]] and later (by adding [[CoreOS]] hashing in [[Syscon Hardware|Syscon]] to be checked by [[Hypervisor Reverse Engineering|hypervisor]]; worked around by patching hypervisor on [[3.56-1 CEX|3.56]] and lower capable consoles). | |||
=== Full RSX access in OtherOS === | |||
Patched: since [[2.10_CEX|2.10]] and later | |||
=== Web browser DoS via a large integer value for the length property of a Select object === | |||
* [http://www.cvedetails.com/cve/CVE-2009-2541/] | |||
Patched: since 4 sept 2009 | |||
=== Remote Play UDP packets DoS === | |||
* [http://www.cvedetails.com/cve/CVE-2007-1728/ / http://cxsecurity.com/issue/WLB-2007030183] | |||
Affected: [[1.60_CEX|2.10]] and PSP 3.10 OE-A | |||
Patched: since 13 nov 2008 | |||
=== Resistance: Fall of Man network update exploit === | |||
Patched | |||
=== Warhawk network update exploit === | |||
Patched | |||
=== Game Bugs patched via Firmware === | |||
==== Afro Samurai Black Screen ==== | |||
Black screen as a failed attempt to call: | |||
cellAudioOutConfigure | |||
cellSysutilAvconfExt_FA611DF4 | |||
Occours in [[3.01_CEX|Firmware 3.01]] | |||
BLUS30264 | |||
NPUB90215 | |||
BLES00516 | |||
In order to correct this problem start up your Playstation 3 system and while on the XMB (Cross Media Bar/System Menu) | |||
go to "Settings" and select "Sound Settings" from here select "Audio Multi-Output" and set this option to "OFF". | |||
You should be able to play the Afro Samurai Demo or update the retail game properly to the latest patch after this. | |||
Source: [http://support.bandainamcogames.com/index.php?/Knowledgebase/Article/View/216/233/afro-samurai-why-doesnt-my-game-start-up-ps3-only] | |||
Patched: in Firmware ([[VSH]]) since (unknown) | |||
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> | |||
Revision as of 00:15, 28 May 2020
Unknown / unpatched
Webkit buffer overflow
Not Patched
RSX VRAM Access
Not Patched
Memory corruption and NULL pointer in Unreal Tournament III 1.2
unsure if it applies to PS3
MacOS X 10.5/10.6 libc/strtod(3) buffer overflow
unsure if it applies to PS3
OpenPrinter() stack-based buffer overflow
Patched: ?
DOM flaw
http://seclists.org/fulldisclosure/2009/Jul/299
Patched: ?
PS3xploit Kernel Exploit
Unpatched: To be disclosed.
Leakage of PTCH body plaintext over SPI on all BGA SYSCONs
When reading the body via the EEPROM read command, in all cases, the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface. Note that this ONLY happens when SC interacts with patch body and some specific areas.
Examples
MISO
04 C8 34 30 BD E4 9F 27 16 DE 5C C1 E7 A3 DA 9C 7F 5B 29 9A 5A 48 5C 14 ED B2 DE 28 84 43 68 82 98 87 4E D4 62 51 01 A9 24 34 02 B3 FF 26 63 17 77 8E 95 56 B1 5F 9F 22 93 46 DE 4E 3A 5E 8A D3
MOSI
3C 3A 04 3F 25 A6 68 09 02 00 04 00 00 00 00 00 (0x26B0) 3C 3A 04 3F 71 AD 00 00 09 00 00 00 00 00 00 00 (0x26C0) 3C 3A 04 3F 8E D5 75 0D 00 00 00 00 00 00 00 00 (0x26D0) 3C 3A 04 3F 80 86 48 0B 0B 00 03 00 00 00 00 00 (0x26E0)
Patched
Lv2 sys_fs_mount stack overflow
Stack buffer overflow with required privileges when passing a length greater than 10. It now checks for length less than or equal to 10. If larger than 10, the length gets set to 10.
Patched: sometime before 4.40 (only fw I checked)
RSX Syscall bug
In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.
however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory.
Patched: 4.40
AES CTR vulnerability on SELFs (and ebootroms maybe?)
Sometimes SCE reused the same AES CTR keys and IVs in different Certified Files.
See also [6].
Patched: since PSVita prototype FWs as their Certified Files don't use AES CTR but instead AES CBC.
Maybe not patched on ebootroms.
PARAM.SFO stack-based buffer overflow
Patched: since 2012-05-01 (4.40 and later)
Proof of Concept
Unsigned code can be added to the PARAM.SFO because the console does not recognize special characters.
Working on 4.31. Patched: since 2012-05-01 (4.40 and later).
PoC: PARAM.SFO
PSF�� Ä @� � � � � � ��� � � � ��� � � � ��h � � % � � � �� , � � � �� 4 ��� � $� C ��� @ (� V ��� � h� j �� € p� t ��� € ð� ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE 40ac78551a88fdc SD PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!] Hackizeit: 1:33:07 ExpSkills: VL-LAB-TRAINING Operation: 1% Trojaners: 0% ... Õõ~\˜òíA×éú�;óç� 40ac78551a88fdc ... BLES00371-NARUTO_STORM-0 HACKINGBKM 1 PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];
AVP patch bypass exploit
Patched: since 3.70 and later.
PSN security intrusion
Patched: since 3.61 enforced password change
Sony PSN Account Service - Password Reset Vulnerability
Patched: since 2012-05-01
ECDSA private key non-random fail
See fail0verfl0w talk.
Patched: since 3.56
JIG downgrade
Patched: since 3.56
USB config heap-based buffer overflow (PSjailbreak/PSGroove)
Patched: since 3.42 and later
Leap year bug
Patched: since 3.40 and later
MP4 vulnerability
Patched: since 3.21 and later
Patched: since 3.10 and later
Open Remote Play
Patched: since 2.80 and later
BD-J homebrew
Patched: since 2.50 and later
System Software Downgrade with hardware flasher
See also: Downgrading with Hardware flasher.
Patched: since 2.20 and later (by adding CoreOS hashing in Syscon to be checked by hypervisor; worked around by patching hypervisor on 3.56 and lower capable consoles).
Full RSX access in OtherOS
Patched: since 2.10 and later
Web browser DoS via a large integer value for the length property of a Select object
Patched: since 4 sept 2009
Remote Play UDP packets DoS
Affected: 2.10 and PSP 3.10 OE-A
Patched: since 13 nov 2008
Resistance: Fall of Man network update exploit
Patched
Warhawk network update exploit
Patched
Game Bugs patched via Firmware
Afro Samurai Black Screen
Black screen as a failed attempt to call:
cellAudioOutConfigure cellSysutilAvconfExt_FA611DF4
Occours in Firmware 3.01
BLUS30264 NPUB90215 BLES00516
In order to correct this problem start up your Playstation 3 system and while on the XMB (Cross Media Bar/System Menu) go to "Settings" and select "Sound Settings" from here select "Audio Multi-Output" and set this option to "OFF". You should be able to play the Afro Samurai Demo or update the retail game properly to the latest patch after this.
Source: [11]
Patched: in Firmware (VSH) since (unknown)
