Bugs & Vulnerabilities

From PS3 Developer wiki
Jump to navigation Jump to search

Unknown / unpatched

Remote DoS Exploit

http://cxsecurity.com/issue/WLB-2007030183

Patched: ?

Memory corruption and NULL pointer in Unreal Tournament III 1.2

http://cxsecurity.com/issue/WLB-2008070060

unsure if applies to PS3?

MacOS X 10.5/10.6 libc/strtod(3) buffer overflow

http://cxsecurity.com/issue/WLB-2010010162

unsure if applies to PS3?

OpenPrinter() stack-based buffer overflow

http://seclists.org/fulldisclosure/2007/Jan/474

Patched: ?

DOM flaw

http://seclists.org/fulldisclosure/2009/Jul/299

Patched: ?

Patched

RSX Syscall bug

In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.
however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory.

Patched: 4.45

CTR bugs on SELFs (and ebootroms maybe?)

http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption CTR bugs on SELFs

Patched: since Vita pre-retail 0.9.9.6 (SELFs, should match with ps3 firmware at release date), unknown (ebootroms)

PARAM.SFO stack-based buffer overflow

http://seclists.org/fulldisclosure/2013/May/113

Patched: since 2012-05-01 (4.40 and later)

Proof of Concept

Unsigned code can be added to the PARAM.SFO because the console does not recognize special characters

http://www.exploit-db.com/exploits/25718/

Working on 4.31, Patched: since 2012-05-01 (4.40 and later)

PoC: PARAM.SFO 

PSF�� Ä @� � � � � � ��� � � � ��� � � � ��h � � % � � � �� , � � � �� 4
��� �
$� C ��� @ (� V ��� � h� j ��
€ p� t ��� € ð�
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE
TITLE
40ac78551a88fdc
SD
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]

Hackizeit: 1:33:07

ExpSkills: VL-LAB-TRAINING

Operation: 1%
Trojaners: 0%
... Õõ~\˜òíA×éú�;óç� 40ac78551a88fdc
...
BLES00371-NARUTO_STORM-0
HACKINGBKM 1
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];

AVP patch bypass exploit

Patched: since 3.70 and later

PSN security intrusion

Patched: since 3.61 enforced password change

Sony PSN Account Service - Password Reset Vulnerability

http://www.vulnerability-lab.com/get_content.php?id=740

Patched: since 2012-05-01

Private key nonrandom fail

Patched: since 3.56

JIG downgrade

Patched: since 3.56

USB config stack-based buffer overflow (PSjailbreak/PSGroove)

Patched: since 3.42 and later

Leap year bug

Patched: since 3.40 and later

MP4 vulnerability

Patched: since 3.21 and later

Playback of Cinavia DRM protected titles

Patched: since 3.10 and later

Open Remote Play

Patched: since 2.80 and later

BD-J homebrew

Patched: since 2.50 and later

Downgrading with Hardware flasher

See also: Downgrading with Hardware flasher

Patched: since 2.20 and later (by adding CoreOS hashing in Syscon to be checked by hypervisor; worked around by patching hypervisor on 3.56 and lower capable consoles)

Full RSX access in OtherOS

Patched: since 2.10 and later

Resistance: Fall of Man network update exploit

Patched

Warhawk network update exploit

Patched


General
Hypervisor
Services
Plugin
Interfaces
ap_plugin · audioplayer_plugin · audiop_plugin_dummy · audiop_plugin_mini · auth_plugin · autodownload_plugin · autoupdateconf_plugin · avc_plugin · avc_util · avc2_game_plugin · avc2_game_video_plugin · avc2_text_plugin · bdp_disccheck_plugin · bdp_plugin · bdp_storage_plugin · campaign_plugin · category_setting_plugin · comboplay_plugin · custom_render_plugin · data_copy_plugin · deviceconf_plugin · dlna_plugin · download_plugin · dtcpip_util · edy_plugin · esehttp · eseibrd · eseidle · eselock · eula_cddb_plugin · eula_hcopy_plugin · eula_net_plugin · explore_plugin · explore_plugin_ft · explore_plugin_game · explore_plugin_np · filecopy_plugin · friendim_plugin · friendml_plugin · friendtrophy_plugin · game_ext_plugin · game_indicator_plugin · game_plugin · gamedata_plugin · gamelib_plugin · gameupdate_plugin · hknw_plugin · idle_plugin · impose_plugin · kensaku_plugin · msgdialog_plugin · mtpinitiator_plugin · musicbrowser_plugin · nas_plugin · netconf_plugin · newstore_plugin · np_eula_plugin · np_matching_plugin · np_multisignin_plugin · np_sns_plugin · npsignin_plugin · np_trophy_ingame · np_trophy_plugin · osk · oskfullkeypanel · oskpanel · pesm_plugin · photo_network_sharing_plugin · photolist_plugin · photoviewer_plugin · playlist_plugin · poweroff_plugin · premo_plugin · premo_game_plugin · print_plugin · profile_plugin · ps3_savedata_plugin · ps3_savedata_plugin_game · ps3_savedata_plugin_psp · rec_plugin · regcam_plugin · remotedownload_plugin · sacd_plugin · scenefolder_plugin · screenshot_plugin · software_update_plugin · soundvisualizer_plugin · strviewer_plugin · sysconf_plugin · system_plugin · thumthum_plugin · upload_util · user_info_plugin · user_plugin · videodownloader_plugin · videoeditor_plugin · videoplayer_util · videoplayer_plugin · vmc_savedata_plugin · wboard_plugin · webbrowser_plugin · webbrowser_service · webrender_plugin · xai_plugin · xmb_ingame · xmb_plugin
Emulation
Extended
features
Online
Hardware
SC
CELL
RAM
SB
HDD
BD
Tools
Strings
files
dumps
Reference
Keys & Seeds
Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=Bugs_%26_Vulnerabilities&oldid=29839"