Editing Bugs
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
== Theoretical Hardware Attacks == | |||
= Theoretical Hardware Attacks = | |||
We already know for certain someone out there has hacked the SAMU or stolen Sony's keys because of leaked decrypted kernels. These are some end-all hardware solutions to hack the PS4, theorized by golden. I give a score out of 10 for each. | We already know for certain someone out there has hacked the SAMU or stolen Sony's keys because of leaked decrypted kernels. These are some end-all hardware solutions to hack the PS4, theorized by golden. I give a score out of 10 for each. | ||
Line 39: | Line 37: | ||
Look at Blueborne and CVE-2017-0781. There are probably some bugs in the Sony/FreeBSD Bluetooth stack. Sony has a habit of ruining their own copy and paste. One of the reasons fail0verflow decided to attack the DS4 controller firmware was because it had a nice interface to the kernel which could contain bugs. | Look at Blueborne and CVE-2017-0781. There are probably some bugs in the Sony/FreeBSD Bluetooth stack. Sony has a habit of ruining their own copy and paste. One of the reasons fail0verflow decided to attack the DS4 controller firmware was because it had a nice interface to the kernel which could contain bugs. | ||
= Software Bugs = | == Software Bugs == | ||
=== SnagFilms === | === SnagFilms === | ||
Line 84: | Line 82: | ||
PATCHED: Sony has hotfixed this exploit via content hashing the file while in transit. Some people have managed to reverse the hotfix but the method is not known. The PS4 checks the content hash HTTP header from the HMAC header. | PATCHED: Sony has hotfixed this exploit via content hashing the file while in transit. Some people have managed to reverse the hotfix but the method is not known. The PS4 checks the content hash HTTP header from the HMAC header. | ||
When you launch | When you launch Vidnow for the first time it gets http://sceecatalogs.vidzone.tv/386/vidzone_386_US.db.psarc. This file is 5MB. | ||
This file loads into a | This file loads into a 60k tcp buffer. No checks are done at all on the files size/hash/contents. Therefore, it is possible to redirect Vidnow to load a substitute file. When vidnow is redirected to load a large enough file the TCP Window buffer is overrun,somewhere between byte 34,125,000 and 35,000,000 of the substitute file. Despite the buffer overflow and crash, the substitute data is still transmitted and the application only throws the exception when another tcp packet is sent. As a result, the application crashes and the console locks up for a minute. Directly before the console resumes normal operations after the crash, an unusually large number of tcp (RST) packets are sent. While no exploit that makes use of this crash is currently available, a carefully crafted file '''may''' be able to exploit this or similar issues to gain code execution, among other things. | ||
==== Crash Timeline ==== | ==== Crash Timeline ==== | ||
Line 98: | Line 94: | ||
17:17:48.500567000 Response | 17:17:48.500567000 Response | ||
17:17:50.356427000 (System no longer locked up) Console Regains Control (74 byte packet sent) | 17:17:50.356427000 (System no longer locked up) Console Regains Control (74 byte packet sent) | ||
17:17:50.357555000 Contacts Crashlog Server / System Operation Resumes | 17:17:50.357555000 Contacts Crashlog Server/System Operation Resumes | ||
=== Leap second 23:59:60 bug === | === Leap second 23:59:60 bug === | ||
Line 116: | Line 112: | ||
</pre> | </pre> | ||
= | == Reference sites == | ||
* http://www.vulnerability-lab.com/ | * http://www.vulnerability-lab.com/ |