Editing Vulnerabilities
Latest revision | Your text | ||
Line 100: | Line 100: | ||
== Usermode Exploits (Game Savedata) == | == Usermode Exploits (Game Savedata) == | ||
=== PS2 games savedata exploits === | === PS2 games savedata exploits === | ||
See [https://www.psdevwiki.com/ps2/Vulnerabilities#PS2_Savedata_exploits PS2 savedata exploits on PS2 Dev Wiki]. | See [https://www.psdevwiki.com/ps2/Vulnerabilities#PS2_Savedata_exploits PS2 savedata exploits on PS2 Dev Wiki]. | ||
Official PS2onPS4 games sold on Bluray Discs: | Official PS2onPS4 games sold on Bluray Discs: | ||
* Jak X Combat Racing™® UP9000-CUSA07842 | * Jak X Combat Racing™® UP9000-CUSA07842 | ||
* Jak II UP9000-CUSA07840 | * Jak II UP9000-CUSA07840 | ||
* Jak 3 UP9000-CUSA07841 | * Jak 3 UP9000-CUSA07841 | ||
* | * Jak and Daxter: The Precursor Legacy™ UP9000-CUSA02522_00-SCUS971240000001 https://image.api.playstation.com/cdn/UP9000/CUSA02522_00/o9zJoXqpd4lzarjIbvvZLFjYGLsLvqCp.png | ||
* Psychonauts UP2154-CUSA03881 | * Psychonauts UP2154-CUSA03881 | ||
* Red Faction | * Red Faction 2 UP4389-CUSA06405 | ||
* | * Red Faction UP4389-CUSA06402 | ||
* Star Wars Racers Revenge UP1082-CUSA03474 | |||
* STAR WARS™ BOUNTY HUNTER™ (US version) UP1082-CUSA03472_00-SLUS204200000001 | * STAR WARS™ BOUNTY HUNTER™ (US version) UP1082-CUSA03472_00-SLUS204200000001 | ||
* STAR WARS™ BOUNTY HUNTER™ (EU version) EP1006-CUSA03493_00-SLES508310000001 | * STAR WARS™ BOUNTY HUNTER™ (EU version) EP1006-CUSA03493_00-SLES508310000001 | ||
* | * Indigo Prophecy™ UP1642-CUSA04798 | ||
* | * ADK Damashii UP0576-CUSA03783 | ||
* | * Fu'un Super Combo v2 UP0576-CUSA03784 | ||
* | * METAL SLUG ANTHOLOGY™ (US version by Limited Run #364) UP0576-CUSA03749_00-SLUS215500000001 https://image.api.playstation.com/cdn/UP0576/CUSA03749_00/ImHDRENlttkdiXlm3K8ejNVgLURd3uTw.png | ||
* METAL SLUG ANTHOLOGY™ (EU version by SNK) EP0576-CUSA04156_00-SLES546770000001 https://image.api.playstation.com/cdn/EP0576/CUSA04156_00/NN7npbsEvxIRGI8lBVhm9I5BwFzdGlOK.png | |||
* Destroy All Humans! (2005) (PS2 Classic by Limited Run #370, not to be confused with the remake EP4389-CUSA14910_00-DAH1REMAKEEU0000) UP4389-CUSA05232_00-SLUS209450000001 https://image.api.playstation.com/cdn/UP4389/CUSA05232_00/XrgVkqoR5rvZk4tAGi2j7OFfHpAZWKUu.png | |||
These PS2onPS4 games can be bought online directly via Limited Run Games for brand new or for example on Ebay for second hand or like new. | These PS2onPS4 games can be bought online directly via Limited Run Games for brand new or for example on Ebay for second hand or like new. | ||
=== PS4/PS5 PS2emu sandbox escape (mast1c0re) === | === PS4/PS5 PS2emu sandbox escape (mast1c0re) === | ||
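Review bot: three entries present in the "Latest revision" column are dropped on the "Your text" side with no replacement (Star Wars Racers Revenge UP1082-CUSA03474, METAL SLUG ANTHOLOGY™ EU version EP0576-CUSA04156_00-SLES546770000001, and Destroy All Humans! UP4389-CUSA05232_00-SLUS209450000001); confirm these removals are intended rather than a side effect of the undo, since the title IDs are the useful part of this list. At the same time the "Latest revision" side carries empty bullets (`*`) where "Your text" has full entries (Jak and Daxter, Red Faction, Indigo Prophecy, ADK Damashii, Fu'un Super Combo v2, METAL SLUG ANTHOLOGY US), so the two sides each hold entries the other lacks and should be merged rather than one replacing the other. Minor wording: "Bluray" and "Ebay" read better as "Blu-ray" and "eBay".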
Line 374: | Line 255: | ||
Tested working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60. | Tested working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60. | ||
=== FW 10.00-11.02 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to | === FW 10.00-11.02 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to arbitrary RW === | ||
==== Credits ==== | ==== Credits ==== | ||
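Review bot: the heading on the "Latest revision" side is cut off mid-phrase ("... Type Confusion (no CVE) leading to"); the "Your text" side completes it with "arbitrary RW", which is the version to keep. "Intepreter" is misspelled on both sides and should read "Interpreter".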
Line 386: | Line 267: | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
* TODO | |||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
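Review bot: removing the "* TODO" placeholder leaves the "Bug Description" section with no body between its heading and "Exploit Implementation"; keep the placeholder until a description is written so the gap stays visible to editors.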
Line 406: | Line 282: | ||
* Sergei Glazunov, Google Project Zero, for reporting the bug in 2013-01 and answering Maddie Stone's questions in 2022 (2013) | * Sergei Glazunov, Google Project Zero, for reporting the bug in 2013-01 and answering Maddie Stone's questions in 2022 (2013) | ||
* Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2022-06-14) | * Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2022-06-14) | ||
* | * Anonymous for making an OOM PoC for webkit-gtk, PS4 and PS5 (2023-10-03) then making an arbitrary RW PoC (PSFree) for webkit-gtk, PS4 6.00-9.60 and PS5 1.00-5.50 (2023-10-24) | ||
* CelesteBlue for testing and porting | * CelesteBlue for testing and porting anonymous' PSFree to PS4 6.00-9.60 and PS5 1.00-5.50 (2023-11-04) | ||
==== Analysis ==== | ==== Analysis ==== | ||
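Review bot: the "CelesteBlue for testing and porting" line is truncated on the "Latest revision" side and the anonymous author's credit line is an empty bullet there, while the "Your text" side carries both in full (OOM PoC dated 2023-10-03, PSFree arbitrary RW PoC dated 2023-10-24, port dated 2023-11-04), so the restored version is the more complete one. Style: "Anonymous" and "anonymous'" differ in capitalisation between the two credit lines; pick one.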
Line 461: | Line 337: | ||
* Simple PoC for ASAN webkit-gtk by Maddie Stone in Maddie Stone's writeups | * Simple PoC for ASAN webkit-gtk by Maddie Stone in Maddie Stone's writeups | ||
* [https://github.com/springsec/CVE-2022-22620/blob/main/CVE-2022-22620_infoleak_exploit.html Information leak PoC for webkit-gtk by springsec] | * [https://github.com/springsec/CVE-2022-22620/blob/main/CVE-2022-22620_infoleak_exploit.html Information leak PoC for webkit-gtk by springsec] | ||
* [https://discord.com OOM PoC for PS4 and PS5 by | * [https://discord.com OOM PoC for PS4 and PS5 by anonymous on ps4-dev discord (to mirror)] | ||
* [https://discord.com Arbitrary RW PoC (PSFree) for PS4 6.00-9.60 and PS5 1.00-5.50 by | * [https://discord.com Arbitrary RW PoC (PSFree) for PS4 6.00-9.60 and PS5 1.00-5.50 by anonymous on ps4-dev discord (to mirror)] | ||
==== Patched ==== | ==== Patched ==== | ||
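Review bot: the two PoC links point at the bare https://discord.com rather than at the files, with "(to mirror)" as a placeholder, so a reader cannot reach either the OOM PoC or the PSFree PoC from them. Either mirror the files and link them, or drop the bare discord.com URL and keep only the plain-text attribution until a mirror exists; a link that goes nowhere is worse than no link in a references list.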
Line 802: | Line 678: | ||
==== Tested ==== | ==== Tested ==== | ||
Works on 3.15, 3.50 FW. Maybe working on 3.51 FW. | Works on 3.15, 3.50 FW. Maybe working on 3.51 FW. | ||
---- | ---- | ||