Editing Vulnerabilities
Latest revision | Your text
Line 100: | Line 100:
== Usermode Exploits (Game Savedata) == | == Usermode Exploits (Game Savedata) ==
=== PS2 games savedata exploits === | === PS2 games savedata exploits ===
Line 152: | Line 120:
* Forbidden Siren | * Forbidden Siren
* Fu'un Super Combo UP0576-CUSA03784_00-SLPS257810000001 https://image.api.playstation.com/cdn/UP0576/CUSA03784_00/QWsetumZLYupFHsOIkoGbKYpySGBdtlp.png | * Fu'un Super Combo UP0576-CUSA03784_00-SLPS257810000001 https://image.api.playstation.com/cdn/UP0576/CUSA03784_00/QWsetumZLYupFHsOIkoGbKYpySGBdtlp.png
* Ghosthunter (English, Japanese) UP9000- | * Ghosthunter (English, Japanese) UP9000-PPSA21974_00-SLUS209930000000 https://image.api.playstation.com/vulcan/ap/rnd/202406/0519/64b26d812ffbfec1acffeaa7d3a61effb12400fff2d95935.png
* GTA III | * GTA III
* GTA Vice City | * GTA Vice City
Line 165: | Line 133:
* Jak X: Combat Racing | * Jak X: Combat Racing
* Kinetica UP9000-CUSA01725_00-SCUS971320000001 https://image.api.playstation.com/cdn/UP9000/CUSA01725_00/EKH34FKOEt3dTXLCiccuawdS8iGIqGLF.png | * Kinetica UP9000-CUSA01725_00-SCUS971320000001 https://image.api.playstation.com/cdn/UP9000/CUSA01725_00/EKH34FKOEt3dTXLCiccuawdS8iGIqGLF.png
* Manhunt | * Manhunt
* Max Payne | * Max Payne
* Metal Slug Anthology | * Metal Slug Anthology
* Okage: Shadow King | * Okage: Shadow King, minimum SDK 3.508.000
* PaRappa the Rapper 2 | * PaRappa the Rapper 2
* Primal | * Primal
Line 180: | Line 150:
* Rogue Galaxy | * Rogue Galaxy
* Samurai Shodown VI | * Samurai Shodown VI
* Star Ocean Till The End Of Time | * Star Ocean Till The End Of Time
* Star Wars Bounty Hunter | * Star Wars Bounty Hunter
Line 187: | Line 156:
EP1006-CUSA03494_00-SLES503710000001 | EP1006-CUSA03494_00-SLES503710000001
https://image.api.playstation.com/cdn/EP1006/CUSA03494_00/9MsXVY5UULzSHB5BTreuKhwep3KZwvQP.png | https://image.api.playstation.com/cdn/EP1006/CUSA03494_00/9MsXVY5UULzSHB5BTreuKhwep3KZwvQP.png
* STAR WARS The Clone Wars UP1082- | * STAR WARS The Clone Wars UP1082-PPSA21985_00-SLUS205100000000 https://image.api.playstation.com/vulcan/ap/rnd/202404/2320/798b83df229613be009a6a9a191606a04846b32eab781c14.png
* The King of Fighters Collection: The Orochi Saga | * The King of Fighters Collection: The Orochi Saga
* The King of Fighters '98 Ultimate Match | * The King of Fighters '98 Ultimate Match
Line 193: | Line 162:
* The Mark of Kri | * The Mark of Kri
* The Warriors | * The Warriors
* Tomb Raider: Legend UP8489- | * Tomb Raider: Legend UP8489-PPSA22453_00-SLUS212030000000 https://image.api.playstation.com/vulcan/ap/rnd/202405/0816/1d9bea712b88097f61b829fac5e96f956fb67225be456f36.png
* Twisted Metal: Black | * Twisted Metal: Black
* War of the Monsters | * War of the Monsters
* Wild Arms 3 | * Wild Arms 3
Official PS2onPS4 games sold on Bluray Discs: | Official PS2onPS4 games sold on Bluray Discs:
Line 218: | Line 185:
* STAR WARS™ BOUNTY HUNTER™ (US version) UP1082-CUSA03472_00-SLUS204200000001 | * STAR WARS™ BOUNTY HUNTER™ (US version) UP1082-CUSA03472_00-SLUS204200000001
* STAR WARS™ BOUNTY HUNTER™ (EU version) EP1006-CUSA03493_00-SLES508310000001 | * STAR WARS™ BOUNTY HUNTER™ (EU version) EP1006-CUSA03493_00-SLES508310000001
* Star Wars Racer Revenge UP1082-CUSA03474, | * Star Wars Racer Revenge UP1082-CUSA03474, minimum SDK 3.508.000
* The King of Fighters '98 Ultimate Match (by Limited Run #344) UP0576-CUSA03751_00-SLUS218160000001 https://image.api.playstation.com/cdn/UP0576/CUSA03751_00/bp4LfKIjcVTMfKP3O4LrDJHWzY6vZDar.png | * The King of Fighters '98 Ultimate Match (by Limited Run #344) UP0576-CUSA03751_00-SLUS218160000001 https://image.api.playstation.com/cdn/UP0576/CUSA03751_00/bp4LfKIjcVTMfKP3O4LrDJHWzY6vZDar.png
* The King of Fighters 2000 (by Limited Run #386) UP0576-CUSA03748_00-SLUS208340000001 https://image.api.playstation.com/cdn/UP0576/CUSA03748_00/tvXJmFqa9zkXAAKCij20B3spadkqGuka.png | * The King of Fighters 2000 (by Limited Run #386) UP0576-CUSA03748_00-SLUS208340000001 https://image.api.playstation.com/cdn/UP0576/CUSA03748_00/tvXJmFqa9zkXAAKCij20B3spadkqGuka.png
Line 224: | Line 191:
These PS2onPS4 games can be bought online directly via Limited Run Games for brand new or for example on Ebay for second hand or like new. | These PS2onPS4 games can be bought online directly via Limited Run Games for brand new or for example on Ebay for second hand or like new.
=== PS4/PS5 PS2emu sandbox escape (mast1c0re) === | === PS4/PS5 PS2emu sandbox escape (mast1c0re) ===
Line 374: | Line 322:
Tested working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60. | Tested working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60.
=== FW 10.00-11.02 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to | === FW 10.00-11.02 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to arbitrary RW ===
==== Credits ==== | ==== Credits ====
Line 386: | Line 334:
==== Bug Description ==== | ==== Bug Description ====
* TODO |
==== Exploit Implementation ==== | ==== Exploit Implementation ====
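Review bot: in the Line 386 region the "* TODO" placeholder under "==== Bug Description ====" is dropped without anything replacing it, so the resulting text has the Bug Description heading sitting empty directly above "==== Exploit Implementation ====". Either keep the placeholder so the gap stays visible to editors, or put at least a one-line summary of the clobberWorld type confusion there.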
Line 406: | Line 349:
* Sergei Glazunov, Google Project Zero, for reporting the bug in 2013-01 and answering Maddie Stone's questions in 2022 (2013) | * Sergei Glazunov, Google Project Zero, for reporting the bug in 2013-01 and answering Maddie Stone's questions in 2022 (2013)
* Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2022-06-14) | * Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2022-06-14)
* | * Anonymous for making an OOM PoC for webkit-gtk, PS4 and PS5 (2023-10-03) then making an arbitrary RW PoC (PSFree) for webkit-gtk, PS4 6.00-9.60 and PS5 1.00-5.50 (2023-10-24)
* CelesteBlue for testing and porting | * CelesteBlue for testing and porting anonymous' PSFree to PS4 6.00-9.60 and PS5 1.00-5.50 (2023-11-04)
==== Analysis ==== | ==== Analysis ====
Line 461: | Line 404:
* Simple PoC for ASAN webkit-gtk by Maddie Stone in Maddie Stone's writeups | * Simple PoC for ASAN webkit-gtk by Maddie Stone in Maddie Stone's writeups
* [https://github.com/springsec/CVE-2022-22620/blob/main/CVE-2022-22620_infoleak_exploit.html Information leak PoC for webkit-gtk by springsec] | * [https://github.com/springsec/CVE-2022-22620/blob/main/CVE-2022-22620_infoleak_exploit.html Information leak PoC for webkit-gtk by springsec]
* [https://discord.com OOM PoC for PS4 and PS5 by | * [https://discord.com OOM PoC for PS4 and PS5 by anonymous on ps4-dev discord (to mirror)]
* [https://discord.com Arbitrary RW PoC (PSFree) for PS4 6.00-9.60 and PS5 1.00-5.50 by | * [https://discord.com Arbitrary RW PoC (PSFree) for PS4 6.00-9.60 and PS5 1.00-5.50 by anonymous on ps4-dev discord (to mirror)]
==== Patched ==== | ==== Patched ====
Line 802: | Line 745:
==== Tested ==== | ==== Tested ====
Works on 3.15, 3.50 FW. Maybe working on 3.51 FW. | Works on 3.15, 3.50 FW. Maybe working on 3.51 FW.
---- | ----