Editing Vulnerabilities
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 35: | Line 35: | ||
NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes callback with <code>SecurityCritical</code> allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature <ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object. | NetworkRequest.BeginGetResponse(AsyncCallback callback) invokes callback with <code>SecurityCritical</code> allowing for a privilege escalation. Unfortunately, Sony closed down the scoreboards feature <ref>http://community.eu.playstation.com/t5/Announcements-Events/PSM-scoreboard-service-is-closing/td-p/21263959</ref> which means that Network.AuthGetTicket() fails and Network.CreateRequest() cannot be invoked. There is no other way of creating a NetworkRequest object. | ||
using System; | using System; | ||
using System.Security; | using System.Security; | ||
Line 67: | Line 67: | ||
} | } | ||
} | } | ||
== System == | == System == | ||
Line 75: | Line 75: | ||
=== Stack buffer overflow in sceSblDmac5EncDec === | === Stack buffer overflow in sceSblDmac5EncDec === | ||
(16/09/2014) | (16/09/2014) | ||
might have found one | might have found one | ||
SceSblDmac5Mgr_sceSblDmac5EncDec | SceSblDmac5Mgr_sceSblDmac5EncDec | ||
Line 88: | Line 88: | ||
bad news is it got patched in 1.80 | bad news is it got patched in 1.80 | ||
they also added a isShell check | they also added a isShell check | ||
'''Consensus''': Confirmed exploitable before 1.80. YEAH! | '''Consensus''': Confirmed exploitable before 1.80. YEAH! | ||
=== sceIoDevctl does not clear stack buffer === | === sceIoDevctl does not clear stack buffer === | ||
(24/11/2014) | (24/11/2014) | ||
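Review bot: the next hunk header jumps from Line 88 to Line 122 in the latest revision but only to Line 97 in the undo text, so this undo drops about 25 lines between this context block and the "Then call devctl" line, yet none of those removed lines are shown in the comparison. Since both boundaries fall inside the sceIoDevctl section (its heading is the last line here and the next hunk is still its body), confirm what that block contains before publishing; the visible diff only accounts for the two small wording changes further down.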
Line 122: | Line 97: | ||
Then call devctl and get upto 0x3FF bytes of that stack! | Then call devctl and get upto 0x3FF bytes of that stack! | ||
sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, WINDOW_BASE+0x10, 0x3FF); | sceIoDevctl("sdstor0:", 5, "xmc-lp-ign-userext", 0x14, WINDOW_BASE+0x10, 0x3FF); | ||
store(RET, WINDOW_BASE+0x4); | store(RET, WINDOW_BASE+0x4); | ||
=== Syscall handler doesn't check syscall number === | === Syscall handler doesn't check syscall number === | ||
Line 133: | Line 106: | ||
(03/07/2015) A large syscall number passed in R12 can overflow syscall table and cause an arbitrary function pointer to be dereferenced and executed. | (03/07/2015) A large syscall number passed in R12 can overflow syscall table and cause an arbitrary function pointer to be dereferenced and executed. | ||
This was patched | This was patched somewhere >1.60. | ||
=== Heap use-after-free in sceNetSyscallIoctl === | === Heap use-after-free in sceNetSyscallIoctl === | ||
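Review bot: on the right, "This was patched somewhere >1.60." restores a firmware bound that the latest revision dropped, and neither version states which firmware actually introduced the syscall-number check. Keep the bound only together with what was verified (the entry is dated 03/07/2015), for example "This was patched in [version unknown]; last confirmed present on 1.60", so that ">1.60" is not read as the patch version itself.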
Line 141: | Line 114: | ||
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end: | When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end: | ||
v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))( | v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))( | ||
socket, | socket, | ||
Line 147: | Line 120: | ||
flags_, | flags_, | ||
mem_); | mem_); | ||
Confirmed exploitable on 3.60 still. | |||
== Non-secure Kernel Loader == | == Non-secure Kernel Loader == | ||
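Review bot: this undo deletes "Confirmed exploitable on 3.60 still." from the sceNetSyscallIoctl entry, which is the only line in that section stating whether the bug is present on a current firmware. If the undo is only meant to revert the ">1.60" wording change in the syscall-handler entry above, keep this line; if it is being removed as unsourced, replace it with a dated line in the style of the other entries ("(dd/mm/yyyy) ..." plus a '''Consensus''' line, as in the sceSblDmac5EncDec section) rather than dropping the status altogether.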
Line 156: | Line 129: | ||
== Secure Kernel == | == Secure Kernel == | ||
== Hardware == | == Hardware == | ||
Line 176: | Line 135: | ||
== F00D Processor == | == F00D Processor == | ||
== References == | == References == |