Editing Vulnerabilities

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 92: Line 92:
'''Consensus''': Confirmed exploitable before 1.80. YEAH!
'''Consensus''': Confirmed exploitable before 1.80. YEAH!


=== GcAuthMgr checks only KeyID > 0x8001 not >= 0x8001 !! ===
allows for a prototype keyset to be used, which is derived from bbmac 0x345
and skips the last step to derive using 0x348. thus instead the master key
gc auth keys are derived using a constant that is obtainable..
<source>
  ret = bigmac_aes256_cmac_to_keyring(key_1,0x21,0x345);
  if (ret == 0) {
    memcpy(&enc_dec_buf,input,0x20);
    ret = bigmac_encrypt_aes128_using_keyslot(bigmac_temp,&enc_dec_buf,0x20,0x21);
    if (ret == 0) {
      memcpy(out,bigmac_temp,0x10);
      if (key_id == 1) {
        memcpy(&enc_dec_buf,out,0x10);
        ret = bigmac_aes128cbc_decrypt_to_keyslot(&enc_dec_buf,iv,0x24,0x348);
        if (ret == 0) {
          *key_id_to_use = 2;
        }
      }
      else {
        *key_id_to_use = 1;
      }
    }
  }
  return ret;
</source>
=== sceIoDevctl does not clear stack buffer ===
=== sceIoDevctl does not clear stack buffer ===
(24/11/2014)
(24/11/2014)
Line 141: Line 116:
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:
When passed proper arguments, sceNetSyscallIoctl will execute a function from the socket's vtable at the end:


<source>
<pre>
       v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(
       v13 = (*(int (__fastcall **)(int, signed int, unsigned int, char *))(*(_DWORD *)(socket + 24) + 28))(
               socket,
               socket,
Line 147: Line 122:
               flags_,
               flags_,
               mem_);
               mem_);
</source>
</pre>


Fixed in 3.63.
Fixed in 3.63.
Line 194: Line 169:


(I copied the octopus from an ASCII art page: http://ascii.co.uk/art/octopus)
(I copied the octopus from an ASCII art page: http://ascii.co.uk/art/octopus)
=== Disclosed by Yifan Lu ===
Yifan Lu has written an article on how to exploit the F00D processor on their personal blog (11/01/2019).
https://yifan.lu/2019/01/11/the-first-f00d-exploit/


== References ==
== References ==
Please note that all contributions to Vita Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see Vita Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)