FailMail

From Vita Developer wiki
Latest revision as of 21:57, 24 October 2024

FailMail is an exploit in the PS Vita Mail application that allowed System URI calling (which resulted in an arbitrary file read) and arbitrary file writing. It was patched in firmware 3.55 and above.

Remnants in later firmware

The FailMail exploit was never entirely patched. Sony simply made the email application only have access to the ux0:/calendar folder. The System URI functionality was also fixed. You can still dump files from ux0:/calendar using email attachments; the only 'interesting' file in there is "ux0:/calendar/calendar.db", the calendar app's database. To dump it, you can do the following:

1- Create an event in the calendar with the description set to 'email:send?attach=ux0:/calendar/calendar.db'
2- Click on the 3 "dots" and press "Send via E-Mail"
3- Send it to an email you have access to

You can now download it on a PC or other device. It is a SQLite3 file, so any SQLite database browser should be able to open it.

Impact and applications

See also https://github.com/TeamFAPS/PSVita-MaILFail/blob/main/README.md#impact (to wikify here).

Arbitrary File Write

This is achieved by making the name of the attachment "../../../" followed by the path to the file you want to overwrite. This worked because on 3.55 email attachments are saved to ux0:/temp/email/ under their full name, so the path would become ux0:/temp/email/../../../ux0:/id.dat, overwriting id.dat. However, in 3.55 and above, there is an additional check that gets the filename of the email excluding the path and writes it there with that name instead, and in later firmwares you cannot use "../" to leave the current partition either.
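The path construction described above, next to the kind of filename-only check the fix is described as adding. This is an added example, not Sony's code or code from the original page; the function names and the set of separators treated as path delimiters ('/', '\\', ':') are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define SAVE_DIR "ux0:/temp/email/"   /* save directory named on the page */

/* "Before": the sender-controlled attachment name is appended as-is, so
 * any "../" segments are left for the filesystem to resolve. */
int build_path_unsafe(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s%s", SAVE_DIR, name);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* "After": keep only the final component of the name (nothing before the
 * last '/', '\\' or ':' survives), then refuse names that are empty or
 * that still refer to a directory. */
int build_path_safe(const char *name, char *out, size_t outlen)
{
    const char *base = name;
    for (const char *p = name; *p; p++)
        if (*p == '/' || *p == '\\' || *p == ':')
            base = p + 1;
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return -1;
    int n = snprintf(out, outlen, "%s%s", SAVE_DIR, base);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample names; the first is the one quoted in the text. */
    const char *names[] = { "../../../ux0:/id.dat", "photo.jpg", "a/..", "" };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        build_path_unsafe(names[i], path, sizeof path);
        printf("unsafe: %s\n", path);
        if (build_path_safe(names[i], path, sizeof path) == 0)
            printf("safe:   %s\n", path);
        else
            printf("safe:   rejected\n");
    }
    return 0;
}
```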

Arbitrary File Read

To wikify from https://github.com/TeamFAPS/PSVita-MaILFail/blob/main/README.md#mailfail-arbitrary-file-read.

System URI Call

System URIs are URIs defined in param.sfo, surrounded by triangle brackets, and they can only be run by System applications, not by the web browser. This exploit was achieved simply by receiving an email with an <a href> to a System URI. For example, if you put <a href="psnreg:">Run PSN Reg</a>, when you clicked the link inside the email app, it would execute this URI. This was also fixed in PS Vita System Software version 3.55 simply by adding a check that requires any URI in the email application to be a System URI.

There was also a bug that came about because of this that allowed you to dump any file you wanted: if you called 'email:send?attach=' followed by a path to a file, you could add any file on the system as an attachment and then send it to yourself. This was addressed in 3.57, where the email application can now only attach files from photo0: and ux0:/calendar; anywhere else will result in a 0-byte file being sent.
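A sketch of the attach-source restriction described above, showing two details such an allowlist has to get right: matching on a path-component boundary and refusing ".." segments. This is an added example, not Sony's code or code from the original page; the function names and sample paths are assumptions, and it returns a decision rather than producing the 0-byte attachment.

```c
#include <stdio.h>
#include <string.h>

/* Roots the page says the mail app may still attach from. */
static const char *const ALLOWED_ROOTS[] = { "photo0:", "ux0:/calendar" };

/* Return 1 if any '/'-separated segment of path is exactly "..". */
static int has_dotdot(const char *path)
{
    for (const char *seg = path;;) {
        size_t len = strcspn(seg, "/");
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (seg[len] == '\0')
            return 0;
        seg += len + 1;
    }
}

/* Return 1 if path is an allowed root or lies below one, else 0. */
int attach_allowed(const char *path)
{
    if (has_dotdot(path))
        return 0;
    for (size_t i = 0; i < sizeof ALLOWED_ROOTS / sizeof ALLOWED_ROOTS[0]; i++) {
        size_t n = strlen(ALLOWED_ROOTS[i]);
        if (strncmp(path, ALLOWED_ROOTS[i], n) != 0)
            continue;
        /* The match must end on a component boundary, otherwise
         * "ux0:/calendar_x/..." would pass as "ux0:/calendar". */
        if (path[n] == '\0' || path[n] == '/')
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample paths. */
    const char *paths[] = { "ux0:/calendar/calendar.db", "photo0:/DCIM/a.jpg",
                            "ux0:/id.dat", "ux0:/calendar/../id.dat",
                            "ux0:/calendar_x/a" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-28s %s\n", paths[i], attach_allowed(paths[i]) ? "allow" : "deny");
    return 0;
}
```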

Implementations

See PSVita-MaILFail by Team FAPS CelesteBlue (https://github.com/TeamFAPS/PSVita-MaILFail). It is a toolset to exploit the PS Vita MaILFail vulnerability, allowing arbitrary file read and write on the PS Vita storage.