Bugs & Vulnerabilities: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
(add old and patched lv2 exploit)
No edit summary
 
(20 intermediate revisions by 8 users not shown)
Line 1: Line 1:
== Unknown / unpatched ==
== Unknown / unpatched ==


=== Webkit buffer overflow ===
=== WebKit parseFloat() type confusion leading to stack buffer overflow ===
http://playstationhax.it/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28458
 
<br>
==== Credits ====
Not Patched
* Zuk Avraham
* TODO
 
==== Bug Description ====
When inserting NaN with a parameter as an argument into parseFloat(), we can overflow the tiny buffer created by parseFloat().
 
==== Analysis ====
* [https://web.archive.org/web/20210521110132/https://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?tab=comments#comment-28458 WebKit PoC for PS3 released by xerpi through zecoxao in Playstationhax.xyz forum (2016-03-24)]
 
==== Implementation ====
* [https://github.com/PS3Xploit/PS3HEN PS3HEN on PS3 by the PS3Xploit team]
* [https://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html Writeup and PoC on Android 2.1 by Zuk Avraham]
 
==== Patched ====
Patched on PS3 FW 4.83. Remains exploitable on higher firmwares by installing old WebKit sprx files in hybrid PUP.
 
=== WebKit CSS font face source type confusion leading to read primitive ===
 
==== Credits ====
TODO
 
==== Bug Description ====
While parsing the source of a CSS font face, CSSParser::parseFontFaceSrc() assumes the value given is a string, but if we insert a specific double value into an exploitable function like insert() or format(), we can leak the memory via an overlap between two variables.
 
==== Implementation ====
* [https://github.com/PS3Xploit/PS3HEN PS3HEN on PS3 by the PS3Xploit team]
* [https://code.google.com/p/chromium/issues/detail?id=63866] initial bug report
 
==== Patched ====
Patched on PS3 FW 4.83. Remains exploitable on higher firmwares by installing old WebKit sprx files in hybrid PUP.


=== RSX VRAM Access ===
=== RSX VRAM Access ===
http://playstationhax.it/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28421
 
<br>
* [https://web.archive.org/web/*/http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28421]
Not Patched
 
==== Patched ====
Not Patched.


=== Memory corruption and NULL pointer in Unreal Tournament III 1.2 ===
=== Memory corruption and NULL pointer in Unreal Tournament III 1.2 ===
http://cxsecurity.com/issue/WLB-2008070060


unsure if applies to PS3?
* [http://cxsecurity.com/issue/WLB-2008070060]
 
Unsure if it applies to PS3.


=== MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ===
=== MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ===
http://cxsecurity.com/issue/WLB-2010010162


unsure if applies to PS3?
* [http://cxsecurity.com/issue/WLB-2010010162]
 
Unsure if it applies to PS3.


=== OpenPrinter() stack-based buffer overflow ===
=== OpenPrinter() stack-based buffer overflow ===
http://seclists.org/fulldisclosure/2007/Jan/474


Patched: ?
* [http://seclists.org/fulldisclosure/2007/Jan/474]
 
==== Patched ====
?patched?


=== DOM flaw ===
=== DOM flaw ===
http://seclists.org/fulldisclosure/2009/Jul/299
http://seclists.org/fulldisclosure/2009/Jul/299


Patched: ?
==== Patched ====
?patched?
 
=== PS3Xploit Kernel Exploit ===
 
==== Credits ====
* Team PS3Xploit
* TODO
 
==== Bug description ====
To be disclosed.
 
==== Implementation ====
* [https://github.com/PS3Xploit/PS3HEN PS3HEN on PS3 by the PS3Xploit team]
 
==== Patched ====
Not patched as of PS3 FW 4.90.
 
=== Leakage of PTCH body plaintext over SPI on all BGA SYSCONs ===
 
When reading the body via the EEPROM read command, in all cases, the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface. Note that this ONLY happens when SC interacts with patch body and some specific areas.
 
==== Examples ====
 
===== MISO =====
 
<pre>
04 C8 34 30 BD E4 9F 27 16 DE 5C C1 E7 A3 DA 9C
7F 5B 29 9A 5A 48 5C 14 ED B2 DE 28 84 43 68 82
98 87 4E D4 62 51 01 A9 24 34 02 B3 FF 26 63 17
77 8E 95 56 B1 5F 9F 22 93 46 DE 4E 3A 5E 8A D3
</pre>
 
===== MOSI =====
 
<pre>
3C 3A 04 3F 25 A6 68 09 02 00 04 00 00 00 00 00 (0x26B0)
3C 3A 04 3F 71 AD 00 00 09 00 00 00 00 00 00 00 (0x26C0)
3C 3A 04 3F 8E D5 75 0D 00 00 00 00 00 00 00 00 (0x26D0)
3C 3A 04 3F 80 86 48 0B 0B 00 03 00 00 00 00 00 (0x26E0)
</pre>


== Patched ==
== Patched ==


=== Lv2 sys_fs_mount stack overflow ===
=== Lv2 sys_fs_mount stack overflow ===
Stack buffer overflow with required priveleges when passing a length greater than 10. It now checks for length less than or equal to 10. If larger than 10, the length gets set to 10.<br>
 
https://nwert.wordpress.com/2012/09/19/exploiting-lv2/ <br>
Stack buffer overflow with required privileges when passing a length greater than 10. It now checks for length less than or equal to 10. If larger than 10, the length gets set to 10.<br>
http://pastie.org/4755699 <br>
* [https://nwert.wordpress.com/2012/09/19/exploiting-lv2/ writeup]
* [https://web.archive.org/web/20141201184718/http://pastie.org/4755699 code]


Patched: sometime before [[4.40_CEX|4.40]] (only fw I checked)
Patched: sometime before [[4.40_CEX|4.40]] (only fw I checked)


=== RSX Syscall bug ===
=== RSX Syscall bug ===
In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.<br> however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory.
In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.<br> however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory.


Patched: [[4.45_CEX|4.45]]
Patched: [[4.40_CEX|4.40]]
 
=== Lv2 sys_prx_register_module stack overflow ===
 
Stack buffer overflow which is fixed around 4.3x or 4.4x. Does not require any privileges.
 
=== Lv2 578 Syscall stack overflow ===
 
Stack buffer overflow which is fixed around 4.3x or 4.4x. Requires root privileges. Syscall is compiled with stack cookies.


=== CTR bugs on SELFs (and ebootroms maybe?) ===
Patched: [[4.4x_CEX|4.4x]]
http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption CTR bugs on SELFs


Patched: since Vita pre-retail [http://www.vitadevwiki.com/index.php?title=00.996.090_DEX 0.9.9.6] (SELFs, should match with ps3 firmware at release date), unknown (ebootroms)
=== AES CTR vulnerability on SELFs (and ebootroms maybe?) ===
 
Sometimes SCE reused the same AES CTR keys and IVs in different [[Certified File|Certified Files]].
 
See also [http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption].
 
See also [https://wiki.henkaku.xyz/vita/Vulnerabilities#AES_CTR_IV_reused_in_some_Certified_Files].
 
Patched: since some PS Vita prototype FWs as their [[Certified File|Certified Files]] started having always different IVs.
 
Maybe not patched on PS3 ebootroms.


=== PARAM.SFO stack-based buffer overflow ===
=== PARAM.SFO stack-based buffer overflow ===
http://seclists.org/fulldisclosure/2013/May/113
 
* [http://seclists.org/fulldisclosure/2013/May/113]


Patched: since 2012-05-01 ([[4.40_CEX|4.40]] and later)
Patched: since 2012-05-01 ([[4.40_CEX|4.40]] and later)
Line 57: Line 153:
==== Proof of Concept ====
==== Proof of Concept ====


Unsigned code can be added to the [[PARAM.SFO]] because the console does not recognize special characters
Unsigned code can be added to the [[PARAM.SFO]] because the console does not recognize special characters.


http://www.exploit-db.com/exploits/25718/
* [http://www.exploit-db.com/exploits/25718/]


Working on [[4.31_CEX|4.31]], Patched: since 2012-05-01 ([[4.40_CEX|4.40]] and later)
Working on [[4.31_CEX|4.31]]. Patched: since 2012-05-01 ([[4.40_CEX|4.40]] and later).
   
   
PoC: PARAM.SFO
PoC: PARAM.SFO
Line 90: Line 186:
=== AVP patch bypass exploit ===
=== AVP patch bypass exploit ===


Patched: since [[3.70_CEX|3.70]] and later
Patched: since [[3.70_CEX|3.70]] and later.


=== PSN security intrusion ===
=== PSN security intrusion ===
Line 97: Line 193:


=== Sony PSN Account Service - Password Reset Vulnerability ===
=== Sony PSN Account Service - Password Reset Vulnerability ===
http://www.vulnerability-lab.com/get_content.php?id=740  
 
* [http://www.vulnerability-lab.com/get_content.php?id=740]


Patched: since 2012-05-01
Patched: since 2012-05-01


=== Private key nonrandom fail ===
=== ECDSA private key non-random fail ===
 
See fail0verfl0w talk.


Patched: since [[3.56-1 CEX|3.56]]
Patched: since [[3.56-1 CEX|3.56]]
Line 109: Line 208:
Patched: since [[3.56-1 CEX|3.56]]
Patched: since [[3.56-1 CEX|3.56]]


=== USB config stack-based buffer overflow (PSjailbreak/PSGroove) ===
=== USB config heap-based buffer overflow (PSjailbreak/PSGroove) ===


Patched: since [[3.42_CEX|3.42]] and later
Patched: since [[3.42_CEX|3.42]] and later
Line 133: Line 232:
Patched: since [[2.50_CEX|2.50]] and later
Patched: since [[2.50_CEX|2.50]] and later


=== Downgrading with Hardware flasher ===
=== System Software Downgrade with hardware flasher ===
See also: [[Downgrading with Hardware flasher]]


Patched: since [[2.20_CEX|2.20]] and later (by adding [[CoreOS]] hashing in [[Syscon Hardware|Syscon]] to be checked by [[Hypervisor Reverse Engineering|hypervisor]]; worked around by patching hypervisor on [[3.56-1 CEX|3.56]] and lower capable consoles)
See also: [[Downgrading with Hardware flasher]].
 
Patched: since [[2.20_CEX|2.20]] and later (by adding [[CoreOS]] hashing in [[Syscon Hardware|Syscon]] to be checked by [[Hypervisor Reverse Engineering|hypervisor]]; worked around by patching hypervisor on [[3.56-1 CEX|3.56]] and lower capable consoles).


=== Full RSX access in OtherOS ===
=== Full RSX access in OtherOS ===
Line 143: Line 243:


=== Web browser DoS via a large integer value for the length property of a Select object ===
=== Web browser DoS via a large integer value for the length property of a Select object ===
http://www.cvedetails.com/cve/CVE-2009-2541/
 
* [http://www.cvedetails.com/cve/CVE-2009-2541/]


Patched: since 4 sept 2009
Patched: since 4 sept 2009


=== Remote Play UDP packets DoS ===
=== Remote Play UDP packets DoS ===
http://www.cvedetails.com/cve/CVE-2007-1728/ / http://cxsecurity.com/issue/WLB-2007030183
 
* [http://www.cvedetails.com/cve/CVE-2007-1728/ / http://cxsecurity.com/issue/WLB-2007030183]


Affected: [[1.60_CEX|2.10]] and PSP 3.10 OE-A
Affected: [[1.60_CEX|2.10]] and PSP 3.10 OE-A
Line 161: Line 263:


Patched
Patched


=== Game Bugs patched via Firmware ===
=== Game Bugs patched via Firmware ===
Line 175: Line 276:
  NPUB90215
  NPUB90215
  BLES00516
  BLES00516


  In order to correct this problem start up your Playstation 3 system and while on the XMB (Cross Media Bar/System Menu)
  In order to correct this problem start up your Playstation 3 system and while on the XMB (Cross Media Bar/System Menu)
Line 181: Line 281:
  You should be able to play the Afro Samurai Demo or update the retail game properly to the latest patch after this.
  You should be able to play the Afro Samurai Demo or update the retail game properly to the latest patch after this.


Source: http://support.bandainamcogames.com/index.php?/Knowledgebase/Article/View/216/233/afro-samurai-why-doesnt-my-game-start-up-ps3-only
Source: [http://support.bandainamcogames.com/index.php?/Knowledgebase/Article/View/216/233/afro-samurai-why-doesnt-my-game-start-up-ps3-only]
 
Patched: in ([[VSH]]) since (unknown)
 
== It is not a bug! It is a scekrit feature! ==
 
=== Renesas verify function works on 4 byte values in All renesas/nec SysCon chips ===
 
All NEC/Renesas syscon chips have their verify function working for a 4 byte array but 256 byte size, increasing the probability of finding the correct bytes as opposed to the intended 256 bytes.


Patched: in Firmware ([[VSH]]) since (unknown)
=== (Universal) Renesas checksum function works on 256 byte values (ALL SYSCON CHIPS, stock, PSP, PS Vita, PS3, PS4) ===


Renesas checksum feature works on 256 byte values instead of the intended block size, which means glitching could be done in a narrower margin, making the efforts a lot easier. it is also possible to identify 256 byte constants contiguous to each other by their checksums.


{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>

Latest revision as of 07:43, 9 May 2023

Unknown / unpatched[edit | edit source]

WebKit parseFloat() type confusion leading to stack buffer overflow[edit | edit source]

Credits[edit | edit source]

  • Zuk Avraham
  • TODO

Bug Description[edit | edit source]

When inserting NaN with a parameter as an argument into parseFloat(), we can overflow the tiny buffer created by parseFloat().

Analysis[edit | edit source]

Implementation[edit | edit source]

Patched[edit | edit source]

Patched on PS3 FW 4.83. Remains exploitable on higher firmwares by installing old WebKit sprx files in hybrid PUP.

WebKit CSS font face source type confusion leading to read primitive[edit | edit source]

Credits[edit | edit source]

TODO

Bug Description[edit | edit source]

While parsing the source of a CSS font face, CSSParser::parseFontFaceSrc() assumes the value given is a string, but if we insert a specific double value into an exploitable function like insert() or format(), we can leak the memory via an overlap between two variables.

Implementation[edit | edit source]

Patched[edit | edit source]

Patched on PS3 FW 4.83. Remains exploitable on higher firmwares by installing old WebKit sprx files in hybrid PUP.

RSX VRAM Access[edit | edit source]

Patched[edit | edit source]

Not Patched.

Memory corruption and NULL pointer in Unreal Tournament III 1.2[edit | edit source]

Unsure if it applies to PS3.

MacOS X 10.5/10.6 libc/strtod(3) buffer overflow[edit | edit source]

Unsure if it applies to PS3.

OpenPrinter() stack-based buffer overflow[edit | edit source]

Patched[edit | edit source]

?patched?

DOM flaw[edit | edit source]

http://seclists.org/fulldisclosure/2009/Jul/299

Patched[edit | edit source]

?patched?

PS3Xploit Kernel Exploit[edit | edit source]

Credits[edit | edit source]

  • Team PS3Xploit
  • TODO

Bug description[edit | edit source]

To be disclosed.

Implementation[edit | edit source]

Patched[edit | edit source]

Not patched as of PS3 FW 4.90.

Leakage of PTCH body plaintext over SPI on all BGA SYSCONs[edit | edit source]

When reading the body via the EEPROM read command, in all cases, the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface. Note that this ONLY happens when SC interacts with patch body and some specific areas.

Examples[edit | edit source]

MISO[edit | edit source]
04 C8 34 30 BD E4 9F 27 16 DE 5C C1 E7 A3 DA 9C 
7F 5B 29 9A 5A 48 5C 14 ED B2 DE 28 84 43 68 82 
98 87 4E D4 62 51 01 A9 24 34 02 B3 FF 26 63 17 
77 8E 95 56 B1 5F 9F 22 93 46 DE 4E 3A 5E 8A D3
MOSI[edit | edit source]
3C 3A 04 3F 25 A6 68 09 02 00 04 00 00 00 00 00 (0x26B0)
3C 3A 04 3F 71 AD 00 00 09 00 00 00 00 00 00 00 (0x26C0)
3C 3A 04 3F 8E D5 75 0D 00 00 00 00 00 00 00 00 (0x26D0)
3C 3A 04 3F 80 86 48 0B 0B 00 03 00 00 00 00 00 (0x26E0)

Patched[edit | edit source]

Lv2 sys_fs_mount stack overflow[edit | edit source]

Stack buffer overflow with required privileges when passing a length greater than 10. It now checks for length less than or equal to 10. If larger than 10, the length gets set to 10.

Patched: sometime before 4.40 (only fw I checked)

RSX Syscall bug[edit | edit source]

In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.
however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory.

Patched: 4.40

Lv2 sys_prx_register_module stack overflow[edit | edit source]

Stack buffer overflow which is fixed around 4.3x or 4.4x. Does not require any privileges.

Lv2 578 Syscall stack overflow[edit | edit source]

Stack buffer overflow which is fixed around 4.3x or 4.4x. Requires root privileges. Syscall is compiled with stack cookies.

Patched: 4.4x

AES CTR vulnerability on SELFs (and ebootroms maybe?)[edit | edit source]

Sometimes SCE reused the same AES CTR keys and IVs in different Certified Files.

See also [6].

See also [7].

Patched: since some PS Vita prototype FWs as their Certified Files started having always different IVs.

Maybe not patched on PS3 ebootroms.

PARAM.SFO stack-based buffer overflow[edit | edit source]

Patched: since 2012-05-01 (4.40 and later)

Proof of Concept[edit | edit source]

Unsigned code can be added to the PARAM.SFO because the console does not recognize special characters.

Working on 4.31. Patched: since 2012-05-01 (4.40 and later).

PoC: PARAM.SFO

PSF�� Ä @� � � � � � ��� � � � ��� � � � ��h � � % � � � �� , � � � �� 4
��� �
$� C ��� @ (� V ��� � h� j ��
€ p� t ��� € ð�
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE
TITLE
40ac78551a88fdc
SD
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]

Hackizeit: 1:33:07

ExpSkills: VL-LAB-TRAINING

Operation: 1%
Trojaners: 0%
... Õõ~\˜òíA×éú�;óç� 40ac78551a88fdc
...
BLES00371-NARUTO_STORM-0
HACKINGBKM 1
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];

AVP patch bypass exploit[edit | edit source]

Patched: since 3.70 and later.

PSN security intrusion[edit | edit source]

Patched: since 3.61 enforced password change

Sony PSN Account Service - Password Reset Vulnerability[edit | edit source]

Patched: since 2012-05-01

ECDSA private key non-random fail[edit | edit source]

See fail0verfl0w talk.

Patched: since 3.56

JIG downgrade[edit | edit source]

Patched: since 3.56

USB config heap-based buffer overflow (PSjailbreak/PSGroove)[edit | edit source]

Patched: since 3.42 and later

Leap year bug[edit | edit source]

Patched: since 3.40 and later

MP4 vulnerability[edit | edit source]

Patched: since 3.21 and later

Playback of Cinavia DRM protected titles[edit | edit source]

Patched: since 3.10 and later

Open Remote Play[edit | edit source]

Patched: since 2.80 and later

BD-J homebrew[edit | edit source]

Patched: since 2.50 and later

System Software Downgrade with hardware flasher[edit | edit source]

See also: Downgrading with Hardware flasher.

Patched: since 2.20 and later (by adding CoreOS hashing in Syscon to be checked by hypervisor; worked around by patching hypervisor on 3.56 and lower capable consoles).

Full RSX access in OtherOS[edit | edit source]

Patched: since 2.10 and later

Web browser DoS via a large integer value for the length property of a Select object[edit | edit source]

Patched: since 4 sept 2009

Remote Play UDP packets DoS[edit | edit source]

Affected: 2.10 and PSP 3.10 OE-A

Patched: since 13 nov 2008

Resistance: Fall of Man network update exploit[edit | edit source]

Patched

Warhawk network update exploit[edit | edit source]

Patched

Game Bugs patched via Firmware[edit | edit source]

Afro Samurai Black Screen[edit | edit source]

Black screen as a failed attempt to call:

cellAudioOutConfigure
cellSysutilAvconfExt_FA611DF4

Occours in Firmware 3.01

BLUS30264
NPUB90215
BLES00516
In order to correct this problem start up your Playstation 3 system and while on the XMB (Cross Media Bar/System Menu)
go to "Settings" and select "Sound Settings" from here select "Audio Multi-Output" and set this option to "OFF". 
You should be able to play the Afro Samurai Demo or update the retail game properly to the latest patch after this.

Source: [12]

Patched: in (VSH) since (unknown)

It is not a bug! It is a scekrit feature![edit | edit source]

Renesas verify function works on 4 byte values in All renesas/nec SysCon chips[edit | edit source]

All NEC/Renesas syscon chips have their verify function working for a 4 byte array but 256 byte size, increasing the probability of finding the correct bytes as opposed to the intended 256 bytes.

(Universal) Renesas checksum function works on 256 byte values (ALL SYSCON CHIPS, stock, PSP, PS Vita, PS3, PS4)[edit | edit source]

Renesas checksum feature works on 256 byte values instead of the intended block size, which means glitching could be done in a narrower margin, making the efforts a lot easier. it is also possible to identify 256 byte constants contiguous to each other by their checksums.