Bugs & Vulnerabilities
Unknown / unpatched
Webkit buffer overflow
RSX VRAM Access
Memory corruption and NULL pointer in Unreal Tournament III 1.2
http://cxsecurity.com/issue/WLB-2008070060
unsure if applies to PS3?
MacOS X 10.5/10.6 libc/strtod(3) buffer overflow
http://cxsecurity.com/issue/WLB-2010010162
unsure if applies to PS3?
OpenPrinter() stack-based buffer overflow
http://seclists.org/fulldisclosure/2007/Jan/474
Patched: ?
DOM flaw
http://seclists.org/fulldisclosure/2009/Jul/299
Patched: ?
Patched
RSX Syscall bug
In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.
however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory.
Patched: 4.45
CTR bugs on SELFs (and ebootroms maybe?)
http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption CTR bugs on SELFs
Patched: since Vita pre-retail 0.9.9.6 (SELFs, should match with ps3 firmware at release date), unknown (ebootroms)
PARAM.SFO stack-based buffer overflow
http://seclists.org/fulldisclosure/2013/May/113
Patched: since 2012-05-01 (4.40 and later)
Proof of Concept
Unsigned code can be added to the PARAM.SFO because the console does not recognize special characters
http://www.exploit-db.com/exploits/25718/
Working on 4.31, Patched: since 2012-05-01 (4.40 and later)
PoC: PARAM.SFO
PSF�� Ä @� � � � � � ��� � � � ��� � � � ��h � � % � � � �� , � � � �� 4 ��� � $� C ��� @ (� V ��� � h� j �� € p� t ��� € ð� ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE 40ac78551a88fdc SD PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!] Hackizeit: 1:33:07 ExpSkills: VL-LAB-TRAINING Operation: 1% Trojaners: 0% ... Õõ~\˜òíA×éú�;óç� 40ac78551a88fdc ... BLES00371-NARUTO_STORM-0 HACKINGBKM 1 PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];
AVP patch bypass exploit
Patched: since 3.70 and later
PSN security intrusion
Patched: since 3.61 enforced password change
Sony PSN Account Service - Password Reset Vulnerability
http://www.vulnerability-lab.com/get_content.php?id=740
Patched: since 2012-05-01
Private key nonrandom fail
Patched: since 3.56
JIG downgrade
Patched: since 3.56
USB config stack-based buffer overflow (PSjailbreak/PSGroove)
Patched: since 3.42 and later
Leap year bug
Patched: since 3.40 and later
MP4 vulnerability
Patched: since 3.21 and later
Patched: since 3.10 and later
Open Remote Play
Patched: since 2.80 and later
BD-J homebrew
Patched: since 2.50 and later
Downgrading with Hardware flasher
See also: Downgrading with Hardware flasher
Patched: since 2.20 and later (by adding CoreOS hashing in Syscon to be checked by hypervisor; worked around by patching hypervisor on 3.56 and lower capable consoles)
Full RSX access in OtherOS
Patched: since 2.10 and later
Web browser DoS via a large integer value for the length property of a Select object
http://www.cvedetails.com/cve/CVE-2009-2541/
Patched: since 4 sept 2009
Remote Play UDP packets DoS
http://www.cvedetails.com/cve/CVE-2007-1728/ / http://cxsecurity.com/issue/WLB-2007030183
Affected: 2.10 and PSP 3.10 OE-A
Patched: since 13 nov 2008
Resistance: Fall of Man network update exploit
Patched
Warhawk network update exploit
Patched
Game Bugs patched via Firmware
Afro Samurai Black Screen
Black screen as a failed attempt to call:
cellAudioOutConfigure cellSysutilAvconfExt_FA611DF4
Occours in Firmware 3.01
BLUS30264 NPUB90215 BLES00516
In order to correct this problem start up your Playstation 3 system and while on the XMB (Cross Media Bar/System Menu) go to "Settings" and select "Sound Settings" from here select "Audio Multi-Output" and set this option to "OFF". You should be able to play the Afro Samurai Demo or update the retail game properly to the latest patch after this.
Patched: in Firmware (VSH) since (unknown)