Usermode[edit | edit source]

Internet Browser[edit | edit source]

Bug in nested loop requests out of a standard tag (Vulnerability Laboratory ID 187) leading to DoS and PS3 OS crash[edit | edit source]

Credits[edit | edit source]

• Anonymous for discovering the vulnerability and publicly disclosing it (2011-06-18)

Analysis[edit | edit source]

• Write-up and PoC by Anonymous (2011-06-18)

Bug description[edit | edit source]

A denial of service vulnerability is detected on the PS3 Internet Browser. The bug is located in the browser when including specific nested loop requests out of a standard tag. After exploitation of the web browser, the System Software crashes via heap freeze when memory full on main menu switch back.

Implementation[edit | edit source]

• Write-up and PoC by Anonymous (2011-06-18)

Patched[edit | edit source]

Maybe around 2011-06-18 but anyway not useful except for DoS.

Unlimited value of HTMLSelect.length() (CVE-2009-1692, CVE-2009-2541, GSEC-TZO-26-2009) leading to DoS and PS3 OS crash[edit | edit source]

Credits[edit | edit source]

• Thierry Zoller for discovering the vulnerability and publicly disclosing it (2008-10-19)

Analysis[edit | edit source]

• Bugzilla report (2008-10-19)
• CVE-2009-2541 details

Bug description[edit | edit source]

The PS3 Web browser can make the PS3 crash via a large integer value set for the length property of a Select object in a JavaScript script.

Implementation[edit | edit source]

• Write-up and PoC by Thierry Zoller (2009)

Patched[edit | edit source]

Maybe around 2009-09-04 but anyway not useful except for DoS.

PlayStation Network[edit | edit source]

PSN Account[edit | edit source]

PSN security intrusion[edit | edit source]

Patched[edit | edit source]

Yes since 3.61 enforced password change

Sony PSN Account Service - Password Reset Vulnerability[edit | edit source]

• [1]

Patched[edit | edit source]

Yes since 2012-05-01.

Syscon Firmware[edit | edit source]

RTC[edit | edit source]

2015 leap year bug[edit | edit source]

To be documented.

The PS3 may be affected by the "leap second 23:59:60" bug that happens when the clock gets at 2015 June 30, 23h 59m 60s.

Could it be used for anything else than DoS?

Patched[edit | edit source]

Maybe.

2010 leap year bug[edit | edit source]

To be documented by diffing PS3 3.30 and 3.40 PUPs, notably the RTC module and the FAT PS3 Syscon firmware patch.

The PS3 is affected by the 2010 leap year bug that happens when the clock gets at 2010 February 28, 23h 59m 60s.

The bug caused the console to treat 2010 as a leap year and so change the date at midnight GMT to 29 February rather than 1 March. The new, slimline PS3s were not affected.

"The current date and time could not be obtained. (8001050F)" As a consequence, another error triggered is "An error has occurred. You have been signed out of PlayStation Network (8001050F)".

Could it be used for anything else than DoS? CelesteBlue's hypothesis is that the bug causes a reset of one of the RTC clocks (secure, network, user-defined, etc.) to Jan 1, 2000, whilst other are not, and that difference is detected by the console as a security issue so it disables PlayStation Network access, and probably also Dev/Test Kit activation as long as the clock are not synchronized again.

• https://www.theregister.com/2010/03/02/ps3_psn_access_bug_bypassed/
• https://www.wired.com/2010/03/apocalyps3/
• https://web.archive.org/web/20100302165710/http://blog.us.playstation.com/2010/03/latest-info-on-playstation-network-status/
• https://web.archive.org/web/20120415101201/http://www.gamesradar.com/psn-error-8001050f-sonys-official-response/
• https://www.youtube.com/watch?v=1CJ9Q8bG-0s

Patched[edit | edit source]

Yes since 3.40. It was probably patched via a RTC module update and/or a Syscon firmware update.

Unsorted[edit | edit source]

Either usermode or DRM piracy[edit | edit source]

MP4 format video files security vulnerability[edit | edit source]

To be documented by diffing PS3 3.20 and 3.21 MP4 decoding libraries.

From PlayStation®3 system software version 3.21 official changelog: "The PlayStation®3 system software version 3.21 update includes the following: [...] A security patch was added to address security vulnerabilities that may occur when playing MP4 format video files."

It is unsure what Sony means by "security vulnerability" here. It could be a bypass of video files DRM protections, and not DoS or arbitrary code execution.

Patched[edit | edit source]

Yes since 3.21.

v e Reverse engineering General Bluedisk EID0 reDRM · Boot Order · Boot Memory Type · Bugs · Vulnerabilities · Dumping Bootldr · Dumping Metldr · Files on the PS3 · KaKaRoTo_Kind_of_´Jailbreak´ · PS3Cobra Payload Reverse Engineering · PS3UserCheat · QA Flagging · ReDRM / Piracy dongles · Revoke List · RSOD Fix‎ · rtcalarm.dat · Whitelisting · VTRM Hypervisor Hypervisor Reverse Engineering · Repository Nodes · RSX LV1 Info Services Appliance Information Manager · AV Manager · Dispatcher Manager · Factory Data Manager · Indi Info Manager · SB Manager · SC Manager · Secure LPAR Loader · Secure Profile Loader · Secure RTC Manager · Security Policy Manager · Storage Manager · Update Manager · Updater Frontend · USB Dongle Authenticator · User Token Manager · Virtual TRM Manager Plugin Interfaces ap_plugin · audioplayer_plugin · audiop_plugin_dummy · audiop_plugin_mini · auth_plugin · autodownload_plugin · autoupdateconf_plugin · avc_plugin · avc_util · avc2_game_plugin · avc2_game_video_plugin · avc2_text_plugin · bdp_disccheck_plugin · bdp_plugin · bdp_storage_plugin · campaign_plugin · category_setting_plugin · comboplay_plugin · custom_render_plugin · data_copy_plugin · deviceconf_plugin · dlna_plugin · download_plugin · dtcpip_util · edy_plugin · esehttp · eseibrd · eseidle · eselock · eula_cddb_plugin · eula_hcopy_plugin · eula_net_plugin · explore_plugin · explore_plugin_ft · explore_plugin_game · explore_plugin_np · filecopy_plugin · friendim_plugin · friendml_plugin · friendtrophy_plugin · game_ext_plugin · game_indicator_plugin · game_plugin · gamedata_plugin · gamelib_plugin · gameupdate_plugin · hknw_plugin · idle_plugin · impose_plugin · kensaku_plugin · msgdialog_plugin · mtpinitiator_plugin · musicbrowser_plugin · nas_plugin · netconf_plugin · newstore_plugin · np_eula_plugin · np_matching_plugin · np_multisignin_plugin · np_sns_plugin · npsignin_plugin · np_trophy_ingame · np_trophy_plugin · osk · oskfullkeypanel · oskpanel · pesm_plugin · photo_network_sharing_plugin · photolist_plugin · photoviewer_plugin · playlist_plugin · poweroff_plugin · premo_plugin · premo_game_plugin · print_plugin · profile_plugin · ps3_savedata_plugin · ps3_savedata_plugin_game · ps3_savedata_plugin_psp · rec_plugin · regcam_plugin · remotedownload_plugin · sacd_plugin · scenefolder_plugin · screenshot_plugin · software_update_plugin · soundvisualizer_plugin · strviewer_plugin · sysconf_plugin · system_plugin · thumthum_plugin · upload_util · user_info_plugin · user_plugin · videodownloader_plugin · videoeditor_plugin · videoplayer_util · videoplayer_plugin · vmc_savedata_plugin · wboard_plugin · webbrowser_plugin · webbrowser_service · webrender_plugin · xai_plugin · xmb_ingame · xmb_plugin Emulation General PS1 Emulation  ·  PS2 Emulation  ·  PS2 Emulation/PS2 Config Commands  ·  PSP Emulation  ·  Sega Saturn Emulation  ·  Neo Geo Emulation Compatibility Lists PS1 Classics Emulator Compatibility List  ·  PS2 Classics Emulator Compatibility List  ·  PS2 GXemu Emulator Compatibility List  ·  PS2 Emulation/PS2 Games Masterlist  ·  PSP HD & Minis Emulator Compatibility List  ·  Sega Saturn Emulator Compatibility List PS Classics Configuration Files PS1 Classics Configuration Files (Official)  ·  PS1 Classics Configuration Files (Unofficial)  ·  PS2 Classics Configuration Files (Official)  ·  PS2 Classics Configuration Files (Unofficial)  ·  PSP HD & Minis Configuration Files (Official)  ·  PSP HD & Minis Configuration Files (Unofficial) Manuals PS2 Classics Manuals Extended features Printer support · Remote Play · String Viewer · Web Browser · XMB In-game background music · PS3 and PSVita Cross Functions · Widgets · Life with PlayStation · PlayView · XMB Manuals Online Consoleban · Environments · Online Connections · PSN · PSN Handshake Signup · X-I-5-Ticket Hardware SC SC Communication · SC EEPROM · Remarry Syscon · Syscon Thermal Configs · Syscon SPI CELL Cell Configuration Ring · CELL Reset Exploit · CellBE Hardware Implementation Registers · Unlocking the 8th SPE · SPU Isolated Modules Reverse Engineering · SPU LS Overflow Exploit RAM XDR Configuration · Rambus Registers SB ENCDEC Device Reverse Engineering HDD HDD Encryption BD Bluray disc · Basic Bluray disc authentication procedure · BD Drive Reverse Engineering · Disc Identification/Serialization Data · ODE · Remarry Bluray Drive Tools IDA pro disassembler and debugger · CCAPI · 0x000EAEB0 · Ps3.xml · Nids.txt · Nids all.txt · Unknown nids.txt · Fnids.idh Strings files emer_init · aim spu module‎ · lv1‎ · hdd_copy · eurus_fw · lv0 · factory data mngr dumps lv2 dump (Rebug 4.46) · lv1 dump (Rebug 4.46) · bootldr dump (2.70) · Network Loading of lv1ldr and above executables Reference Archaic · Drk_notes · Canaries Keys & Seeds Keys · Per Console Keys · Fail Keys · Seeds · ECDSA binaries · AES binaries · DES binaries · Cryptography Tricks