Difference between revisions of "Bugs & Vulnerabilities"

From PS3 Developer wiki
Jump to: navigation, search
m (To be disclosed. :))
(Leakage of PTCH body plaintext over SPI on some BGA SYSCONs)
(2 intermediate revisions by the same user not shown)
Line 34: Line 34:
  
 
Unpatched: To be disclosed.
 
Unpatched: To be disclosed.
 +
 +
=== Leakage of PTCH body plaintext over SPI on some BGA SYSCONs ===
 +
 +
When reading the body via the EEPROM read command, in some cases (like DEB-001 and DIA-001 boards), the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface.
  
 
== Patched ==
 
== Patched ==

Revision as of 11:30, 11 August 2019

Unknown / unpatched

Webkit buffer overflow

http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28458
Not Patched

RSX VRAM Access

http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28421
Not Patched

Memory corruption and NULL pointer in Unreal Tournament III 1.2

http://cxsecurity.com/issue/WLB-2008070060

unsure if applies to PS3?

MacOS X 10.5/10.6 libc/strtod(3) buffer overflow

http://cxsecurity.com/issue/WLB-2010010162

unsure if applies to PS3?

OpenPrinter() stack-based buffer overflow

http://seclists.org/fulldisclosure/2007/Jan/474

Patched: ?

DOM flaw

http://seclists.org/fulldisclosure/2009/Jul/299

Patched: ?

Kernel Exploit

Unpatched: To be disclosed.

Leakage of PTCH body plaintext over SPI on some BGA SYSCONs

When reading the body via the EEPROM read command, in some cases (like DEB-001 and DIA-001 boards), the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface.

Patched

Lv2 sys_fs_mount stack overflow

Stack buffer overflow with required priveleges when passing a length greater than 10. It now checks for length less than or equal to 10. If larger than 10, the length gets set to 10.
https://nwert.wordpress.com/2012/09/19/exploiting-lv2/
http://pastie.org/4755699

Patched: sometime before 4.40 (only fw I checked)

RSX Syscall bug

In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.
however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory.

Patched: 4.40

CTR bugs on SELFs (and ebootroms maybe?)

http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption CTR bugs on SELFs

Patched: since Vita pre-retail 0.9.9.6 (SELFs, should match with ps3 firmware at release date), unknown (ebootroms)

PARAM.SFO stack-based buffer overflow

http://seclists.org/fulldisclosure/2013/May/113

Patched: since 2012-05-01 (4.40 and later)

Proof of Concept

Unsigned code can be added to the PARAM.SFO because the console does not recognize special characters

http://www.exploit-db.com/exploits/25718/

Working on 4.31, Patched: since 2012-05-01 (4.40 and later)

PoC: PARAM.SFO

PSF�� Ä @� � � � � � ��� � � � ��� � � � ��h � � % � � � �� , � � � �� 4
��� �
$� C ��� @ (� V ��� � h� j ��
€ p� t ��� € ð�
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE
TITLE
40ac78551a88fdc
SD
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]

Hackizeit: 1:33:07

ExpSkills: VL-LAB-TRAINING

Operation: 1%
Trojaners: 0%
... Õõ~\˜òíA×éú�;óç� 40ac78551a88fdc
...
BLES00371-NARUTO_STORM-0
HACKINGBKM 1
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];

AVP patch bypass exploit

Patched: since 3.70 and later

PSN security intrusion

Patched: since 3.61 enforced password change

Sony PSN Account Service - Password Reset Vulnerability

http://www.vulnerability-lab.com/get_content.php?id=740

Patched: since 2012-05-01

Private key nonrandom fail

Patched: since 3.56

JIG downgrade

Patched: since 3.56

USB config heap-based buffer overflow (PSjailbreak/PSGroove)

Patched: since 3.42 and later

Leap year bug

Patched: since 3.40 and later

MP4 vulnerability

Patched: since 3.21 and later

Playback of Cinavia DRM protected titles

Patched: since 3.10 and later

Open Remote Play

Patched: since 2.80 and later

BD-J homebrew

Patched: since 2.50 and later

Downgrading with Hardware flasher

See also: Downgrading with Hardware flasher

Patched: since 2.20 and later (by adding CoreOS hashing in Syscon to be checked by hypervisor; worked around by patching hypervisor on 3.56 and lower capable consoles)

Full RSX access in OtherOS

Patched: since 2.10 and later

Web browser DoS via a large integer value for the length property of a Select object

http://www.cvedetails.com/cve/CVE-2009-2541/

Patched: since 4 sept 2009

Remote Play UDP packets DoS

http://www.cvedetails.com/cve/CVE-2007-1728/ / http://cxsecurity.com/issue/WLB-2007030183

Affected: 2.10 and PSP 3.10 OE-A

Patched: since 13 nov 2008

Resistance: Fall of Man network update exploit

Patched

Warhawk network update exploit

Patched


Game Bugs patched via Firmware

Afro Samurai Black Screen

Black screen as a failed attempt to call:

cellAudioOutConfigure
cellSysutilAvconfExt_FA611DF4

Occours in Firmware 3.01

BLUS30264
NPUB90215
BLES00516


In order to correct this problem start up your Playstation 3 system and while on the XMB (Cross Media Bar/System Menu)
go to "Settings" and select "Sound Settings" from here select "Audio Multi-Output" and set this option to "OFF". 
You should be able to play the Afro Samurai Demo or update the retail game properly to the latest patch after this.

Source: http://support.bandainamcogames.com/index.php?/Knowledgebase/Article/View/216/233/afro-samurai-why-doesnt-my-game-start-up-ps3-only

Patched: in Firmware (VSH) since (unknown)