Difference between revisions of "Bugs & Vulnerabilities"

From PS3 Developer wiki
Jump to: navigation, search
(Leakage of PTCH body plaintext over SPI on some BGA SYSCONs)
(Leakage of PTCH body plaintext over SPI on some BGA SYSCONs)
Line 37: Line 37:
 
=== Leakage of PTCH body plaintext over SPI on some BGA SYSCONs ===
 
=== Leakage of PTCH body plaintext over SPI on some BGA SYSCONs ===
  
When reading the body via the EEPROM read command, in some cases (like DEB-001 and DIA-001 boards), the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface.
+
When reading the body via the EEPROM read command, in some cases (like DEB-001 and DIA-001 boards), the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface. Note that this ONLY happens when SC interacts with patch body and some specific areas.
  
 
== Patched ==
 
== Patched ==

Revision as of 15:36, 11 August 2019

Unknown / unpatched

Webkit buffer overflow

http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28458
Not Patched

RSX VRAM Access

http://playstationhax.xyz/forums/topic/2807-release-full-rsx-vramio-access-exploit/?do=findComment&comment=28421
Not Patched

Memory corruption and NULL pointer in Unreal Tournament III 1.2

http://cxsecurity.com/issue/WLB-2008070060

unsure if applies to PS3?

MacOS X 10.5/10.6 libc/strtod(3) buffer overflow

http://cxsecurity.com/issue/WLB-2010010162

unsure if applies to PS3?

OpenPrinter() stack-based buffer overflow

http://seclists.org/fulldisclosure/2007/Jan/474

Patched: ?

DOM flaw

http://seclists.org/fulldisclosure/2009/Jul/299

Patched: ?

Kernel Exploit

Unpatched: To be disclosed.

Leakage of PTCH body plaintext over SPI on some BGA SYSCONs

When reading the body via the EEPROM read command, in some cases (like DEB-001 and DIA-001 boards), the MISO of the SPI will leak the plaintext of the PTCH body to someone who might be interacting with the EEPROM interface. Note that this ONLY happens when SC interacts with patch body and some specific areas.

Patched

Lv2 sys_fs_mount stack overflow

Stack buffer overflow with required priveleges when passing a length greater than 10. It now checks for length less than or equal to 10. If larger than 10, the length gets set to 10.
https://nwert.wordpress.com/2012/09/19/exploiting-lv2/
http://pastie.org/4755699

Patched: sometime before 4.40 (only fw I checked)

RSX Syscall bug

In most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.
however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory.

Patched: 4.40

CTR bugs on SELFs (and ebootroms maybe?)

http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption CTR bugs on SELFs

Patched: since Vita pre-retail 0.9.9.6 (SELFs, should match with ps3 firmware at release date), unknown (ebootroms)

PARAM.SFO stack-based buffer overflow

http://seclists.org/fulldisclosure/2013/May/113

Patched: since 2012-05-01 (4.40 and later)

Proof of Concept

Unsigned code can be added to the PARAM.SFO because the console does not recognize special characters

http://www.exploit-db.com/exploits/25718/

Working on 4.31, Patched: since 2012-05-01 (4.40 and later)

PoC: PARAM.SFO

PSF�� Ä @� � � � � � ��� � � � ��� � � � ��h � � % � � � �� , � � � �� 4
��� �
$� C ��� @ (� V ��� � h� j ��
€ p� t ��� € ð�
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE
TITLE
40ac78551a88fdc
SD
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]

Hackizeit: 1:33:07

ExpSkills: VL-LAB-TRAINING

Operation: 1%
Trojaners: 0%
... Õõ~\˜òíA×éú�;óç� 40ac78551a88fdc
...
BLES00371-NARUTO_STORM-0
HACKINGBKM 1
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];

AVP patch bypass exploit

Patched: since 3.70 and later

PSN security intrusion

Patched: since 3.61 enforced password change

Sony PSN Account Service - Password Reset Vulnerability

http://www.vulnerability-lab.com/get_content.php?id=740

Patched: since 2012-05-01

Private key nonrandom fail

Patched: since 3.56

JIG downgrade

Patched: since 3.56

USB config heap-based buffer overflow (PSjailbreak/PSGroove)

Patched: since 3.42 and later

Leap year bug

Patched: since 3.40 and later

MP4 vulnerability

Patched: since 3.21 and later

Playback of Cinavia DRM protected titles

Patched: since 3.10 and later

Open Remote Play

Patched: since 2.80 and later

BD-J homebrew

Patched: since 2.50 and later

Downgrading with Hardware flasher

See also: Downgrading with Hardware flasher

Patched: since 2.20 and later (by adding CoreOS hashing in Syscon to be checked by hypervisor; worked around by patching hypervisor on 3.56 and lower capable consoles)

Full RSX access in OtherOS

Patched: since 2.10 and later

Web browser DoS via a large integer value for the length property of a Select object

http://www.cvedetails.com/cve/CVE-2009-2541/

Patched: since 4 sept 2009

Remote Play UDP packets DoS

http://www.cvedetails.com/cve/CVE-2007-1728/ / http://cxsecurity.com/issue/WLB-2007030183

Affected: 2.10 and PSP 3.10 OE-A

Patched: since 13 nov 2008

Resistance: Fall of Man network update exploit

Patched

Warhawk network update exploit

Patched


Game Bugs patched via Firmware

Afro Samurai Black Screen

Black screen as a failed attempt to call:

cellAudioOutConfigure
cellSysutilAvconfExt_FA611DF4

Occours in Firmware 3.01

BLUS30264
NPUB90215
BLES00516


In order to correct this problem start up your Playstation 3 system and while on the XMB (Cross Media Bar/System Menu)
go to "Settings" and select "Sound Settings" from here select "Audio Multi-Output" and set this option to "OFF". 
You should be able to play the Afro Samurai Demo or update the retail game properly to the latest patch after this.

Source: http://support.bandainamcogames.com/index.php?/Knowledgebase/Article/View/216/233/afro-samurai-why-doesnt-my-game-start-up-ps3-only

Patched: in Firmware (VSH) since (unknown)