Editing FailMail

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
== Introduction ==
== Introduction ==
FailMail is an Exploit in the PSVita Mail application,
FailMail is an Exploit in the PSVita Mail application,
that allowed for System Uri Calling, (which resulted in an Arbitrary File Read) and Arbitrary File Writing
that allowed for System Uri Calling, (which resulted in Arbitrary file Dumping) and Arbitrary File Writing
It was patched in [[3.55]] and above firmware's
It was patched in [[3.55]] and above firmware's
== Remnants in later firmware ==
The FailMail exploit was never entirely patched, they blocked they simply made the email application only have access to the ux0:/calendar folder.
the System URI Functionality was also fixed. You can still dump files from ux0:/calendar using email attachments,
the only 'interesting' file in there is "ux0:/calendar/calendar.db" - the calendar apps database.
to dump it you can do the following:
1- create an event in the calendar with the description set to 'email:send?attach=ux0:/calendar/calendar.db'   
2- click on the 3 "dots" and press "Send via E-Mail"         
3- send it to an email you have access to     
you can now download it on a PC or other device, its a SQLLite3 file. so any sqllite database browser should be able to open it.


== Arbitrary File Writing ==
== Arbitrary File Writing ==
This is achieved by making the name of the attachment be "../../../" and then the path to the file you wanted to overwrite,   
This is achieved by making the name of the attachment be "../../../" and then the path to the file you wanted to overwrite,   
this worked because on [[3.55]] email attachments are saved to ux0:/temp/email/ as there full name which would become ux0:/temp/email/../../../ux0:/id.dat which would overwrite id.dat.  
this worked because on [[3.55]] email attachments are saved to ux0:/temp/email/ as there full name which would become ux0:/temp/email/../../../ux0:/id.dat which would overwrite id.dat.  
however, in 3.55 and above, there is an additional check to get the filename of the email excluding the path and write it there with that name instead, and in later firmwares, you cant do "../" to leave the current partition either.
however, in 3.55 and above, there is an additional check to get the filename of the email excluding the path and write it there with that name instead


== System URI Calling ==
== System URI Calling ==
Please note that all contributions to Vita Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see Vita Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)
Retrieved from "http://www.psdevwiki.com/vita/FailMail"