Avcontent.db. Arbitrary Delete.: Difference between revisions
(Created page with "== Introduction == The PlayStation Vita has a few apps for displaying various media formats. primarily the Photos, Videos, and Music applications, you can load images into the...") |
|||
(13 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== Introduction == | == Introduction == | ||
This is a disclosure of an vulnerability "Li" discovered back in 2019. | |||
The PlayStation Vita has a few apps for displaying various media formats. | The PlayStation Vita has a few apps for displaying various media formats. | ||
primarily the Photos, Videos, and Music applications, you can load images into these apps | primarily the Photos, Videos, and Music applications, you can load images into these apps | ||
media files require "promotion" to be put into these apps | media files require "promotion" to be put into these apps | ||
basically each of the media apps has a sqllite3 database called 'avcontent.db' inside | basically each of the media apps has a sqllite3 database called 'avcontent.db' inside ux0:mms/ | ||
== Arbitrary Delete == | == Arbitrary Delete == | ||
By editing the avcontent.db you can change the | using this you can delete any file from any *writable* partition on the PSVita. | ||
if you then delete it inside the app, it will not only delete the entry from the database, but it will delete that underlying file as well. | |||
By editing the tbl_VPContent inside avcontent.db you can change the "content_path" and "content_path_extension" columns to be whatever path you want to delete. . . | |||
if you then delete it inside the corresponding media app, it will not only delete the entry from the database, | |||
but it will delete that underlying file as well. | |||
== Arbitrary Read == | == Arbitrary Read == | ||
Using the | By editing the tbl_VPContent inside avcontent.db you can change the "content_path" and "content_path_extension" columns | ||
and then copying it with CMA, however this only worked with files inside ux0: | to the path you want to read . . . | ||
files outside there would not work, | |||
Using the photo app i was able to read arbitrary files by changing the path in the avcontent.db, | |||
and then copying it with CMA, however this only worked with files inside ux0: | |||
files outside there would not work. | |||
other stuff i tried: | |||
- doing it on a photo, and trying to "Upload" it to a website, but the web browser is sandboxed so this did not work. | |||
- Attaching a injected photo to an email and sending it, didnt seem to work, just 0bytes possibly [[FailMail]] lead to this being fixed?? | |||
== Exploitation == | == Exploitation == | ||
Ultimately this trick is kinda useless, it requires having access to the memory card to write a hacked avcontent.db in the first place, which if you had you can delete whatever you want anyway? | Ultimately this trick is kinda useless, it requires having access to the memory card to write a hacked avcontent.db in the first place, which if you had you can delete whatever you want anyway? | ||
(it could also be done with CMA i guess), so it'd only be useful for removing files from say ur0 | (it could also be done with CMA i guess), so it'd only be useful for removing files from say ur0) | ||
an interesting idea is to setup a SQL Trigger on delete to automatically put the entry back into the database, this way you could delete any file over and over again. | an interesting idea is to setup a SQL Trigger on delete to automatically put the entry back into the database, this way you could delete any file over and over again. | ||
this could be used to make a sort of 'unlink memory card' feature, that works even without hacks. but by the time i had this idea, there was already h-encore2.. | this could be used to make a sort of 'unlink memory card' feature, that works even without hacks. but by the time i had this idea, there was already h-encore2.. |
Latest revision as of 05:45, 12 May 2022
Introduction[edit | edit source]
This is a disclosure of an vulnerability "Li" discovered back in 2019.
The PlayStation Vita has a few apps for displaying various media formats. primarily the Photos, Videos, and Music applications, you can load images into these apps media files require "promotion" to be put into these apps
basically each of the media apps has a sqllite3 database called 'avcontent.db' inside ux0:mms/
Arbitrary Delete[edit | edit source]
using this you can delete any file from any *writable* partition on the PSVita.
By editing the tbl_VPContent inside avcontent.db you can change the "content_path" and "content_path_extension" columns to be whatever path you want to delete. . .
if you then delete it inside the corresponding media app, it will not only delete the entry from the database, but it will delete that underlying file as well.
Arbitrary Read[edit | edit source]
By editing the tbl_VPContent inside avcontent.db you can change the "content_path" and "content_path_extension" columns to the path you want to read . . .
Using the photo app i was able to read arbitrary files by changing the path in the avcontent.db, and then copying it with CMA, however this only worked with files inside ux0: files outside there would not work.
other stuff i tried:
- doing it on a photo, and trying to "Upload" it to a website, but the web browser is sandboxed so this did not work.
- Attaching a injected photo to an email and sending it, didnt seem to work, just 0bytes possibly FailMail lead to this being fixed??
Exploitation[edit | edit source]
Ultimately this trick is kinda useless, it requires having access to the memory card to write a hacked avcontent.db in the first place, which if you had you can delete whatever you want anyway? (it could also be done with CMA i guess), so it'd only be useful for removing files from say ur0)
an interesting idea is to setup a SQL Trigger on delete to automatically put the entry back into the database, this way you could delete any file over and over again. this could be used to make a sort of 'unlink memory card' feature, that works even without hacks. but by the time i had this idea, there was already h-encore2..