Date: Tue, 21 May 2013 18:29:34 +0300
From: Julius Kivimäki <julius.kivimaki@...il.com>
To: Vulnerability Lab <research@...nerability-lab.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Sony PS3 Firmware v4.31 - Code Execution Vulnerability

So, wanna tell me what exactly is critical about you being able to inject
marquee tags into your savefile names?


2013/5/21 Vulnerability Lab <research@...nerability-lab.com>

> Title:
> ======
> Sony PS3 Firmware v4.31 - Code Execution Vulnerability
>
>
> Date:
> =====
> 2013-05-12
>
>
> References:
> ===========
> http://www.vulnerability-lab.com/get_content.php?id=767
>
>
> VL-ID:
> =====
> 767
>
>
> Common Vulnerability Scoring System:
> ====================================
> 6.5
>
>
> Introduction:
> =============
> The PlayStation 3 is the third home video game console produced by Sony
> Computer Entertainment and the successor to the
> PlayStation 2 as part of the PlayStation series. The PlayStation 3
> competes with Microsoft's Xbox 360 and Nintendo's Wii
> as part of the seventh generation of video game consoles. It was first
> released on November 11, 2006, in Japan, with
> international markets following shortly thereafter.
>
> Major features of the console include its unified online gaming service,
> the PlayStation Network, its multimedia capabilities,
> connectivity with the PlayStation Portable, and its use of the Blu-ray
> Disc as its primary storage medium.
>
> (Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_3 )
>
>
> PlayStation Network, often abbreviated as PSN, is an online multiplayer
> gaming and digital media delivery service provided/run
> by Sony Computer Entertainment for use with the PlayStation 3, PlayStation
> Portable, and PlayStation Vita video game consoles.
> The PlayStation Network is the video game portion of the Sony
> Entertainment Network.
>
> (Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_Network)
>
>
> Abstract:
> =========
> The Vulnerability Laboratory Research Team discovered a code execution
> vulnerability in the official Playstation3 v4.31 Firmware.
>
>
> Report-Timeline:
> ================
> 2012-10-26:     Researcher Notification & Coordination
> 2012-11-18:     Vendor Notification 1
> 2012-12-14:     Vendor Notification 2
> 2012-01-18:     Vendor Notification 3
> 2012-**-**:     Vendor Response/Feedback
> 2012-05-01:     Vendor Fix/Patch by Check
> 2012-05-13:     Public Disclosure
>
>
> Status:
> ========
> Published
>
>
> Affected Products:
> ==================
> Sony
> Product: Playstation 3 4.31
>
>
> Exploitation-Technique:
> =======================
> Local
>
>
> Severity:
> =========
> High
>
>
> Details:
> ========
> A local code execution vulnerability is detected in the official
> Playstation3 v4.31 Firmware.
> The vulnerability allows local attackers to inject and execute code out of
> vulnerable ps3 menu main web context.
>
> There are 3 types of save games for the sony ps3. The report is only bound
> to the .sfo save games of the Playstation3.
> The ps3 save games sometimes use a PARAM.SFO file in the folder (USB or
> PS3 HD) to display movable text like marquees,
> in combination with a video, sound and the (path) background picture.
> Normally the ps3 firmware parse the redisplayed
> save game values & detail information text when processing to load it via
> usb/ps3-hd. The import ps3 preview filtering
> can be bypassed via a splitted char by char injection of script code or
> system (ps3 firmware) specific commands.
>
> The attacker synchronizes his computer (to change the usb context) with USB
> (Save Game) and connects to the network
> (USB, COMPUTER, PS3), updates the save game via computer and can execute
> the context directly out of the ps3 savegame preview
> listing menu (SUB/HD). The exploitation requires local system access, a
> manipulated .sfo file, a USB device. The attacker
> can only use the given byte size of the saved string (attribute values) to
> inject his own commands or script code.
>
> The ps3 filter system of the SpeicherDaten (DienstProgramm) module does
> not recognize special chars and does not provide
> any kind of input restrictions. Attackers can manipulate the .sfo file of
> a save game to execute system specific commands
> or inject malicious persistent script code.
>
> Successful exploitation of the vulnerability can result in persistent but
> local system command executions, psn session
> hijacking, persistent phishing attacks, external redirect out of the
> vulnerable module, stable persistent save game preview
> listing context manipulation.
>
>
> Vulnerable Section(s):
>                                 [+] PS Menu > Game (Spiel)
>
> Vulnerable Module(s):
>                                 [+] SpeicherDaten (DienstProgramm) PS3 >
> USB Gerät
>
> Affected Section(s):
>                                 [+] Title - Save Game Preview Resource
> (Detail Listing)
>
>
> Proof of Concept:
> =================
> The firmware preview listing validation vulnerability can be exploited by
> local attackers and with low or medium required user interaction.
> For demonstration or reproduce ...
>
> The attacker needs to sync his computer (to change the usb context) with
> USB (Save Game) and connects to the network
> (USB, COMPUTER, +PS3), updates the save game via computer and can execute
> the context directly out of the ps3 savegame preview
> listing menu (SUB/HD). The exploitation requires local system access, a
> manipulated .sfo file, a USB device. The attacker
> can only use the given byte size of the saved string (attribute values) to
> inject his own commands or script code.
>
> The ps3 filter system of the SpeicherDaten (DienstProgramm) module does
> not recognize special chars and does not provide
> any kind of input restrictions. Attackers can manipulate the .sfo file of
> a save game to execute system specific commands
> or inject malicious persistent script code out of the save game preview
> listing.
>
> If you inject standard frames or system unknown commands (jailbreak)
> without passing the filter char by char and direct sync
> as update you will fail to reproduce!
>
> PoC: PARAM.SFO
>
> ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL
> SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE
> 40ac78551a88fdc
> SD
> PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR
> CODE!]
>
> Hackizeit: 1:33:07
>
> ExpSkills: VL-LAB-TRAINING
>
> Operation: 1%
> Trojaners: 0%
> ...
> BLES00371-NARUTO_STORM-0
> HACKINGBKM 1
> PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR
> CODE!];
>
>
>
> Solution:
> =========
> Restrict the savegame name input and disallow special chars.
> Encode the savegame values when redisplaying them in the menu preview of the
> game.
> Parse the strings and values from the savegames even if included string by
> string via sync.
>
>
> Risk:
> =====
> The security risk of the highly exploitable but local vulnerability is
> estimated as critical and needs to be fixed soon.
>
>
> Credits:
> ========
> Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri  (
> bkm@...nerability-lab.com)
>
>
> Disclaimer:
> ===========
> The information provided in this advisory is provided as it is without any
> warranty. Vulnerability-Lab disclaims all warranties,
> either expressed or implied, including the warranties of merchantability
> and capability for a particular purpose. Vulnerability-
> Lab or its suppliers are not liable in any case of damage, including
> direct, indirect, incidental, consequential loss of business
> profits or special damages, even if Vulnerability-Lab or its suppliers
> have been advised of the possibility of such damages. Some
> states do not allow the exclusion or limitation of liability for
> consequential or incidental damages so the foregoing limitation
> may not apply. We do not approve or encourage anybody to break any vendor
> licenses, policies, deface websites, hack into databases
> or trade with fraud/stolen material.
>
> Domains:    www.vulnerability-lab.com           - www.vuln-lab.com
>                       - www.vulnerability-lab.com/register
> Contact:    admin@...nerability-lab.com         -
> support@...nerability-lab.com                -
> research@...nerability-lab.com
> Section:    video.vulnerability-lab.com         -
> forum.vulnerability-lab.com                  - news.vulnerability-lab.com
> Social:     twitter.com/#!/vuln_lab             -
> facebook.com/VulnerabilityLab                -
> youtube.com/user/vulnerability0lab
> Feeds:      vulnerability-lab.com/rss/rss.php   -
> vulnerability-lab.com/rss/rss_upcoming.php   -
> vulnerability-lab.com/rss/rss_news.php
>
> Any modified copy or reproduction, including partially usages, of this
> file requires authorization from Vulnerability Laboratory.
> Permission to electronically redistribute this alert in its unmodified
> form is granted. All other rights, including the use of other
> media, are reserved by Vulnerability-Lab Research Team or its suppliers.
> All pictures, texts, advisories, source code, videos and
> other information on this website is trademark of vulnerability-lab team &
> the specific authors or managers. To record, list (feed),
> modify, use or edit our material contact (admin@...nerability-lab.com or
> support@...nerability-lab.com) to get a permission.
>
>                                         Copyright © 2013 | Vulnerability
> Laboratory
>
> --
> VULNERABILITY RESEARCH LABORATORY
> LABORATORY RESEARCH TEAM
> CONTACT: research@...nerability-lab.com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

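An added example, not code from the advisory, the list reply or Sony's firmware: a small Python parser for the PARAM.SFO (PSF) layout the PoC shows (keys such as TITLE, SUB_TITLE, CATEGORY), plus the two measures the advisory's Solution section asks for, an input restriction and output encoding, run over a constructed sample title carrying the quote and angle-bracket characters from the PoC. The PSF header offsets and format codes are assumed from the publicly documented layout, not taken from the advisory; the sample values and the `[INJECTED]` placeholder are constructed.

```python
import html
import struct

# Characters the advisory's Solution section says should be disallowed or
# encoded before a savegame title is redisplayed in the menu preview.
UNSAFE = set('<>"\'&')

def build_sfo(entries):
    """Build a minimal PARAM.SFO (PSF v1.1) from {key: str|int}: a constructed sample.
    Assumed layout: 20-byte header, 16-byte index entries, key table, data table."""
    keys = sorted(entries)                      # real files keep keys sorted
    key_blob, data_blob, index = b"", b"", b""
    for k in keys:
        v = entries[k]
        if isinstance(v, int):
            fmt, val = 0x0404, struct.pack("<I", v)        # 32-bit integer entry
        else:
            fmt, val = 0x0204, v.encode("utf-8") + b"\0"   # null-terminated UTF-8
        max_len = (len(val) + 3) & ~3                      # data is 4-byte padded
        index += struct.pack("<HHIII", len(key_blob), fmt, len(val), max_len, len(data_blob))
        key_blob += k.encode("ascii") + b"\0"
        data_blob += val.ljust(max_len, b"\0")
    key_blob = key_blob.ljust((len(key_blob) + 3) & ~3, b"\0")
    key_start = 20 + len(index)
    header = struct.pack("<4sIIII", b"\0PSF", 0x0101, key_start,
                         key_start + len(key_blob), len(keys))
    return header + index + key_blob + data_blob

def parse_sfo(blob):
    """Return {key: value} for every entry in a PARAM.SFO blob."""
    magic, _ver, key_start, data_start, count = struct.unpack_from("<4sIIII", blob, 0)
    if magic != b"\0PSF":
        raise ValueError("not a PSF file")
    out = {}
    for i in range(count):
        key_off, fmt, data_len, _max, data_off = struct.unpack_from("<HHIII", blob, 20 + 16 * i)
        key_end = blob.index(b"\0", key_start + key_off)
        key = blob[key_start + key_off:key_end].decode("ascii")
        raw = blob[data_start + data_off:data_start + data_off + data_len]
        out[key] = (struct.unpack("<I", raw[:4])[0] if fmt == 0x0404
                    else raw.rstrip(b"\0").decode("utf-8", "replace"))
    return out

def title_is_clean(value):
    """Input restriction: reject titles carrying the special chars the advisory names."""
    return not (UNSAFE & set(value))

def title_for_display(value):
    """Output encoding: escape the value before it is redisplayed in the preview listing."""
    return html.escape(value, quote=True)
```

Either measure alone closes the preview-listing injection the advisory describes; applying both means a title that slips past the input filter (the char-by-char sync the PoC relies on) is still rendered as inert text.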
