  1. #1 CJPC

    Resistance: FoM Network Update Vulnerability

    As you know, the Resistance: Fall of Man game updates via PlayStation Network. The resident PS3 Devs (Subdub and Gigi) discovered this nearly 6 months ago and others (Placa, to name just one) soon after; it's just another rehash of the old Warhawk method (detailed here and here), but more constrained.

    For example, using the Warhawk hole users could change directories; in the R:FOM one you can't. In layman's terms, it means this R:FOM method is even more limited/useless than the Warhawk one was. Of course, to those who just recently discovered it, this is being incorrectly labeled as something useful when it sadly isn't at all.

    However, since Sony plugged the Warhawk hole in a past Firmware Update, most of the devs opted to keep quiet until tonight... as now this hole will certainly be addressed in an upcoming Firmware Update as it is indeed a security issue to Sony.

    It's a fairly simple method. Using your favorite DNS "hijack" method or a proxy server, redirect download-prod.online.scea.com to an HTTP server.

    On the HTTP server, set up the path:
    /client-patch/resistancegs-prod/resistancegs_SCEE/8.7.1.1/

    So, http://download-prod.online.scea.com/client-patch/resistancegs-prod/resistancegs_SCEE/8.7.1.1/ will be redirected to your HTTP server.

    You will want to download the files from there to your HTTP server, and recreate the file directory. You can then begin to play around with the files.

    http://download-prod.online.scea.com/client-patch/resistancegs-prod/resistancegs_SCEE/8.7.1.1/manifest.dat

    http://download-prod.online.scea.com/client-patch/resistancegs-prod/resistancegs_SCEE/8.7.1.1/EBOOT.BIN

    Note: You may need to change _SCEE to _SCEA, depending on your region.

    You can't do much with this; you can replace some files, but since they're all encrypted and signed, it's somewhat useless indeed!

    In regards to the Manifest.dat, a hint:

    0x00: 0x49470001 - marker
    0x04: 0x0000000a - number of files
    0x08: 32 bytes per patch file

    And the patch files:

    0x00: 64-bit length
    0x08: 32-bit checksum? (unused)
    0x0c: 20 bytes - zero terminated file name

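    As an added example (not from CJPC's post and not Sony's own tooling), here is a small Python parser for the manifest.dat layout hinted at in the post above: a 0x49470001 marker, a file count, then 32-byte entries of 64-bit length, 32-bit checksum and a 20-byte zero-terminated name. Big-endian field order is an assumption (the post does not state byte order), and the sample manifest is constructed inline.

```python
import struct

MANIFEST_MARKER = 0x49470001   # marker value given in the post
ENTRY_SIZE = 32                # 32 bytes per patch-file entry (8 + 4 + 20)


def parse_manifest(data: bytes):
    """Parse manifest.dat as laid out in the post.

    Byte order is assumed big-endian; that is an assumption, not from the post.
    Length checks are included so a truncated or foreign file is rejected
    instead of being read past its end.
    """
    if len(data) < 8:
        raise ValueError("manifest too short for header")
    marker, count = struct.unpack(">II", data[:8])
    if marker != MANIFEST_MARKER:
        raise ValueError(f"bad marker 0x{marker:08x}")
    needed = 8 + count * ENTRY_SIZE
    if len(data) < needed:
        raise ValueError(f"manifest truncated: need {needed} bytes, have {len(data)}")
    entries = []
    for i in range(count):
        off = 8 + i * ENTRY_SIZE
        length, checksum = struct.unpack(">QI", data[off:off + 12])
        raw_name = data[off + 12:off + 32]                      # 20-byte name field
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", errors="replace")
        entries.append({"length": length, "checksum": checksum, "name": name})
    return entries


def build_manifest(entries):
    """Inverse of parse_manifest; used here only to construct a sample input."""
    out = struct.pack(">II", MANIFEST_MARKER, len(entries))
    for length, checksum, name in entries:
        raw = name.encode("ascii")
        if len(raw) > 19:
            raise ValueError("name does not fit in 20 bytes with a terminator")
        out += struct.pack(">QI", length, checksum) + raw.ljust(20, b"\x00")
    return out


# Constructed sample: two entries, sizes and checksum values are made up.
SAMPLE = build_manifest([(1234567, 0, "EBOOT.BIN"), (42, 0xDEADBEEF, "patch.bin")])

if __name__ == "__main__":
    for entry in parse_manifest(SAMPLE):
        print(entry)
```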

  2. #2 PS3 News (Forum Moderator)

    Here are a few more older PS3 vulnerabilities for those following...

    From seclists.org/bugtraq/2009/Jul/126
    Code:
    [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....
    From: "MustLive" <mustlive () websecurity com ua>
    Date: Fri, 17 Jul 2009 23:56:38 +0300
    
    Hello Thierry!
    
    About your "bug to rule them all" I can tell that it's an interesting vulnerability and interesting research in itself. I have found DoS vulnerabilities in multiple browsers many times, but I never tested in so many browsers and systems. So you did a large piece of research (with the help of those people who helped you with testing on different systems): this DoS hole exists (or existed) in so many systems: different desktop browsers, email clients, browsers for mobile devices, game devices and possibly other devices with JavaScript support.
    
    Maybe some of the DoS holes found by me can also work on multiple platforms, but I didn't test on such a large range of devices (just in different browsers on my PC).
    
    Credit      : Except Apple - nobody
    
    It's a very common situation (developers not taking seriously the security professionals who found holes in their programs). Especially in the case of DoS vulnerabilities.
    
        IV. Disclosure timeline
    
        Nothing particular to note, except the usual discussion about availability being a security issue.
    
    It is also very common for developers (browser developers in particular) not to put DoS in the category of security issues (even if they officially said that they acknowledge DoS as a security issue). So nothing surprising :) - I have heard such statements from browser developers many times.
    
    Thierry, I even planned to write a large message here on this subject (which I planned at the beginning of this year), but I cancelled it due to lack of time :). In short: the developers are not right and DoS is a security issue.
    
    I tested your vulnerability (your PoC) in all my browsers: Mozilla, Firefox, IE, Opera and Chrome. Here are the results of my tests, which will be an additional stroke to your picture of vulnerable browsers and systems.
    
    Mozilla 1.7.x is not vulnerable. And this is a reason why I like Mozilla 1.7.x, because it doesn't have many of the holes which Mozilla added to new versions of their Firefox ;). You wrote that Firefox allocates 2 GB of memory and then crashes. My Mozilla only allocates about 900 MB of memory and then stops this process (and stops using the CPU). So it was just a small lag, without particular strain, so it's not vulnerable.
    
    Firefox 3.0.11 is not vulnerable (because it was fixed in Firefox 3.0.5).
    
    IE6 is vulnerable. But my IE6 is vulnerable in a different way than other browsers. You wrote that IE5,6,7,8 allocate 2 GB of memory and then crash. In my case, the browser only takes CPU resources (over 50% on my two-core processor; it'll be 100% on a single-core processor) without taking memory.
    
    Opera 9.52 is vulnerable (because it was fixed in a version after Opera 9.64). You wrote that Opera allocates and commits as much memory as available and will not crash. In my case Opera takes more than 2 GB (almost all memory available) and then freezes.
    
    Google Chrome 1.0.154.48 is not vulnerable. You wrote that Chrome allocates 2 GB of memory and then crashes the tab with a null pointer. In my case Chrome takes more than 2 GB of memory and then shows its message about an error on the page and frees all the memory. So as a result almost no memory or CPU resources are used by the browser. You wrote that Chrome was patched (unknown version). As we see, at least Chrome version 1.0.154.48 is not vulnerable.
    
    There is also one interesting thing.
    
    You mentioned bug #460713 in Mozilla's bugzilla. When I followed this link yesterday I found that this entry is closed for viewing (even for logged-in users). So for some unknown reason Mozilla closed access to bug #460713 (bugzilla.mozilla.org/show_bug.cgi?id=460713), even though it's resolved. As you wrote, this hole was fixed in Firefox 3.0.5. This version was released on the 16th of December 2008, so from that time until now Mozilla hasn't opened this bug. Why did they do it? Do they have something to hide from people :).
    
    Best wishes & regards,
    MustLive
    Administrator of Websecurity web site
    websecurity.com.ua
    Unfortunately it's from July 2009 so we don't know if it's already patched...
    Code:
    <script>
    // PoC from the GSEC-TZO-44-2009 advisory: assigning a huge length to a
    // <select> element makes the browser try to allocate ~2^31 option slots.
    function poc(o) {
      var e = document.createElement("select");
      e.length = 2147483647;
    }

    function go() {
      poc(0);
    }
    </script>
    Correct. Hard locks the PS3. You have to hard reset afterwards.

    Another: exploit-db.com/exploits/25718/

    Sony Playstation 3 (PS3) 4.31 - Save Game Preview SFO File Handling Local Command Execution
    Code:
    EDB-ID: 25718    CVE: N/A    OSVDB-ID: 93552
    Author: Vulnerability-Lab    Published: 2013-05-26    Verified: Not Verified
    
    Title: Sony PS3 Firmware v4.31 - Code Execution Vulnerability
    Date: 2013-05-12
    References: vulnerability-lab.com/get_content.php?id=767
    VL-ID: 767
    Common Vulnerability Scoring System: 6.5
    
    
    Introduction:
    
    The PlayStation 3 is the third home video game console produced by Sony Computer Entertainment and the successor to the
    PlayStation 2 as part of the PlayStation series. The PlayStation 3 competes with Microsoft's Xbox 360 and Nintendo's Wii
    as part of the seventh generation of video game consoles. It was first released on November 11, 2006, in Japan, with
    international markets following shortly thereafter.
    
    Major features of the console include its unified online gaming service, the PlayStation Network, its multimedia capabilities,
    connectivity with the PlayStation Portable, and its use of the Blu-ray Disc as its primary storage medium.
    
    (Copy of the Homepage: en.wikipedia.org/wiki/PlayStation_3 )
    
    PlayStation Network, often abbreviated as PSN, is an online multiplayer gaming and digital media delivery service provided/run
    by Sony Computer Entertainment for use with the PlayStation 3, PlayStation Portable, and PlayStation Vita video game consoles.
    The PlayStation Network is the video game portion of the Sony Entertainment Network.
    
    (Copy of the Homepage: en.wikipedia.org/wiki/PlayStation_Network)
     
    Abstract:
    
    The Vulnerability Laboratory Research Team discovered a code execution vulnerability in the official Playstation3 v4.31 Firmware.
    
    Report-Timeline:
    
    2012-10-26: Researcher Notification & Coordination
    2012-11-18: Vendor Notification 1
    2012-12-14: Vendor Notification 2
    2012-01-18: Vendor Notification 3
    2012-**-**: Vendor Response/Feedback
    2012-05-01: Vendor Fix/Patch by Check
    2012-05-13: Public Disclosure
    
    Status: Published
    
    Affected Products:
    
    Sony
    Product: PlayStation 3 4.31
    
    Exploitation-Technique: Local
    
    Severity: High
    Details:
    
    A local code execution vulnerability is detected in the official Playstation3 v4.31 Firmware.
    The vulnerability allows local attackers to inject and execute code out of the vulnerable ps3 menu main web context.
    
    There are 3 types of save games for the sony ps3. The report is only bound to the .sfo save games of the Playstation3.
    The ps3 save games sometimes use a PARAM.SFO file in the folder (USB or PS3 HD) to display movable text like marquees,
    in combination with a video, sound and the (path) background picture. Normally the ps3 firmware parses the redisplayed
    save game values & detail information text when processing to load it via usb/ps3-hd. The import ps3 preview filtering
    can be bypassed via a split char-by-char injection of script code or system (ps3 firmware) specific commands.
    
    The attacker synchronizes his computer (to change the usb context) with USB (Save Game) and connects to the network
    (USB, COMPUTER, PS3), updates the save game via computer and can execute the context directly out of the ps3 savegame preview
    listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file and a USB device. The attacker
    can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.
    
    The ps3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide
    any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands
    or inject malicious persistent script code.
    
    Successful exploitation of the vulnerability can result in persistent but local system command executions, psn session
    hijacking, persistent phishing attacks, external redirect out of the vulnerable module, and stable persistent save game preview
    listing context manipulation.
     
     
    Vulnerable Section(s):
        [+] PS Menu > Game (Spiel)
    
    Vulnerable Module(s):
        [+] SpeicherDaten (DienstProgramm) PS3 > USB Gerät
    
    Affected Section(s):
        [+] Title - Save Game Preview Resource (Detail Listing)
    
     
    Proof of Concept:
    =================
    The firmware preview listing validation vulnerability can be exploited by local attackers with low or medium required user interaction.
    For demonstration or to reproduce ...
    
    The attacker needs to sync his computer (to change the usb context) with USB (Save Game) and connects to the network
    (USB, COMPUTER, +PS3), updates the save game via computer and can execute the context directly out of the ps3 savegame preview
    listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file and a USB device. The attacker
    can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.
    
    The ps3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide
    any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands
    or inject malicious persistent script code out of the save game preview listing.
    
    If you inject standard frames or system unknown commands (jailbreak) without passing the filter char by char and direct sync
    as update, you will fail to reproduce!
     
    PoC: PARAM.SFO (binary file; only its printable strings are reproduced here)
    
    ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE
    40ac78551a88fdc
    SD
    PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]
    
    Hackizeit: 1:33:07
    
    ExpSkills: VL-LAB-TRAINING
    
    Operation: 1%
    Trojaners: 0%
    ... 40ac78551a88fdc
    ...
    BLES00371-NARUTO_STORM-0
    HACKINGBKM 1
    PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];
     
    Solution:
    
    Restrict the savegame name input and disallow special chars.
    Encode the savegame values when redisplaying them in the menu preview of the game.
    Parse the strings and values from the savegames even if included string by string via sync.
    
    Risk:
    
    The security risk of the highly exploitable but local vulnerability is estimated as critical and needs to be fixed soon.
    
    Credits:
    
    Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri  (bkm AT vulnerability-lab.com)
    This one is patched and couldn't really do much anyway.

 
