Resistance: FoM Network Update Vulnerability


Sponsored Links
346w ago - As you know, Resistance: Fall of Man receives its game updates via PlayStation Network. The resident PS3 devs (Subdub and Gigi) discovered this nearly 6 months ago, and others (Placa, to name just one) soon after. It is just another rehash of the old Warhawk method (detailed here and here), but more constrained.

For example, the Warhawk hole let users change directories; the R:FOM one does not. In layman's terms, this R:FOM method is even more limited than the Warhawk one was. Those who only recently discovered it have been incorrectly labelling it as something useful, when it sadly isn't at all.

However, since Sony plugged the Warhawk hole in a past Firmware Update, most of the devs opted to keep quiet until tonight. This hole will now certainly be addressed in an upcoming Firmware Update, as it is indeed a security issue to Sony.

It's a fairly simple method. Using your favourite DNS hijack method or a proxy server, redirect download-prod.online.scea.com to an HTTP server you control.

On the HTTP server, set up the path:
/client-patch/resistancegs-prod/resistancegs_SCEE/8.7.1.1/

So, http://download-prod.online.scea.com/client-patch/resistancegs-prod/resistancegs_SCEE/8.7.1.1/ will be redirected to your HTTP server.

Download the files from there to your HTTP server and recreate the same directory layout. You can then begin to play around with the files:

http://download-prod.online.scea.com/client-patch/resistancegs-prod/resistancegs_SCEE/8.7.1.1/manifest.dat

http://download-prod.online.scea.com/client-patch/resistancegs-prod/resistancegs_SCEE/8.7.1.1/EBOOT.BIN

Note: You may need to change _SCEE to _SCEA, depending on your region.

You can't do much with this: you can replace some files, but since they are all encrypted and signed, it is somewhat useless indeed. The client fetches the update over plain HTTP from whatever the hostname resolves to, so the signature check on the files themselves is the only thing standing between a DNS redirect and a modified update.

Regarding manifest.dat, a hint on its layout:

0x00: 0x49470001 - marker
0x04: 0x0000000a - number of files
0x08: 32-byte entry per patch file

And each patch file entry:

0x00: 64-bit length
0x08: 32-bit checksum? (unused)
0x0c: 20 bytes - zero-terminated file name
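The mirror procedure above needs the list of files the console will request, and that list lives in manifest.dat with the layout just given. The following is an added example (not code from the article or from any PS3 scene dev): a parser and writer for that layout, plus a helper that turns a manifest into the URLs a mirror must serve. It assumes all integers are big-endian, which the page does not state but which matches the PS3's big-endian Cell CPU and makes the marker read as the ASCII bytes "IG" followed by 0x00 0x01. The sample manifest is constructed here, not real Sony data.

```python
import struct

MANIFEST_MARKER = 0x49470001   # marker word from the page; big-endian it is b"IG\x00\x01"
ENTRY_SIZE = 32                 # 32 bytes per patch file entry, per the page
NAME_LEN = 20                   # zero-terminated file name field at entry offset 0x0c
HEADER_LEN = 8                  # marker + file count


def parse_manifest(data: bytes) -> list:
    """Parse a manifest.dat blob into a list of {name, length, checksum} dicts.

    Assumption (not stated on the page): every integer is big-endian.
    Raises ValueError on a bad marker, a truncated file, or an unterminated name.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("manifest too short for header")
    marker, count = struct.unpack_from(">II", data, 0)
    if marker != MANIFEST_MARKER:
        raise ValueError(f"bad marker 0x{marker:08x}")
    needed = HEADER_LEN + count * ENTRY_SIZE
    if len(data) < needed:
        raise ValueError(f"manifest claims {count} entries, needs {needed} bytes, has {len(data)}")
    entries = []
    for i in range(count):
        off = HEADER_LEN + i * ENTRY_SIZE
        length, checksum = struct.unpack_from(">QI", data, off)      # 0x00 u64, 0x08 u32
        raw_name = data[off + 12 : off + 12 + NAME_LEN]               # 0x0c, 20 bytes
        nul = raw_name.find(b"\x00")
        if nul < 0:
            raise ValueError(f"entry {i}: name not zero-terminated within {NAME_LEN} bytes")
        entries.append({"name": raw_name[:nul].decode("ascii"),
                        "length": length, "checksum": checksum})
    return entries


def build_manifest(entries) -> bytes:
    """Inverse of parse_manifest, for writing a modified manifest back to the mirror."""
    out = bytearray(struct.pack(">II", MANIFEST_MARKER, len(entries)))
    for e in entries:
        name = e["name"].encode("ascii")
        if len(name) >= NAME_LEN:          # must leave room for the terminating zero
            raise ValueError(f"name {e['name']!r} too long for {NAME_LEN}-byte field")
        out += struct.pack(">QI", e["length"], e["checksum"])
        out += name.ljust(NAME_LEN, b"\x00")
    return bytes(out)


def mirror_urls(data: bytes, base_url: str) -> list:
    """URLs the mirror must serve for this manifest; base_url is the patch directory."""
    base = base_url.rstrip("/")
    return [f"{base}/manifest.dat"] + [f"{base}/{e['name']}" for e in parse_manifest(data)]


# Constructed sample manifest (made-up sizes and checksums, not real Sony data).
SAMPLE_ENTRIES = [
    {"name": "EBOOT.BIN", "length": 0x1234567, "checksum": 0},
    {"name": "level1.dat", "length": 42, "checksum": 0xDEADBEEF},
]
SAMPLE_MANIFEST = build_manifest(SAMPLE_ENTRIES)
BASE_URL = "http://download-prod.online.scea.com/client-patch/resistancegs-prod/resistancegs_SCEE/8.7.1.1/"

if __name__ == "__main__":
    for e in parse_manifest(SAMPLE_MANIFEST):
        print(f"{e['name']:<20} {e['length']:>10} bytes  checksum 0x{e['checksum']:08x}")
    for url in mirror_urls(SAMPLE_MANIFEST, BASE_URL):
        print(url)
```

Running it against a real manifest.dat pulled from the patch directory is a one-line change (read the file instead of using SAMPLE_MANIFEST); if the marker check fails, the endianness assumption is the first thing to revisit.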



Comments (1)


#1 - PS3 News - 69w ago
Here are a few more older PS3 vulnerabilities for those following...

From seclists.org/bugtraq/2009/Jul/126



Unfortunately it's from July 2009 so we don't know if it's already patched...



Correct. Hard locks the PS3. You have to hard reset afterwards.

Another: exploit-db.com/exploits/25718/

Sony Playstation 3 (PS3) 4.31 - Save Game Preview SFO File Handling Local Command Execution
EDB-ID: 25718 | CVE: N/A | OSVDB-ID: 93552
Author: Vulnerability-Lab | Published: 2013-05-26 | Verified: Not Verified
Vulnerable App: N/A

Title:

Sony PS3 Firmware v4.31 - Code Execution Vulnerability


Date:

2013-05-12


References:

vulnerability-lab.com/get_content.php?id=767


VL-ID:

767


Common Vulnerability Scoring System:

6.5


Introduction:

The PlayStation 3 is the third home video game console produced by Sony Computer Entertainment and the successor to the
PlayStation 2 as part of the PlayStation series. The PlayStation 3 competes with Microsoft's Xbox 360 and Nintendo's Wii
as part of the seventh generation of video game consoles. It was first released on November 11, 2006, in Japan, with
international markets following shortly thereafter.

Major features of the console include its unified online gaming service, the PlayStation Network, its multimedia capabilities,
connectivity with the PlayStation Portable, and its use of the Blu-ray Disc as its primary storage medium.

(Copy of the Homepage: en.wikipedia.org/wiki/PlayStation_3 )

PlayStation Network, often abbreviated as PSN, is an online multiplayer gaming and digital media delivery service provided/run
by Sony Computer Entertainment for use with the PlayStation 3, PlayStation Portable, and PlayStation Vita video game consoles.
The PlayStation Network is the video game portion of the Sony Entertainment Network.

(Copy of the Homepage: en.wikipedia.org/wiki/PlayStation_Network)

Abstract:

The Vulnerability Laboratory Research Team discovered a code execution vulnerability in the official Playstation3 v4.31 Firmware.


Report-Timeline:

2012-10-26: Researcher Notification & Coordination
2012-11-18: Vendor Notification 1
2012-12-14: Vendor Notification 2
2012-01-18: Vendor Notification 3
2012-**-**: Vendor Response/Feedback
2012-05-01: Vendor Fix/Patch by Check
2012-05-13: Public Disclosure


Status:

Published


Affected Products:

Sony
Product: PlayStation 3 4.31


Exploitation-Technique:

Local


Severity:

High


Details:

A local code execution vulnerability has been detected in the official PlayStation 3 v4.31 firmware.
The vulnerability allows local attackers to inject and execute code out of the vulnerable PS3 main menu web context.

There are 3 types of save games for the Sony PS3. This report is bound only to the .sfo save games of the PlayStation 3.
PS3 save games sometimes use a PARAM.SFO file in the folder (USB or PS3 HD) to display movable text like marquees,
in combination with a video, sound and the (path) background picture. Normally the PS3 firmware parses the redisplayed
save game values & detail information text when processing it for loading via USB/PS3-HD. The import PS3 preview filtering
can be bypassed via a split, char-by-char injection of script code or system (PS3 firmware) specific commands.

The attacker synchronizes his computer (to change the USB context) with the USB (save game), connects to the network
(USB, COMPUTER, PS3), updates the save game via the computer and can execute the context directly out of the PS3 save game preview
listing menu (USB/HD). The exploitation requires local system access, a manipulated .sfo file and a USB device. The attacker
can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.

The PS3 filter system of the SpeicherDaten (DienstProgramm) module (the Saved Data Utility in the German UI) does not recognize special chars and does not provide
any kind of input restriction. Attackers can manipulate the .sfo file of a save game to execute system specific commands
or inject malicious persistent script code.

Successful exploitation of the vulnerability can result in persistent but local system command execution, PSN session
hijacking, persistent phishing attacks, external redirects out of the vulnerable module, and stable persistent save game preview
listing context manipulation.


Vulnerable Section(s):
[+] PS Menu > Game (Spiel)

Vulnerable Module(s):
[+] SpeicherDaten (DienstProgramm) [Saved Data Utility] PS3 > USB Gerät [USB Device]

Affected Section(s):
[+] Title - Save Game Preview Resource (Detail Listing)


Proof of Concept:
=================
The firmware preview listing validation vulnerability can be exploited by local attackers with low or medium required user interaction.
For demonstration or to reproduce ...

The attacker needs to sync his computer (to change the USB context) with the USB (save game), connect to the network
(USB, COMPUTER, +PS3), update the save game via the computer, and can then execute the context directly out of the PS3 save game preview
listing menu (USB/HD). The exploitation requires local system access, a manipulated .sfo file and a USB device. The attacker
can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.

The PS3 filter system of the SpeicherDaten (DienstProgramm) module (the Saved Data Utility in the German UI) does not recognize special chars and does not provide
any kind of input restriction. Attackers can manipulate the .sfo file of a save game to execute system specific commands
or inject malicious persistent script code out of the save game preview listing.

If you inject standard frames or system-unknown commands (jailbreak) without passing the filter char by char, and directly sync
as an update, you will fail to reproduce!

PoC: PARAM.SFO (binary PSF header bytes are not reproducible as text; the readable strings from the file follow)

ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE
40ac78551a88fdc
SD
PSHACK: Benjamin Ninja H%20'>"

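The advisory quoted in the comment above says the save game preview renders string fields from PARAM.SFO without filtering special characters, and its PoC puts `%20'>"` into the TITLE field. The following is an added example (not the advisory's code, nor Sony's): a small PARAM.SFO reader/writer plus a check that flags any string field carrying markup or shell metacharacters, which is the kind of validation the advisory says the preview lacks. It assumes the widely documented PSF/SFO container layout (little-endian header, 16-byte index entries, separate key and data tables); that layout is not described on the page. Both sample files are constructed here and are not the advisory's hex dump.

```python
import struct

# Assumed PSF/SFO container layout (documented scene knowledge, not from this page).
SFO_MAGIC = b"\x00PSF"
SFO_VERSION = 0x00000101
FMT_UTF8_SPECIAL = 0x0004   # utf8 string, no NUL terminator
FMT_UTF8 = 0x0204           # NUL-terminated utf8 string
FMT_INT32 = 0x0404          # 32-bit little-endian integer
HEADER_LEN = 20             # magic + version + key table start + data table start + count
INDEX_ENTRY_LEN = 16


def build_sfo(fields: dict) -> bytes:
    """Serialise {key: str | int} into a PARAM.SFO blob (keys sorted, as real files are)."""
    keys = sorted(fields)
    index, key_table, data_table = bytearray(), bytearray(), bytearray()
    for k in keys:
        v = fields[k]
        key_off, data_off = len(key_table), len(data_table)
        key_table += k.encode("ascii") + b"\x00"
        if isinstance(v, int):
            fmt, payload = FMT_INT32, struct.pack("<I", v)
            data_len = data_max = 4
        else:
            payload = v.encode("utf-8") + b"\x00"
            fmt, data_len = FMT_UTF8, len(payload)
            data_max = (data_len + 3) & ~3          # data slots are 4-byte aligned
        data_table += payload.ljust(data_max, b"\x00")
        index += struct.pack("<HHIII", key_off, fmt, data_len, data_max, data_off)
    key_table += b"\x00" * (-len(key_table) % 4)
    key_start = HEADER_LEN + len(index)
    data_start = key_start + len(key_table)
    header = SFO_MAGIC + struct.pack("<IIII", SFO_VERSION, key_start, data_start, len(keys))
    return header + bytes(index) + bytes(key_table) + bytes(data_table)


def parse_sfo(data: bytes) -> dict:
    """Read a PARAM.SFO blob back into {key: str | int}."""
    if data[:4] != SFO_MAGIC:
        raise ValueError("not a PSF/SFO file")
    _version, key_start, data_start, count = struct.unpack_from("<IIII", data, 4)
    fields = {}
    for i in range(count):
        key_off, fmt, data_len, _data_max, data_off = struct.unpack_from(
            "<HHIII", data, HEADER_LEN + INDEX_ENTRY_LEN * i)
        key_end = data.index(b"\x00", key_start + key_off)
        key = data[key_start + key_off:key_end].decode("ascii")
        raw = data[data_start + data_off : data_start + data_off + data_len]
        if fmt == FMT_INT32:
            fields[key] = struct.unpack("<I", raw)[0]
        elif fmt == FMT_UTF8:
            fields[key] = raw.rstrip(b"\x00").decode("utf-8", "replace")
        elif fmt == FMT_UTF8_SPECIAL:
            fields[key] = raw.decode("utf-8", "replace")
        else:
            raise ValueError(f"unknown data format 0x{fmt:04x} for key {key}")
    return fields


# Characters a preview renderer should never pass through unescaped from a save game.
SUSPICIOUS = set("<>'\"%&;`")


def suspicious_fields(data: bytes) -> dict:
    """Return {key: value} for every string field containing markup/shell metacharacters."""
    return {k: v for k, v in parse_sfo(data).items()
            if isinstance(v, str) and SUSPICIOUS & set(v)}


# Constructed samples: a clean save and one carrying the advisory-style TITLE payload.
CLEAN_SFO = build_sfo({"TITLE": "Resistance save", "SUB_TITLE": "Chapter 3",
                       "CATEGORY": "SD", "PARENTAL_LEVEL": 0})
TAINTED_SFO = build_sfo({"TITLE": "PSHACK: Benjamin Ninja H%20'>\"", "SUB_TITLE": "Chapter 3",
                         "CATEGORY": "SD", "PARENTAL_LEVEL": 0})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SFO), ("tainted", TAINTED_SFO)):
        print(label, parse_sfo(blob), "flagged:", suspicious_fields(blob))
```

The check is deliberately a blocklist of the characters the PoC relies on rather than a full sanitiser; on a real console the fix belongs in the renderer (escape or reject before display), and this script only tells you which save games on a USB stick would exercise that code path.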
© 2014 PlayStation 3 News