So, wanna tell me what exactly is critical about you being able to inject marquee tags into your savefile names?
2013/5/21 Vulnerability Lab <resea...@vulnerability-lab.com>
> Title:
> ======
> Sony PS3 Firmware v4.31 - Code Execution Vulnerability
>
> Date:
> =====
> 2013-05-12
>
> References:
> ===========
> http://www.vulnerability-lab.com/get_content.php?id=767
>
> VL-ID:
> =====
> 767
>
> Common Vulnerability Scoring System:
> ====================================
> 6.5
>
> Introduction:
> =============
> The PlayStation 3 is the third home video game console produced by Sony Computer Entertainment and the successor to the PlayStation 2 as part of the PlayStation series. The PlayStation 3 competes with Microsoft's Xbox 360 and Nintendo's Wii as part of the seventh generation of video game consoles. It was first released on November 11, 2006, in Japan, with international markets following shortly thereafter.
>
> Major features of the console include its unified online gaming service, the PlayStation Network, its multimedia capabilities, connectivity with the PlayStation Portable, and its use of the Blu-ray Disc as its primary storage medium.
>
> (Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_3 )
>
> PlayStation Network, often abbreviated as PSN, is an online multiplayer gaming and digital media delivery service provided/run by Sony Computer Entertainment for use with the PlayStation 3, PlayStation Portable, and PlayStation Vita video game consoles. The PlayStation Network is the video game portion of the Sony Entertainment Network.
>
> (Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_Network)
>
> Abstract:
> =========
> The Vulnerability Laboratory Research Team discovered a code execution vulnerability in the official PlayStation 3 v4.31 Firmware.
>
> Report-Timeline:
> ================
> 2012-10-26: Researcher Notification & Coordination
> 2012-11-18: Vendor Notification 1
> 2012-12-14: Vendor Notification 2
> 2012-01-18: Vendor Notification 3
> 2012-**-**: Vendor Response/Feedback
> 2012-05-01: Vendor Fix/Patch by Check
> 2012-05-13: Public Disclosure
>
> Status:
> ========
> Published
>
> Affected Products:
> ==================
> Sony
> Product: PlayStation 3 4.31
>
> Exploitation-Technique:
> =======================
> Local
>
> Severity:
> =========
> High
>
> Details:
> ========
> A local code execution vulnerability is detected in the official PlayStation 3 v4.31 Firmware. The vulnerability allows local attackers to inject and execute code out of the vulnerable PS3 menu main web context.
>
> There are 3 types of save games for the Sony PS3. The report is only bound to the .sfo save games of the PlayStation 3. The PS3 save games sometimes use a PARAM.SFO file in the folder (USB or PS3 HD) to display movable text like marquees, in combination with a video, sound and the (path) background picture. Normally the PS3 firmware parses the redisplayed save game values & detail information text when processing to load it via USB/PS3-HD. The import PS3 preview filtering can be bypassed via a split char-by-char injection of script code or system (PS3 firmware) specific commands.
>
> The attacker synchronizes his computer (to change the USB context) with USB (Save Game) and connects to the network (USB, COMPUTER, PS3), updates the save game via computer and can execute the context directly out of the PS3 savegame preview listing menu (USB/HD). The exploitation requires local system access, a manipulated .sfo file, a USB device. The attacker can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.
>
> The PS3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands or inject malicious persistent script code.
>
> Successful exploitation of the vulnerability can result in persistent but local system command executions, PSN session hijacking, persistent phishing attacks, external redirect out of the vulnerable module, stable persistent save game preview listing context manipulation.
>
> Vulnerable Section(s):
> [+] PS Menu > Game (Spiel)
>
> Vulnerable Module(s):
> [+] SpeicherDaten (DienstProgramm) PS3 > USB Gerät
>
> Affected Section(s):
> [+] Title - Save Game Preview Resource (Detail Listing)
>
> Proof of Concept:
> =================
> The firmware preview listing validation vulnerability can be exploited by local attackers and with low or medium required user interaction. For demonstration or to reproduce ...
>
> The attacker needs to sync his computer (to change the USB context) with USB (Save Game) and connects to the network (USB, COMPUTER, +PS3), updates the save game via computer and can execute the context directly out of the PS3 savegame preview listing menu (USB/HD). The exploitation requires local system access, a manipulated .sfo file, a USB device. The attacker can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.
>
> The PS3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands or inject malicious persistent script code out of the save game preview listing.
>
> If you inject standard frames or system unknown commands (jailbreak) without passing the filter char by char and direct sync as update you will fail to reproduce!
>
> PoC: PARAM.SFO
>
> PSF Ä @ h
> % , 4
> $ C @ ( V h j
> € p t € ð
> ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE
> 40ac78551a88fdc
> SD
> PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]
>
> Hackizeit: 1:33:07
>
> ExpSkills: VL-LAB-TRAINING
>
> Operation: 1%
> Trojaners: 0%
> ... Õõ~\ ˜òíA×éú ;óç 40ac78551a88fdc
> ...
> BLES00371-NARUTO_STORM-0
> HACKINGBKM 1
> PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];
>
> Solution:
> =========
> Restrict the savegame name input and disallow special chars. Encode the savegame values and redisplaying in the menu preview of the game. Parse the strings and values from the savegames even if included string by string via sync.
>
> Risk:
> =====
> The security risk of the highly exploitable but local vulnerability is estimated as critical and needs to be fixed soon.
>
> Credits:
> ========
> Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)
>
> Disclaimer:
> ===========
> The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
> We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
>
> Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
> Contact: ad...@vulnerability-lab.com - supp...@vulnerability-lab.com - resea...@vulnerability-lab.com
> Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
> Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
> Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
>
> Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (ad...@vulnerability-lab.com or supp...@vulnerability-lab.com) to get a permission.
>
> Copyright © 2013 | Vulnerability Laboratory
>
> --
> VULNERABILITY RESEARCH LABORATORY
> LABORATORY RESEARCH TEAM
> CONTACT: resea...@vulnerability-lab.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
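The quoted advisory's Solution section asks for three things: restrict what a save-game name may contain, encode the attribute values before the preview redisplays them, and actually parse the strings in PARAM.SFO instead of trusting them. The following Python is an added example, not code from this thread, from Vulnerability Lab or from Sony's firmware. It builds a small PARAM.SFO in memory from constructed attributes (the key names mirror the dump in the advisory), parses it with bounds checks on every index entry (the advisory notes that an attacker is limited to the declared byte size of each attribute, which is exactly the field a sloppy parser forgets to verify), and applies both the output-encoding and the input-whitelist mitigation to the TITLE, SUB_TITLE and DETAIL strings. The header and 16-byte index-entry layout are the publicly documented PSF/PARAM.SFO format; the 128-byte string slot, the sample values and the function names are assumptions for this example.

```python
"""Defensive PARAM.SFO reader plus the two mitigations the advisory asks for.

PARAM.SFO (PSF) layout, little-endian throughout:
  header : magic b"\\0PSF", version u32, key_table_start u32, data_table_start u32, entry_count u32
  index  : entry_count * 16 bytes: key_offset u16, data_fmt u16, data_len u32, data_max_len u32, data_offset u32
  keys   : NUL-terminated ASCII key names, 4-byte padded
  data   : one slot of data_max_len bytes per entry; 0x0204 = NUL-terminated UTF-8, 0x0004 = raw UTF-8, 0x0404 = u32
"""
import html
import struct

MAGIC = b"\x00PSF"
SFO_VERSION = 0x00000101
FMT_UTF8_RAW, FMT_UTF8, FMT_UINT32 = 0x0004, 0x0204, 0x0404
HEADER = struct.Struct("<4sIIII")
ENTRY = struct.Struct("<HHIII")
DISPLAYED_KEYS = ("TITLE", "SUB_TITLE", "DETAIL")   # strings the preview listing renders
FORBIDDEN = set("<>\"'&%;")                          # markup / command metacharacters (assumed policy)

# Constructed sample (not a real save): key names follow the advisory's dump, the TITLE carries
# the same kind of '>"< markup characters as its PoC string.
SAMPLE = {
    "CATEGORY": "SD",
    "PARENTAL_LEVEL": 0,
    "SAVEDATA_DIRECTORY": "BLES00371-NARUTO_STORM-0",
    "TITLE": "Benjamin Ninja '>\"<marquee>injected</marquee>",
    "SUB_TITLE": "Play time: 1:33:07",
    "DETAIL": "Training save",
}


class SfoError(ValueError):
    """Structurally invalid PARAM.SFO data."""


def build_sfo(attrs, string_slot=128):
    """Serialise {key: str|int} into a PARAM.SFO blob (used here to construct test input)."""
    key_table, data_table, index = b"", b"", b""
    for key, value in sorted(attrs.items()):            # real files keep keys sorted
        if isinstance(value, int):
            raw, fmt, slot = struct.pack("<I", value), FMT_UINT32, 4
        else:
            raw, fmt, slot = value.encode("utf-8") + b"\x00", FMT_UTF8, string_slot
        if len(raw) > slot:
            raise SfoError("value for %s exceeds its %d-byte slot" % (key, slot))
        index += ENTRY.pack(len(key_table), fmt, len(raw), slot, len(data_table))
        key_table += key.encode("ascii") + b"\x00"
        data_table += raw.ljust(slot, b"\x00")          # slots are 4-byte multiples already
    key_table += b"\x00" * (-len(key_table) % 4)        # data table starts 4-byte aligned
    key_start = HEADER.size + len(index)
    data_start = key_start + len(key_table)
    return HEADER.pack(MAGIC, SFO_VERSION, key_start, data_start, len(attrs)) + index + key_table + data_table


def parse_sfo(blob):
    """Parse a PARAM.SFO blob, refusing any entry whose offsets or lengths leave its table."""
    if len(blob) < HEADER.size:
        raise SfoError("truncated header")
    magic, _version, key_start, data_start, count = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise SfoError("bad magic")
    index_end = HEADER.size + count * ENTRY.size
    if not (index_end <= key_start <= data_start <= len(blob)):
        raise SfoError("table offsets out of range")
    key_table, data_table, attrs = blob[key_start:data_start], blob[data_start:], {}
    for i in range(count):
        key_off, fmt, dlen, dmax, doff = ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)
        key_end = key_table.find(b"\x00", key_off)
        if key_off >= len(key_table) or key_end < 0:
            raise SfoError("entry %d: key offset outside key table" % i)
        key = key_table[key_off:key_end].decode("ascii")
        # The declared length may never exceed the slot, and the whole slot must lie inside the file.
        if dlen > dmax or doff + dmax > len(data_table):
            raise SfoError("entry %s: data_len %d exceeds slot %d or file" % (key, dlen, dmax))
        raw = data_table[doff:doff + dlen]
        if fmt == FMT_UINT32:
            if dlen != 4:
                raise SfoError("entry %s: uint32 with length %d" % (key, dlen))
            attrs[key] = struct.unpack("<I", raw)[0]
        elif fmt in (FMT_UTF8, FMT_UTF8_RAW):
            attrs[key] = raw.split(b"\x00", 1)[0].decode("utf-8", errors="replace")
        else:
            raise SfoError("entry %s: unknown data format 0x%04x" % (key, fmt))
    return attrs


def safe_preview(attrs):
    """Output encoding: escape markup metacharacters in every string the preview will render."""
    return {k: html.escape(str(attrs.get(k, "")), quote=True) for k in DISPLAYED_KEYS}


def name_is_clean(name, slot=128):
    """Input restriction: printable text, no markup/command metacharacters, fits the slot with its NUL."""
    return 0 < len(name.encode("utf-8")) < slot and all(ch.isprintable() and ch not in FORBIDDEN for ch in name)


def overstate_data_len(blob, entry_index, new_len):
    """Malformed-file fixture: rewrite one index entry so data_len exceeds its slot."""
    off = HEADER.size + entry_index * ENTRY.size
    key_off, fmt, _dlen, dmax, doff = ENTRY.unpack_from(blob, off)
    return blob[:off] + ENTRY.pack(key_off, fmt, new_len, dmax, doff) + blob[off + ENTRY.size:]


def is_well_formed(blob):
    """True when parse_sfo accepts the blob, False when it raises SfoError."""
    try:
        parse_sfo(blob)
        return True
    except SfoError:
        return False


if __name__ == "__main__":
    blob = build_sfo(SAMPLE)
    attrs = parse_sfo(blob)
    print("raw TITLE      :", attrs["TITLE"])
    print("escaped TITLE  :", safe_preview(attrs)["TITLE"])
    print("TITLE accepted :", name_is_clean(attrs["TITLE"]))
    print("oversized entry:", is_well_formed(overstate_data_len(blob, 0, 4096)))
```

Escaping at display time (safe_preview) is the mitigation that works even for saves that already exist on USB sticks, since the firmware controls the rendering step; the whitelist (name_is_clean) belongs at the point where the save is created or imported. The slot check in parse_sfo is independent of both: a data_len larger than data_max_len, or a slot that runs past the end of the file, is rejected before any value is decoded.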