Connexion

[NEWS]Une grosse faille dans le firmware 4.31 : News - PS3-Infos

[NEWS]Une grosse faille dans le firmware 4.31   

Les news du Hack PS3 postées sur PS3 Infos

[NEWS]Une grosse faille dans le firmware 4.31

Messagepar Attila » Mar 28 Mai 2013 13:35

imageUne faille vient d'être dévoilée concernant la PS3, et celle-ci touche tous les firmwares jusqu'en 4.31. Cette faille pourrait être utilisée pour jailbreaker toutes les consoles et sans aucune soudure !

La faille concerne la non vérification des données dans le nom des sauvegardes.
Ainsi pour exploiter celle-ci, il faut générer un param.sfo provenant d'une sauvegarde d'un jeu et le modifier.

Voici le message complet concernant la faille :
Code: Tout sélectionner
    Title:
    ======
    Sony PS3 Firmware v4.31 - Code Execution Vulnerability
     
     
    Date:
    =====
    2013-05-12
     
     
    References:
    ===========
    http://www.vulnerability-lab.com/get_content.php?id=767
     
     
    VL-ID:
    =====
    767
     
     
    Common Vulnerability Scoring System:
    ====================================
    6.5
     
     
    Introduction:
    =============
    The PlayStation 3 is the third home video game console produced by Sony Computer Entertainment and the successor to the
    PlayStation 2 as part of the PlayStation series. The PlayStation 3 competes with Microsoft`s Xbox 360 and Nintendo`s Wii
    as part of the seventh generation of video game consoles. It was first released on November 11, 2006, in Japan, with
    international markets following shortly thereafter.
     
    Major features of the console include its unified online gaming service, the PlayStation Network, its multimedia capabilities,
    connectivity with the PlayStation Portable, and its use of the Blu-ray Disc as its primary storage medium.
     
    (Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_3 )
     
     
    PlayStation Network, often abbreviated as PSN, is an online multiplayer gaming and digital media delivery service provided/run
    by Sony Computer Entertainment for use with the PlayStation 3, PlayStation Portable, and PlayStation Vita video game consoles.
    The PlayStation Network is the video game portion of the Sony Entertainment Network.
     
    (Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_Network)
     
     
    Abstract:
    =========
    The Vulnerability Laboratory Research Team discovered a code execution vulnerability in the official Playstation3 v4.31 Firmware.
     
     
    Report-Timeline:
    ================
    2012-10-26: Researcher Notification & Coordination
    2012-11-18: Vendor Notification 1
    2012-12-14: Vendor Notification 2
    2012-01-18: Vendor Notification 3
    2012-**-**: Vendor Response/Feedback
    2012-05-01: Vendor Fix/Patch by Check
    2012-05-13: Public Disclosure
     
     
    Status:
    ========
    Published
     
     
    Affected Products:
    ==================
    Sony
    Product: Playstation 3 4.31
     
     
    Exploitation-Technique:
    =======================
    Local
     
     
    Severity:
    =========
    High
     
     
    Details:
    ========
    A local code execution vulnerability is detected in the official Playstation3 v4.31 Firmware.
    The vulnerability allows local attackers to inject and execute code out of vulnerable ps3 menu main web context.
     
    There are 3 types of save games for the sony ps3. The report is only bound to the .sfo save games of the Playstation3.
    The ps3 save games sometimes use a PARAM.SFO file in the folder (USB or PS3 HD) to display movable text like marquees,
    in combination with a video, sound and the (path) background picture. Normally the ps3 firmware parse the redisplayed
    save game values & detail information text when processing to load it via usb/ps3-hd. The import ps3 preview filtering
    can be bypassed via a splitted char by char injection of script code or system (ps3 firmware) specific commands.
     
    The attacker syncronize his computer (to change the usb context) with USB (Save Game) and connects to the network
    (USB, COMPUTER, PS3), updates the save game via computer and can execute the context directly out of the ps3 savegame preview
    listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file, an usb device. The attacker
    can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.
     
    The ps3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide
    any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands
    or inject malicious persistent script code.
     
    Successful exploitation of the vulnerability can result in persistent but local system command executions, psn session
    hijacking, persistent phishing attacks, external redirect out of the vulnerable module, stable persistent save game preview
    listing context manipulation.
     
     
    Vulnerable Section(s):
                    [+] PS Menu > Game (Spiel)
     
    Vulnerable Module(s):
                    [+] SpeicherDaten (DienstProgramm) PS3 > USB Gerät
     
    Affected Section(s):
                    [+] Title - Save Game Preview Resource (Detail Listing)
     
     
    Proof of Concept:
    =================
    The firmware preview listing validation vulnerability can be exploited by local attackers and with low or medium required user interaction.
    For demonstration or reproduce ...
     
    The attacker needs to sync his computer (to change the usb context) with USB (Save Game) and connects to the network
    (USB, COMPUTER, +PS3), updates the save game via computer and can execute the context directly out of the ps3 savegame preview
    listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file, an usb device. The attacker
    can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.
     
    The ps3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide
    any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands
    or inject malicious persistent script code out of the save game preview listing.
     
    If you inject standard frames or system unknow commands (jailbreak) without passing the filter char by char and direct sync
    as update you will fail to reproduce!
     
    PoC: PARAM.SFO
     
    PSF  Ä   @                                       h         %          ,           4    
    $  C    @   (  V       h  j 
       €   p  t    €   ð
    ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE   
    40ac78551a88fdc   
    SD
    PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]
     
    Hackizeit: 1:33:07
     
    ExpSkills: VL-LAB-TRAINING
     
    Operation: 1%
    Trojaners: 0%
    ... Õõ~\˜òíA×éú;óç    40ac78551a88fdc
    ...
    BLES00371-NARUTO_STORM-0
    HACKINGBKM 1
    PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];
     
     
     
    Solution:
    =========
    Restrict the savegame name input and disallow special chars.
    Encode the savegame values and redisplaying in the menu preview of the game.
    Parse the strings and values from the savegames even if included string by string via sync.
     
     
    Risk:
    =====
    The security risk of the high exploitable but local vulnerability is estimated as critical and needs to be fixed soon.
     
     
    Credits:
    ========
    Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri  ([email protected])
     
     
    Disclaimer:
    ===========
    The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
    either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
    Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
    profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
    states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
    may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
    or trade with fraud/stolen material.
     
    Domains:    http://www.vulnerability-lab.com       - http://www.vuln-lab.com                 - http://www.vulnerability-lab.com/register
    Contact:    [email protected]     - [email protected]            - [email protected]
    Section:    video.vulnerability-lab.com     - forum.vulnerability-lab.com              - news.vulnerability-lab.com
    Social:     twitter.com/#!/vuln_lab         - facebook.com/VulnerabilityLab            - youtube.com/user/vulnerability0lab
    Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php
     
    Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
    Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
    media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
    other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
    modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.
     
                            Copyright © 2013 | Vulnerability Laboratory


Et voici la partie importante :
Details:
========
A local code execution vulnerability is detected in the official Playstation3 v4.31 Firmware.
The vulnerability allows local attackers to inject and execute code out of vulnerable ps3 menu main web context.

There are 3 types of save games for the sony ps3. The report is only bound to the .sfo save games of the Playstation3.
The ps3 save games sometimes use a PARAM.SFO file in the folder (USB or PS3 HD) to display movable text like marquees,
in combination with a video, sound and the (path) background picture. Normally the ps3 firmware parse the redisplayed
save game values & detail information text when processing to load it via usb/ps3-hd. The import ps3 preview filtering
can be bypassed via a splitted char by char injection of script code or system (ps3 firmware) specific commands.

The attacker syncronize his computer (to change the usb context) with USB (Save Game) and connects to the network
(USB, COMPUTER, PS3), updates the save game via computer and can execute the context directly out of the ps3 savegame preview
listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file, an usb device. The attacker
can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.

The ps3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide
any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands
or inject malicious persistent script code.

Successful exploitation of the vulnerability can result in persistent but local system command executions, psn session
hijacking, persistent phishing attacks, external redirect out of the vulnerable module, stable persistent save game preview
listing context manipulation.


Vulnerable Section(s):
[+] PS Menu > Game (Spiel)

Vulnerable Module(s):
[+] SpeicherDaten (DienstProgramm) PS3 > USB Gerät

Affected Section(s):
[+] Title - Save Game Preview Resource (Detail Listing)


Proof of Concept:
=================
The firmware preview listing validation vulnerability can be exploited by local attackers and with low or medium required user interaction.
For demonstration or reproduce ...

The attacker needs to sync his computer (to change the usb context) with USB (Save Game) and connects to the network
(USB, COMPUTER, +PS3), updates the save game via computer and can execute the context directly out of the ps3 savegame preview
listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file, an usb device. The attacker
can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.

The ps3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide
any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands
or inject malicious persistent script code out of the save game preview listing.

If you inject standard frames or system unknow commands (jailbreak) without passing the filter char by char and direct sync
as update you will fail to reproduce!

PoC: PARAM.SFO

PSF Ä @            h   %     ,   4  
$ C  @ ( V   h j 
€ p t  € ð
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE
40ac78551a88fdc
SD
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]

Hackizeit: 1:33:07

ExpSkills: VL-LAB-TRAINING

Operation: 1%
Trojaners: 0%
... Õõ~\˜òíA×éú;óç 40ac78551a88fdc
...
BLES00371-NARUTO_STORM-0
HACKINGBKM 1
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];



Solution:
=========
Restrict the savegame name input and disallow special chars.
Encode the savegame values and redisplaying in the menu preview of the game.
Parse the strings and values from the savegames even if included string by string via sync.


Risk:
=====
The security risk of the high exploitable but local vulnerability is estimated as critical and needs to be fixed soon.


Cette faille aurait été découverte par Benjamin Kunz Mejri du "Vulnerability Laboratory" et révélée publiquement que maintenant, après avoir indiqué à Sony à plusieurs reprises la faille et après qu'ils l'aient corrigée.

On ne sait pas si la faille suffira à jailbreaker entièrement la console mais une chose est sure, c'est une bonne nouvelle !

Merci lordriri pour l'info.
Avatar de l’utilisateur
Attila
Administrateur du site
 
Messages: 7572
Inscription: Ven 3 Sep 2010 11:53

Re: [NEWS]Une grosse faille dans le firmware 4.31

Messagepar lexou » Mar 28 Mai 2013 19:49

merci pour la news interressant :)
lexou
Apprenti parleur
 
Messages: 173
Inscription: Sam 19 Mar 2011 21:44

Re: [NEWS]Une grosse faille dans le firmware 4.31

Messagepar Carlton99 » Mer 29 Mai 2013 17:50

Très bonne nouvelle !
Espérons que cette faille soit exploitée par les ténors du underground PS3 et qu'elle puisse permettre l'éclosion d'un jailbreak pour toutes nos ps3 (notamment pour tout ceux qui sont en firmware officiel 3.56 et +, ce qui est mon cas) :-)
Carlton99
 
Messages: 3
Inscription: Dim 5 Aoû 2012 19:10

Re: [NEWS]Une grosse faille dans le firmware 4.31

Messagepar mandads » Ven 31 Mai 2013 19:59

super nouvel mais je ne suis pas trop surpris ,ca ne m’étonnerai pas non plus qu'ils hack la ps3 3xxx et ultra slim juste après la sortis de la ps4 histoire d’arrondir les chiffres de vente de la ps3 une derniére fois je me trompe peut-être mais sa sent le complot :p
mandads
 
Messages: 4
Inscription: Ven 31 Mai 2013 19:46

Re: [NEWS]Une grosse faille dans le firmware 4.31

Messagepar firebird35 » Jeu 6 Juin 2013 21:35

salut !!
y a t' il plus d'info sur cette faille ?
firebird35
Débutant
 
Messages: 21
Inscription: Mar 4 Jan 2011 11:11


Retourner vers News

 


  • Articles en relation
    Réponses
    Vues
    Dernier message

Qui est en ligne

Utilisateurs parcourant ce forum: Google [Bot] et 11 invités