Is a modification of Sony's OFW possible?
Quote from AssouGasModz (post 6550220):

Sony's old 4.31 flaw was able to open an even bigger hole that makes a jailbreak possible ;)
Here is the full message about the flaw:

Title:
======
Sony PS3 Firmware v4.31 - Code Execution Vulnerability


Date:
=====
2013-05-12


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=767


VL-ID:
=====
767


Common Vulnerability Scoring System:
====================================
6.5


Introduction:
=============
The PlayStation 3 is the third home video game console produced by Sony Computer Entertainment and the successor to the PlayStation 2 as part of the PlayStation series. The PlayStation 3 competes with Microsoft's Xbox 360 and Nintendo's Wii as part of the seventh generation of video game consoles. It was first released on November 11, 2006, in Japan, with international markets following shortly thereafter.

Major features of the console include its unified online gaming service, the PlayStation Network, its multimedia capabilities, connectivity with the PlayStation Portable, and its use of the Blu-ray Disc as its primary storage medium.

(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_3 )

PlayStation Network, often abbreviated as PSN, is an online multiplayer gaming and digital media delivery service provided/run by Sony Computer Entertainment for use with the PlayStation 3, PlayStation Portable, and PlayStation Vita video game consoles. The PlayStation Network is the video game portion of the Sony Entertainment Network.

(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_Network )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a code execution vulnerability in the official Playstation3 v4.31 Firmware.


Report-Timeline:
================
2012-10-26: Researcher Notification & Coordination
2012-11-18: Vendor Notification 1
2012-12-14: Vendor Notification 2
2012-01-18: Vendor Notification 3
2012-**-**: Vendor Response/Feedback
2012-05-01: Vendor Fix/Patch by Check
2012-05-13: Public Disclosure


Status:
========
Published


Affected Products:
==================
Sony
Product: Playstation 3 4.31


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
A local code execution vulnerability is detected in the official Playstation3 v4.31 Firmware. The vulnerability allows local attackers to inject and execute code out of the vulnerable PS3 main menu web context.

There are 3 types of save games for the Sony PS3. The report is only bound to the .sfo save games of the Playstation3. The PS3 save games sometimes use a PARAM.SFO file in the folder (USB or PS3 HD) to display movable text like marquees, in combination with a video, sound and the (path) background picture. Normally the PS3 firmware parses the redisplayed save game values & detail information text when processing to load it via USB/PS3-HD. The import PS3 preview filtering can be bypassed via a split char-by-char injection of script code or system (PS3 firmware) specific commands.

The attacker synchronizes his computer (to change the USB context) with USB (Save Game) and connects to the network (USB, COMPUTER, PS3), updates the save game via computer and can execute the context directly out of the PS3 savegame preview listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file, a USB device. The attacker can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.

The PS3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands or inject malicious persistent script code.

Successful exploitation of the vulnerability can result in persistent but local system command executions, PSN session hijacking, persistent phishing attacks, external redirect out of the vulnerable module, stable persistent save game preview listing context manipulation.


Vulnerable Section(s):
[+] PS Menu > Game (Spiel)

Vulnerable Module(s):
[+] SpeicherDaten (DienstProgramm) PS3 > USB Gerät

Affected Section(s):
[+] Title - Save Game Preview Resource (Detail Listing)


Proof of Concept:
=================
The firmware preview listing validation vulnerability can be exploited by local attackers and with low or medium required user interaction. For demonstration or reproduce ...

The attacker needs to sync his computer (to change the USB context) with USB (Save Game) and connects to the network (USB, COMPUTER, +PS3), updates the save game via computer and can execute the context directly out of the PS3 savegame preview listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file, a USB device. The attacker can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.

The PS3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands or inject malicious persistent script code out of the save game preview listing.

If you inject standard frames or system unknown commands (jailbreak) without passing the filter char by char and direct sync as update you will fail to reproduce!

PoC: PARAM.SFO

PSF Ä @ h % , 4
$ C @ ( V h j
€ p t € ð
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE
40ac78551a88fdc
SD
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]

Hackizeit: 1:33:07

ExpSkills: VL-LAB-TRAINING

Operation: 1%
Trojaners: 0%
... Õõ~\˜òíA×éú;óç 40ac78551a88fdc
...
BLES00371-NARUTO_STORM-0
HACKINGBKM 1
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];


Solution:
=========
Restrict the savegame name input and disallow special chars.
Encode the savegame values and redisplaying in the menu preview of the game.
Parse the strings and values from the savegames even if included string by string via sync.


Risk:
=====
The security risk of the high exploitable but local vulnerability is estimated as critical and needs to be fixed soon.


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: http://www.vulnerability-lab.com - http://www.vuln-lab.com - http://www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get permission.

Copyright © 2013 | Vulnerability Laboratory


And here is the important part:

Details:
========
A local code execution vulnerability is detected in the official Playstation3 v4.31 Firmware. The vulnerability allows local attackers to inject and execute code out of the vulnerable PS3 main menu web context.

There are 3 types of save games for the Sony PS3. The report is only bound to the .sfo save games of the Playstation3. The PS3 save games sometimes use a PARAM.SFO file in the folder (USB or PS3 HD) to display movable text like marquees, in combination with a video, sound and the (path) background picture. Normally the PS3 firmware parses the redisplayed save game values & detail information text when processing to load it via USB/PS3-HD. The import PS3 preview filtering can be bypassed via a split char-by-char injection of script code or system (PS3 firmware) specific commands.

The attacker synchronizes his computer (to change the USB context) with USB (Save Game) and connects to the network (USB, COMPUTER, PS3), updates the save game via computer and can execute the context directly out of the PS3 savegame preview listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file, a USB device. The attacker can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.

The PS3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands or inject malicious persistent script code.

Successful exploitation of the vulnerability can result in persistent but local system command executions, PSN session hijacking, persistent phishing attacks, external redirect out of the vulnerable module, stable persistent save game preview listing context manipulation.


Vulnerable Section(s):
[+] PS Menu > Game (Spiel)

Vulnerable Module(s):
[+] SpeicherDaten (DienstProgramm) PS3 > USB Gerät

Affected Section(s):
[+] Title - Save Game Preview Resource (Detail Listing)


Proof of Concept:
=================
The firmware preview listing validation vulnerability can be exploited by local attackers and with low or medium required user interaction. For demonstration or reproduce ...

The attacker needs to sync his computer (to change the USB context) with USB (Save Game) and connects to the network (USB, COMPUTER, +PS3), updates the save game via computer and can execute the context directly out of the PS3 savegame preview listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file, a USB device. The attacker can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.

The PS3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands or inject malicious persistent script code out of the save game preview listing.

If you inject standard frames or system unknown commands (jailbreak) without passing the filter char by char and direct sync as update you will fail to reproduce!

PoC: PARAM.SFO

PSF Ä @ h % , 4
$ C @ ( V h j
€ p t € ð
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE
40ac78551a88fdc
SD
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]

Hackizeit: 1:33:07

ExpSkills: VL-LAB-TRAINING

Operation: 1%
Trojaners: 0%
... Õõ~\˜òíA×éú;óç 40ac78551a88fdc
...
BLES00371-NARUTO_STORM-0
HACKINGBKM 1
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];


Solution:
=========
Restrict the savegame name input and disallow special chars.
Encode the savegame values and redisplaying in the menu preview of the game.
Parse the strings and values from the savegames even if included string by string via sync.


Risk:
=====
The security risk of the high exploitable but local vulnerability is estimated as critical and needs to be fixed soon.

It comes from this site: http://www.ps3-infos.fr/forum/news-f42/une-grosse-faille-dans-le-firmware-4-31-t4154.html
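To make the mechanics of the quoted advisory concrete, here is an added example (my own code, not code from the advisory, Vulnerability-Lab or Sony). It builds a PARAM.SFO in memory, parses it back, checks the strings the preview listing displays (TITLE, SUB_TITLE, DETAIL) for the markup characters the PoC payload relies on (the `'>"<` fragment), enforces the per-attribute byte budget the advisory says an attacker is limited to, and HTML-encodes a value the way the Solution section recommends. The PSF layout is the widely documented one (little-endian header, 16-byte index entries, key table, data table); the per-key max lengths, the sample save values, the choice of displayed keys and all function names are my assumptions, and the malicious title is a constructed string shaped like the advisory's, not its original payload.

```python
"""Build, parse and audit a PS3 PARAM.SFO (PSF) save-game descriptor.

Added example for this thread, not code from the advisory or the vendor.
The PSF layout is the documented one; byte budgets, sample values and the
set of displayed keys are assumptions made for the demonstration.
"""
import html
import struct

PSF_MAGIC = b"\x00PSF"
PSF_VERSION = 0x00000101
FMT_UTF8 = 0x0204    # NUL-terminated UTF-8 string
FMT_UINT32 = 0x0404  # 32-bit little-endian integer

# Strings assumed to be rendered by the Saved Data Utility preview listing.
DISPLAYED_KEYS = ("TITLE", "SUB_TITLE", "DETAIL")
# Characters that change meaning once a value lands in a web/markup context.
MARKUP_CHARS = frozenset("<>\"'&%")

# Constructed sample save as (key, value, max_len). Directory name and category
# are the ones visible in the advisory's dump; everything else is made up.
BENIGN_ENTRIES = [
    ("CATEGORY", "SD", 4),
    ("DETAIL", "Chapter 3", 1024),
    ("PARENTAL_LEVEL", 0, 4),
    ("SAVEDATA_DIRECTORY", "BLES00371-NARUTO_STORM-0", 64),
    ("SUB_TITLE", "Story mode", 128),
    ("TITLE", "NARUTO: Ultimate Ninja STORM", 128),
]
# Same save with TITLE swapped for a constructed string shaped like the PoC's '>"< payload.
MALICIOUS_ENTRIES = [
    (k, "PSHACK: Ninja H%20'>\"<[INJECTED]" if k == "TITLE" else v, m)
    for k, v, m in BENIGN_ENTRIES
]


def fits_budget(value: str, max_len: int) -> bool:
    """A string value must fit, including its NUL terminator, in the entry's max_len."""
    return len(value.encode("utf-8")) + 1 <= max_len


def build_sfo(entries) -> bytes:
    """Serialise (key, value, max_len) triples into a PARAM.SFO blob (keys stored sorted)."""
    index = key_table = data_table = b""
    for key, value, max_len in sorted(entries, key=lambda e: e[0]):
        key_off = len(key_table)
        key_table += key.encode("ascii") + b"\x00"
        data_off = len(data_table)
        if isinstance(value, int):
            fmt, raw, max_len = FMT_UINT32, struct.pack("<I", value), 4
        else:
            if not fits_budget(value, max_len):
                raise ValueError(f"{key}: value exceeds its {max_len}-byte budget")
            fmt, raw = FMT_UTF8, value.encode("utf-8") + b"\x00"
        data_table += raw.ljust(max_len, b"\x00")      # each slot is padded to max_len
        index += struct.pack("<HHIII", key_off, fmt, len(raw), max_len, data_off)
    key_table += b"\x00" * ((-len(key_table)) % 4)     # data table starts 4-byte aligned
    key_start = 20 + len(index)                        # 20-byte header precedes the index
    data_start = key_start + len(key_table)
    header = PSF_MAGIC + struct.pack("<IIII", PSF_VERSION, key_start, data_start, len(entries))
    return header + index + key_table + data_table


def parse_sfo(blob: bytes) -> dict:
    """Return {key: (fmt, value, data_len, max_len)} decoded from a PARAM.SFO blob."""
    if blob[:4] != PSF_MAGIC:
        raise ValueError("not a PSF file")
    _version, key_start, data_start, count = struct.unpack_from("<IIII", blob, 4)
    entries = {}
    for i in range(count):
        key_off, fmt, dlen, dmax, doff = struct.unpack_from("<HHIII", blob, 20 + 16 * i)
        key_end = blob.index(b"\x00", key_start + key_off)
        key = blob[key_start + key_off:key_end].decode("ascii")
        raw = blob[data_start + doff:data_start + doff + dlen]
        if fmt == FMT_UINT32:
            value = struct.unpack("<I", raw)[0]
        else:
            value = raw.rstrip(b"\x00").decode("utf-8", errors="replace")
        entries[key] = (fmt, value, dlen, dmax)
    return entries


def audit_sfo(blob: bytes) -> list:
    """Flag displayed strings carrying markup characters as [(key, offending chars)]."""
    findings = []
    for key, (_fmt, value, _dlen, _dmax) in parse_sfo(blob).items():
        if key in DISPLAYED_KEYS and isinstance(value, str):
            bad = "".join(sorted(set(value) & MARKUP_CHARS))
            if bad:
                findings.append((key, bad))
    return findings


def escape_for_preview(value: str) -> str:
    """The fix the advisory asks for: encode the value before it is rendered in the menu."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for name, entries in (("benign", BENIGN_ENTRIES), ("malicious", MALICIOUS_ENTRIES)):
        blob = build_sfo(entries)
        print(name, len(blob), "bytes, findings:", audit_sfo(blob))
    print(escape_for_preview(parse_sfo(build_sfo(MALICIOUS_ENTRIES))["TITLE"][1]))
```

The audit only reports that the characters are present in a displayed field; whether a given console build actually interprets them is the advisory's claim and not something this script can test offline. Applied at import time, `fits_budget` and `audit_sfo` reject a tampered save before it reaches the listing, and `escape_for_preview` at render time neutralises whatever still gets through, which is the layered version of the advisory's three-line Solution.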