funsec mailing list archives

When You Want Buffer Overflows in Your System....


From: Scott Manley <djsnm () djsnm com>
Date: Fri, 23 Sep 2005 13:16:37 -0700

When you've got some closed piece of hardware you want to run homebrew code on... Looks like the latest Sony PSP firmware has finally given in to a 6 month old buffer overflow in LibTiff

http://www.psp-hacks.com/2005/09/23/possible-20-exploit/

It'd been rather amusing watching the various PSP forums over the last few weeks as kiddiez identified all sorts of random bugs in the PSP firmware and then tried to write exploit code; 99% of them never got further than 'this corrupted image crashes my PSP'. The forums have been host to hundreds of spoof claims, accompanied by faked videos or confirmations from 'a friend who heard it on IRC' - but this one at last seems legitimate.

Of course Sony will update the firmware and fix the bug, and the game will begin again.

Ironically, this is a bug in the 2.0 firmware - the first 1.0 firmware allowed execution of unsigned code by default, and the 1.50 update had a well known exploit. Sony rushed out 1.51 and 1.52 with extra security, but nobody wanted to update a 1.50 PSP and lose their ability to run homebrew code, so Sony created 2.0. The 2.0 firmware had some extra layers of protection and encryption to make hacking harder still, but to encourage adoption they added a host of new features, such as a web browser and support for .tiff and .png images, and it's these extra features that allow the exploit. The exploit loads a PNG wallpaper with the shellcode into the framebuffer - the framebuffer has an alpha channel which is set to zero, so the shellcode has to be somewhat smart to work around this limitation. The Tiff image is then loaded which contains the overflow and a return address in the framebuffer.

Overall, not a bad hack considering the limitations.

Scott Manley
imeem.com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.