Wololo.net

psp dev / security

Tiff crashes: a breakpoint is NOT exploitable!

by wololo · January 30, 2010

Here’s another “how to look for exploits” post from me, I hope it’ll be useful to all the people who are currently trying to free the PSPGo from the chains that prevent it to breathe 🙂

Recently we’ve seen lots of crashes involving images, especially TIFF files. Let me start by correcting something here: some people believe that TIFF support has been removed from the PSP after the laughing man tiff exploit. This is NOT true, only support of a class of TIFF files (files with an unassociated alpha layer) has been dropped by Sony. So, yes, even in the latest firmwares, the PSP can display tiff files.

Now let’s go back to the recent crashes. So, you’ve crafted a tiff file that crashes your PSP. Or you’ve found one on the internet. That’s great. People will tell you that this could lead to an exploit. They are right. Other people will tell you that this is an exploit. They are wrong. A crash is not necessarily an exploit, and, in the case of tiff files, a crash is very likely to NOT be an exploit.

Let’s take for example a file that can easily be found these days on various sites, a tiff crash apparently created by CoD3r-D. This files does crash the latest PSP firmwares, but a quick analysis in PSPLink gives us the following:

Ok. So let’s be clear here: the error we get is a breakpoint. a breakpoint cannot lead to an exploit. A breakpoint is how your PSP tells you: “you tried to mess up with me, I’d rather stop everything here, and while I’m at it, I’ll shut down very soon to prove my point.”

Why do these breakpoints happen frequently with Tiff files? Well the libtiff (the library used on the PSP to handle TIFF files) has a pretty good error handling system. Any file that is “corrupted” will trigger some error handling code, that is supposed to spit an error message. That’s how it works on a PC. On the PSP, for some reason, it seems that instead of getting a nice “unsupported file” error screen, in most cases, the PSP just crashes with a breakpoint. It feels like Sony’s engineers have replaced all error handling code with breakpoints, but that’s just my guess so don’t quote me on this.

So I’m saying it again: breakpoint == not exploitable. Keep looking for other crashes!

I’ll try to have a more detailed post on “how to go further” with other crashes, but that’s it from me now 🙂



wololo

We are constantly looking for guest bloggers at wololo.net. If you like to write, and have a strong interest in the console hacking scene, contact me either with a comment here, or in a PM on /talk!

jeerum says:
 February 1, 2010 at 12:24 am
if it is same tiff, what i have tested, then there is some interestin. i get sometime without breakpoint error.
but maybe its just a coincidence
but nice to see so many crashes
PsPLow says:
 February 1, 2010 at 7:25 pm
Hi,
who can test this file in psplink? I’m an ofw 🙁
I think that this File I modified is interesting…
PSP freeze…but it don’t crash!! and it cannot powered off…
Please try it…
I uploaded file to http://hotfile.com/dl/26735751/8f2a311/strangeMP4.zip.html
diesel701 says:
 February 2, 2010 at 3:41 pm
REALLY GOOD POST wololo!
There are too many people who ask if this tiff or this problem is exploitable and I’m annoyed to this many same questions….
Now, I can link this for the reply xD
Thanks!
@PsPLow if the file don’t crash the psp, I think it’s useless.
FrEdDy says:
 February 2, 2010 at 5:24 pm
If only freezes is nothing interesting I think
H@lo World says:
 February 3, 2010 at 7:11 pm
These many crashes are very interesting, but i noticed that there are many bugs since version 6.00.I´ve a few files that are corrupted on 5.XX but on 6.XX they aren´t. I don´t know why but that´s very interesting too. (One of my tiff files say on 6.XX “The System Memory is low”).Let´s see what happens. I think it doesn´t take long time until there comes a real exploit
PsPLow says:
 February 4, 2010 at 1:43 am
I understand… but Psp crash if after you open mp4 video you stand-by psp… Please you try with psplink if it is possible..
CoD3r-D says:
 February 4, 2010 at 11:42 am
Thanks :):)
CoD3r-D says:
 February 4, 2010 at 4:34 pm
Tiff crash by me :D:D
Darkjj says:
 September 3, 2010 at 5:14 am
It actually works if you have 5.03 official firmware and play on slide show on slow…..but I have 6.20.
🙂
Roberto says:
 October 10, 2010 at 9:41 pm
If i made a crash off a bmp,tiff it would be useless but i have another idea what if we use that same photo from ChickHen or a diffrent version we could put that file as a picture on a music selection.Basicly change the picture a mp3 shows with that image.Im going to test this,hope I dont waste my time.
Roberto says:
 October 10, 2010 at 9:41 pm
I would ask wololo to test this also plz
1HandPlay says:
 December 20, 2010 at 1:26 am
i don’t get when is firmware 6.36 going to be released because it shown on wikipedia—????? http://en.wikipedia.org/wiki/PlayStation_Portable_system_software
............ says:
 July 21, 2012 at 4:11 pm
A breakpoint crash can be exploitable. If a stack buffer overrun is detected by the Visual C++’s /GS canary system, a breakpoint exception is raised. If the attacker can guess the canary value, it’s exploitable.