Tiff crashes: a breakpoint is NOT exploitable!
Here’s another “how to look for exploits” post from me; I hope it’ll be useful to all the people who are currently trying to free the PSPGo from the chains that prevent it from breathing 🙂
Recently we’ve seen lots of crashes involving images, especially TIFF files. Let me start by correcting something here: some people believe that TIFF support has been removed from the PSP after the laughing man tiff exploit. This is NOT true: only support for one class of TIFF files (files with an unassociated alpha layer) has been dropped by Sony. So, yes, even in the latest firmwares, the PSP can display tiff files.
Now let’s go back to the recent crashes. So, you’ve crafted a tiff file that crashes your PSP. Or you’ve found one on the internet. That’s great. People will tell you that this could lead to an exploit. They are right. Other people will tell you that this is an exploit. They are wrong. A crash is not necessarily an exploit, and, in the case of tiff files, a crash is very likely to NOT be an exploit.
Let’s take for example a file that can easily be found these days on various sites, a tiff crash apparently created by CoD3r-D. This file does crash the latest PSP firmwares, but a quick analysis in PSPLink gives us the following:
OK. So let’s be clear here: the error we get is a breakpoint, and a breakpoint cannot lead to an exploit. A breakpoint is how your PSP tells you: “you tried to mess with me, I’d rather stop everything here, and while I’m at it, I’ll shut down very soon to prove my point.”
Why do these breakpoints happen so frequently with TIFF files? Well, libtiff (the library used on the PSP to handle TIFF files) has a pretty good error handling system. Any file that is “corrupted” will trigger some error handling code that is supposed to spit out an error message. That’s how it works on a PC. On the PSP, for some reason, it seems that instead of getting a nice “unsupported file” error screen, in most cases the PSP just crashes with a breakpoint. It feels like Sony’s engineers have replaced all the error handling code with breakpoints, but that’s just my guess, so don’t quote me on this.
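To make that concrete, here is an added example (my own code, not from this post, from Sony’s firmware or from libtiff): a bounds-checked walk over a TIFF header and its first IFD that routes corrupt or unsupported input to an error callback, the “unsupported file” path the post says libtiff is built for, instead of trapping. The tag number and the unassociated-alpha value are the real TIFF constants; the callback signature, the return codes and the sample buffers are my own assumptions, constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TIFFTAG_EXTRASAMPLES   338  /* real TIFF tag number */
#define EXTRASAMPLE_UNASSALPHA 2    /* real TIFF value: unassociated alpha */

typedef void (*tiff_error_fn)(const char *msg);  /* assumed callback shape */

/* Default handler: counts and prints, i.e. the graceful error path, no trap. */
static int error_count = 0;
static void report_error(const char *msg) { error_count++; fprintf(stderr, "tiff: %s\n", msg); }

/* Endian-aware field readers; a TIFF file declares its byte order in the header. */
static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Returns 0 if header and first IFD are well-formed, -1 if corrupt,
 * -2 if well-formed but using unassociated alpha (the class Sony dropped). */
int tiff_check(const uint8_t *buf, size_t len, tiff_error_fn err) {
    if (len < 8) { err("truncated header"); return -1; }
    int le;
    if (!memcmp(buf, "II", 2)) le = 1;
    else if (!memcmp(buf, "MM", 2)) le = 0;
    else { err("bad byte-order mark"); return -1; }
    if (rd16(buf + 2, le) != 42) { err("bad magic"); return -1; }
    uint32_t ifd = rd32(buf + 4, le);
    if (ifd < 8 || ifd > len - 2) { err("IFD offset out of range"); return -1; }
    uint16_t n = rd16(buf + ifd, le);
    size_t avail = len - ifd - 2;  /* bytes left for n*12 entries plus a 4-byte next-IFD pointer */
    if (n == 0 || avail < 4 || n > (avail - 4) / 12) { err("IFD entry count out of range"); return -1; }
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint16_t tag = rd16(e, le), type = rd16(e + 2, le);
        uint32_t count = rd32(e + 4, le);
        /* only inline SHORT values (count <= 2) are inspected; longer arrays are stored out-of-line */
        if (tag == TIFFTAG_EXTRASAMPLES && type == 3 && count >= 1 && count <= 2 &&
            rd16(e + 8, le) == EXTRASAMPLE_UNASSALPHA) { err("unsupported: unassociated alpha"); return -2; }
    }
    return 0;
}

/* Constructed little-endian samples: a valid 1-entry IFD, one with ExtraSamples=2,
 * one whose IFD offset points past the buffer, one whose entry count overruns it. */
const uint8_t tiff_ok[]  = {'I','I',42,0, 8,0,0,0, 1,0, 0,1,3,0,1,0,0,0,16,0,0,0, 0,0,0,0};
const uint8_t tiff_ua[]  = {'I','I',42,0, 8,0,0,0, 1,0, 0x52,1,3,0,1,0,0,0,2,0,0,0, 0,0,0,0};
const uint8_t tiff_off[] = {'I','I',42,0, 0,0x10,0,0};
const uint8_t tiff_cnt[] = {'I','I',42,0, 8,0,0,0, 0xFF,0xFF};
```

Every rejected sample ends in a returned error code and a message, which is the behaviour a crash-hunter wants to see replaced by memory corruption before calling anything an exploit.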
So I’m saying it again: breakpoint == not exploitable. Keep looking for other crashes!
I’ll try to have a more detailed post on “how to go further” with other crashes, but that’s it from me now 🙂