libxml2 vulnerability, a new hack vector for Vita and PS4?
Scene member Dragood2 dropped by our forums recently to point out a new vulnerability in libxml2, an open source XML processing library.
The interesting part for readers of this blog is that libxml2 is a library used both on the PS4 and the PS Vita. An exploitable vulnerability in the library could potentially be ported to these consoles.
I was expecting the forum thread to generate lots of replies, but it hasn’t received the attention it deserves so far. The vulnerability is fresh, so it is most likely present on the PS4 and the PS Vita. The question, of course, is whether this could lead to an exploit or not. From the oss-sec mailing list (via dragood2):
A couple of weeks back, while working on a related bug [CVE-2016-3627], I discovered a specially created xml file is capable of triggering a stack overflow before libxml2 can detect it's an invalid xml file.
The vulnerability triggers a stack overflow, and now has its own CVE: CVE-2016-3705.
For the PS4, CTurt has confirmed to me that FreeBSD has had Stack Protector baked in since FreeBSD 8.0, meaning that this vulnerability (if confirmed on PS4) would be useless on its own (unless some other exploit could help bypass stack protection?).
Status of the vulnerability on the PS Vita is unknown so far and I don’t think anyone has tested. I do not know if the PS Vita’s firmware has some sort of stack protection implemented. Given that the PS Vita has been a tough nut to crack with pretty advanced security, it wouldn’t be surprising, but it would be great if Vita experts could chime in.
In order to test, someone would need to confirm whether the test file (provided in the source link below) actually crashes the PS Vita (or the PS4) when accessed. To get the console to access such an XML file, one might have to use a proxy such as SKFU Pr0xy in order to trick the console into downloading the test file instead of one of the regular XML files it uses, for example to check for firmware updates.
There’s some test work to be done here, but nothing fundamentally hard.
Normally I would not blog about this in such early stages, when nothing’s been confirmed, but I think this needs some visibility, and people with time+skills to confirm if something can be done with this.
Source: oss-sec mailing list, via dragood2 on /talk (repro xml file in the bugzilla link)
Update: we initially and incorrectly implied that dragood2 was behind the vulnerability; the article has been altered to correct that.
Are we finally going to get some love on the PS-Vita?
“For the PS4, CTurt has confirmed to me that FreeBSD has had Stack Protector baked in since FreeBSD 8.0”
Cturt on twitter 4 days ago:
https://twitter.com/CTurtE/status/727114115630698496
“Just finished a new FreeBSD kernel exploit! I chained together a heap overflow with a stack overflow and a stack protector bypass.”
Stack Protection or not? 🙂
He already has code execution in this case. This won’t help. We’ll probably need a read primitive from a WebKit infoleak to chain this together with the libxml2 stack overflow.
Due to the stack protection cookie, we would also need an information disclosure (a read primitive which would allow us to view that value on the stack). Time to start fuzzing libxml2? Is it part of the web browser process? (That would make our target bigger while hunting for a read primitive.)
So we might be able to revive the Vita from the dead?
no
No, it’s more like stacking it into another big *** coffin even though it’s in a coffin already.
Maximum hype for a Vita exploit! CMON!
On trying it as psp2-updatelist.xml, it just gave the error: C3-12077-7
How did you download it?
If there’s a will, there’s a way
Wonder if this could be paired with the Webkit exploit for Vita on 3.18 and lower…
So I tried the XML file (I hope I got the right one) and gave it to my Vita. I used the system settings update option to feed it the XML via proxy and it gave me: An error has occurred (C3-12077-7), so I’m not sure if it’s because it doesn’t find the update xml file or if it’s because of the modified xml. I’m guessing the first one, so not really getting my hopes up here.
Yes 😀 I always knew that something might pop up for Vita after PS4, because in implementation they are really similar 😀
Actually, they aren’t that similar and the Vita is a heck of a lot more secure
If no one has commented on the thread, it is because there are people who know more than he claims to know.
Untasted already know whether or not at PsVita.
It’s probably useless for PS Vita. I don’t think it’s capable of bypassing ASLR. WebKit and Mono exploitation were possible because they can dump RAM and deal with the dump using JavaScript or a Mono program.
Anyway, I think it’s a good point to start exploiting. XML is used everywhere, and potentially privileged. If you can manage to run malformed XSLT (a programming language in XML), that can be a breakthrough.
exploit for vita…………yeah, right……..when me S.H.I.T turns purple and starts to smell like rainbow sherbet :p
Hacker,i you love only love!!Hacker,good luck to hack PS4 PS Vita!
I you love only love? wtflol
Stanislav, wants to make love with the hackers in return of ROM loaders. Fair trade I think.
lol
I don’t know why people are expecting a vita hack, that’s like bombarding its current kind of dead but still a bit alive economy of games in Japan and localizations so it can finally turn into a dust or worse, a particle.
I’m just looking for better SNES emulation on a handheld. I don’t care much for Vita games…
why not use your smartphone?
Physical buttons.
Moga controller
The New 3DS (804 MHz) is the best so far for SNES emulation WITH buttons. But you still only get like ~70-80% accuracy since it’s 804 MHz (a bit less than a typical smartphone today). PS Vita only has 333-400 MHz and is much slower than New 3DS when doing SNES emulation. So yeah, New 3DS is much better suited for it, which is why Nintendo gave it official SNES-emulated games.
The Wii U uses a 1 GHz ARM for that, so it’s nearly perfect. But you cannot carry it around with you 😉
The PSP is 333, the Vita has not yet been disclosed. Also, the Vita has multiple cores, where the PSP only had 2.