Two new(ish) .png vulnerabilities

[n00neimp0rtant]

Advertising

As we have yet to see a public release of any real Vita hacks, I figured I might start some SPECULATION

In the past few months, two libpng vulnerabilities have been discovered and patched. They are:

• CVE-2011-3045 - Integer signedness error in png_inflate function.
• CVE-2011-3048 - Memory corruption using png_set_text_2.

Like I said, both of these have been discovered and patched in the official releases of libpng, but considering how newly they have been discovered, I highly doubt the latest Vita system software revisions have incorporated the patches. Now I know the Vita works differently than the PSP when it comes to running unsigned code (it can't, lol), so as I'm new to this sort of exploitation, I haven't a clue if a bug in an image library even means anything anymore (other than a new version of VHBL) and that kernel access is what we really need to get the ball rollling. I figured I would share while I'm doing my own research on these bugs just to see if anyone else can benefit from it. The roadblock for me is that I don't know how to craft any .pngs to set either of these off (but this guy does).

[Z80]

Advertising

maybe iam blind but i dont see libpng license in system/intellectual property notices on vita -> no libpng used in system software ?. -> useless :/

edit:
but 1.2.4x is used in psp firmware on vita

[n00neimp0rtant]

http://www.vitadevwiki.com/index.php?title=Licensing

[Z80]

as i say before there is missing point 9.libpng in licenses on my vita firmware 1.67 .. maybe libpng is used in earlier firmware ...
anyway i am trying to work on vulnerable .png file and trying run on vita or psp vita emu

[Z80]

btw libpng used in vita mono PSS,PSM is probably version 1.2.46 and png_decompress_chunk is there ...)

[yifanlu]

AFAIK, the vita only uses libpng on webkit (for the internet browser). In the system, there is scePng, which is ported from the PSP. I've played with scePng and I found one bug which is that you have negative widths and heights. The crash doesn't produce anything useful though.

[Z80]

AFAIK
psm.exe contain string libpng and psm for android file psmdevassistant.apk->libdefault.so contain libpng1.2.46 so i think that mono for vita uses similar library as mono runtime
in vita psp firmware i have found this libpng1.2.47 too

[yifanlu]

AFAIK
psm.exe contain string libpng and psm for android file psmdevassistant.apk->libdefault.so contain libpng1.2.46 so i think that mono for vita uses similar library as mono runtime
in vita psp firmware i have found this libpng1.2.47 too

What does mono use libpng for? Could it be that psm.exe just uses it for something like displaying icons? Aka, no user control over input?

[hgoel0974]

I guess it should be usable, Welcome Park uses OpenCV which relies on LibPNG

[yifanlu]

I take back what I said. The Android version of PSM uses:

libpng version 1.2.46 - July 9, 2011

for Sce.Playstation.Core.Imaging although it is still possible that the Vita uses scePng instead.