
Research on PSM privilege escalation (and a puzzle to solve)

yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am

Research on PSM privilege escalation (and a puzzle to solve)

Post by yifanlu »

I'm sure many have tried looking at PSM as a possible way of getting native/unsigned code running, but I haven't seen any reports on it. I'm hoping that here, we can discuss our findings and such. I read most of the mono codebase (very messy and confusing), disassembled and read PSM for windows and android (because in theory the code on the vita should be similar because the windows and android ones are similar), decompiled PSM's mscorlib.dll and the various sony libraries, and USB sniffed debug traffic.

First, I want to talk about some of the things I've tried and failed. My first thought is that we should look at mono-specific things, as implementors may overlook these things. For example, reading http://www.mono-project.com/Interop_wit ... _Libraries, we see that mono allows a DLL name of "__Internal" to refer to loaded functions (aka libc and such). (Unfortunately, it's not as easy as loading exec() from __Internal.) There's also dllmap, which can map library names to other names. Specify the config file from the environment variable MONO_CONFIG and you can "rename" libraries. (Unfortunately, not much here either because PSM never loads any libraries through managed code.) I've also taken a look at assembly signing and how signing with the ECMA key (all zeros except for one byte) allows you to sign system libraries. (Unfortunately, mono doesn't really care about signing, so even if you sign a library as system, nothing really changes.) I've tried using .NET Reflector to rename references to mscorlib and see if we can load another library with custom commands. Doesn't work because the name mscorlib.dll is basically hard coded inside mono and references to it are just a formality. I also tried to use reflection to access private and protected methods/fields, but it doesn't work because of the security manager.

Now, here's my attempt at hacking PSM. Please note that this is most likely not the only avenue and I look forward to ideas of other routes.

So what security is in place to prevent running unmanaged code? First and most importantly, the CoreCLR security manager is turned on. (In fact it is the very first thing PSM does when it starts.) This means that all code running is untrusted and cannot call "SecurityCritical" methods. Next, sony made sure that any method that can lead to unmanaged code running is marked as "SecurityCritical". This means all the methods in System.Runtime.Interop.Marshal. This includes Marshal.PreLink(), which is what is called when you do a DllImport() attribute on an extern method. This also includes the various bridging methods like reading IntPtr and any method that can read/write unmanaged memory. Obviously, they also disabled methods to start processes and in fact even methods to find what path the current domain is in. Most of the icalls are SecurityCritical too, and those that must be called are usually called indirectly through another system method. So in order to run unmanaged code, we can either a) somehow get mono to think our code is trusted, which is hard because all code loaded by untrusted code is untrusted and our code is first loaded as untrusted, or b) somehow disable the security manager, which is harder since this would have to be in the realm of exploiting mono, which is a fairly mature project (the last vulnerability was discovered in 2010 and sony's using an April 2012 version of mono). But the one silver lining is that (AFAIK from looking at the android and windows versions) there is no sony-specific security in place and the only thing preventing unsigned code from running are mono features themselves, which we have the source code for.

I've spent most of my time trying to find how to make mono think our code is trusted. Basically what happens is that the core assemblies are hard coded as trusted and, with some exceptions, all other trusted code is determined by the core libraries. So the idea is, how do we make mono think we are loading a core assembly? What happens is that the implementation of the mono runtime (in our case psm.exe (windows), libdefault.so (android), and EBOOT.bin (vita)) passes a callback function to libmono, and this function is called with the name of the assembly to check if it is verified. The name is either the canonized path of the assembly if it is external, or just the filename if it is internal (AFAIK, the Vita system assemblies are internal).

Now I've found a tiny bug to work with: glib2 only looks at POSIX-styled path separators (/) while the Vita can interpret both Windows-styled \ and POSIX-styled /. It's not much, but it's something to start with. In order to disable the security manager, first you must make mono think that the library being loaded is a system library. Sony has hard coded the names "mscorlib.dll", "System.dll", and "Sce.PlayStation.Core.dll" and does a strcmp() with the canonical path of the library being loaded. However, if Mono sees that the basename of the library being loaded is "mscorlib.dll" or any of the other two, it will try to load the embedded version instead of our own. So, what we need to do is feed a path to Assembly.LoadFile() that a) the Vita recognizes, b) gets past the security manager by thinking it's a core library, and c) gets past mono's loader by thinking it's an external library.

If we get past the security manager, running unsigned code is as simple as calling an extern function. No need to deal with stacks or memory addresses. Here's how you can help. I've basically made an application, almost a game, that allows you to test input paths. It includes the actual mono and eglib functions used by PSM to test the names. If, through either passing some malformed string or somehow exploiting the functions themselves, you get all three tests to pass, please tell us. Think of it as a puzzle: using the given bug on path separators and any other bugs, find a string that passes the three conditions. I wish I could offer a prize, but I don't have anything except gratitude :P

https://gist.github.com/3278820
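The separator mismatch described in the post, shown from the defender's side as an added example that is not part of the original post or of the linked gist, and not Sony's or Mono's code: a POSIX-only basename (the behaviour the post attributes to eglib) beside a separator-aware one, a consistency check that flags any path on which the two disagree about whether the file is a core assembly, and the mitigation of canonicalizing separators once and feeding the same canonical string to every check. The core-name list mirrors the three names quoted in the post; the sample paths and the `example:` prefix are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The three names the post says the host hard codes and compares with strcmp().
 * Constructed allowlist for this example, not the real PSM table. */
static const char *CORE_NAMES[] = {
    "mscorlib.dll", "System.dll", "Sce.PlayStation.Core.dll"
};

/* Basename that treats only '/' as a separator, modelling the eglib
 * behaviour the post describes. A backslash is an ordinary character here. */
const char *basename_posix(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Basename that treats both '/' and '\\' as separators, modelling a platform
 * (like the Vita, per the post) that accepts either style. */
const char *basename_any(const char *path) {
    const char *start = path;
    for (const char *p = path; *p; p++)
        if (*p == '/' || *p == '\\') start = p + 1;
    return start;
}

/* Exact-name membership test against the core allowlist. */
bool is_core_name(const char *name) {
    for (size_t i = 0; i < sizeof CORE_NAMES / sizeof *CORE_NAMES; i++)
        if (strcmp(name, CORE_NAMES[i]) == 0) return true;
    return false;
}

/* Audit check: two components that decide trust and loading for the same
 * file must agree on what file they are looking at. Returns false when the
 * POSIX-only view and the separator-aware view disagree about whether the
 * path names a core assembly; such a path is exactly the kind the post
 * describes, and a loader should reject it rather than let the checks diverge. */
bool views_agree(const char *path) {
    return is_core_name(basename_posix(path)) == is_core_name(basename_any(path));
}

/* Mitigation: rewrite every '\\' to '/' before any check runs, so all
 * components see the same canonical string. */
void canonicalize(const char *in, char *out, size_t outsz) {
    size_t i;
    for (i = 0; i + 1 < outsz && in[i]; i++)
        out[i] = (in[i] == '\\') ? '/' : in[i];
    out[i] = '\0';
}

/* Convenience wrapper: canonicalize into a local buffer, then re-run the
 * agreement check on the canonical form. */
bool agrees_after_canonicalize(const char *path) {
    char buf[512];
    canonicalize(path, buf, sizeof buf);
    return views_agree(buf);
}

int main(void) {
    /* Constructed sample paths, not real Vita locations. */
    const char *samples[] = {
        "example:/dir/app.dll",
        "example:/dir/mscorlib.dll",
        "example:\\dir\\mscorlib.dll",
        "example:/dir\\mscorlib.dll",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-32s raw views agree: %-5s after canonicalize: %s\n",
               samples[i],
               views_agree(samples[i]) ? "yes" : "no",
               agrees_after_canonicalize(samples[i]) ? "yes" : "no");
    return 0;
}
```

The point of the check is not which basename is "right" but that a trust decision and a load decision made on different views of the same string is a design defect: once separators are canonicalized up front, the two views collapse into one and the class of bug disappears regardless of what the platform's filesystem accepts.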
ipadboy00
Banned
Posts: 69
Joined: Tue Jul 17, 2012 9:39 pm

Re: Research on PSM privilege escalation (and a puzzle to so

Post by ipadboy00 »

No.
You wasted your time by the way.
fate6
Big Beholder
Posts: 7599
Joined: Fri Mar 09, 2012 1:18 am
Location: [fate6@Canterlot ~]$

Re: Research on PSM privilege escalation (and a puzzle to so

Post by fate6 »

you have no idea who you are talking to, do you?
if anyone can figure out a way out of the sandbox, it's yifanlu ;)
anon wrote:If you can't trust a 600 year old vampire in a prepubescent girl's body, who can you trust?
SFX
Posts: 28
Joined: Mon May 28, 2012 12:03 am

Re: Research on PSM privilege escalation (and a puzzle to so

Post by SFX »

ipadboy00 wrote:No.
You wasted your time by the way.
No offense, but I think it would help if you weren't so negative in every thread you were in, or passing on wrong information.
poettlr
Posts: 38
Joined: Mon May 14, 2012 2:10 pm

Re: Research on PSM privilege escalation (and a puzzle to so

Post by poettlr »

I posted this link in the programming section, but in case you overlooked it: http://www.mono-project.com/Vulnerabilities. I have no knowledge at all about such things :( I am a developer and a developer only, but maybe it helps.
Seaking
Posts: 95
Joined: Thu Apr 12, 2012 9:35 pm
Location: Ohio

Re: Research on PSM privilege escalation (and a puzzle to so

Post by Seaking »

ipadboy00 wrote:No.
You wasted your time by the way.
Can this guy get a warning for being so negative? I call this the last straw.
celcodioc
Posts: 131
Joined: Sat Jun 09, 2012 8:50 am
Location: Sweden

Re: Research on PSM privilege escalation (and a puzzle to so

Post by celcodioc »

I'm a curious noob.
Is "pss0:/top/Applications/" a placeholder, or is that where the apps really are stored? If it isn't a placeholder, how did you find it out?
ipadboy00
Banned
Posts: 69
Joined: Tue Jul 17, 2012 9:39 pm

Re: Research on PSM privilege escalation (and a puzzle to so

Post by ipadboy00 »

Oh, you want to give me a warning? Fate6 deserves one more than I do, and he's been here longer. I'm willing to bet that if a new guy showed up with this exact same thread, then you all would bash him. But if a well-known guy (I guess the OP is) posts this, he gets praised and some sort of award.

Anyways, I guess (from what these kids are saying) you didn't waste your time. But this is a timed open beta that WILL close sooner than you think.
Xian Nox
Retired Mod
Posts: 2744
Joined: Fri Nov 05, 2010 5:27 pm
Location: Over the hills and far away

Re: Research on PSM privilege escalation (and a puzzle to so

Post by Xian Nox »

I don't care who's right and who's wrong, so either contribute something, or shut up and don't post anything if you have nothing to say. Thank you for your understanding.
KrewOwns
Posts: 53
Joined: Sun Apr 15, 2012 7:21 am
Location: California

Re: Research on PSM privilege escalation (and a puzzle to so

Post by KrewOwns »

ipadboy00 wrote:Oh, you want to give me a warning? Fate6 deserves one more than I do, and he's been here longer. I'm willing to bet that if a new guy showed up with this exact same thread, then you all would bash him. But if a well-known guy (I guess the OP is) posts this, he gets praised and some sort of award.

Anyways, I guess (from what these kids are saying) you didn't waste your time. But this is a timed open beta that WILL close sooner than you think.

Just drop it. I doubt you could get a warning for being "negative," as it would be a ridiculous thing to get a warning for, but you could get a warning for spamming.

I'm technically spamming by writing this, and not contributing to the thread, but I just feel the need to say this.

Just build your reputation here, and you'll get respect, although everyone respects each other enough to say this is a good community.