Vulnerability Lab is having a hard time communicating with Sony

May 29, 2013 12:41 GMT

Researchers from Vulnerability Lab have identified a high-severity local code execution vulnerability in version 4.31 of the firmware installed on Sony’s PlayStation 3 consoles. The flaw was reported to Sony in October 2012 but was only recently fixed.

According to Vulnerability Lab, left unfixed, the flaw could be exploited by a local attacker to inject and execute arbitrary code on an affected console via a USB device.

Here is the technical description of the vulnerability from Vulnerability Lab’s report:

“There are 3 types of save games for the Sony PS3. The report is only bound to the .sfo save games of the PlayStation 3. The PS3 save games sometimes use a PARAM.SFO file in the folder (USB or PS3 HD) to display movable text like marquees, in combination with a video, sound and the (path) background picture.

Normally the PS3 firmware parses the redisplayed save game values & detail information text when processing to load it via USB/PS3-HD. The import PS3 preview filtering can be bypassed via a split char by char injection of script code or system (PS3 firmware) specific command.

The attacker synchronizes his computer (to change the USB context) with USB (Save Game) and connects to the network (USB, COMPUTER, PS3), updates the save game via computer and can execute the context directly out of the PS3 save game preview listing menu (USB/HD).

The exploitation requires local system access, a manipulated .sfo file, and USB device. The attacker can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.

The PS3 filter system of the SpeicherDaten (DienstProgramm) [Saved Data (Utility)] module does not recognize special chars and does not provide any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands or inject malicious persistent script code.”
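The advisory says the save-game preview trusts the string attributes in PARAM.SFO: the declared lengths are the only bound on the injected payload, and the filter does not reject special characters. As an added example (not code from Vulnerability Lab, Sony, or the original article), the following parser reads the PARAM.SFO container format, rejects entries whose declared data length exceeds the declared maximum or whose offsets fall outside the file, and validates the fully decoded display strings (TITLE, SUB_TITLE, DETAIL) as a whole rather than filtering fragments, which is the check a byte-by-byte filter of the kind the advisory describes would miss. The sample files are constructed inline; the key names used are typical of PS3 save games but are an assumption here, and nothing below reproduces the exploit itself.

```python
import struct

# PARAM.SFO ("PSF") layout: 20-byte header, then 16-byte index entries,
# then a NUL-separated key table, then the data table.
PSF_MAGIC = b"\x00PSF"
PSF_VERSION = 0x0101
FMT_UTF8_SPECIAL = 0x0004   # UTF-8 string, not NUL-terminated
FMT_UTF8 = 0x0204           # UTF-8 string, NUL-terminated
FMT_INT32 = 0x0404          # little-endian 32-bit integer


def build_sfo(entries):
    """Build a PARAM.SFO blob from (key, fmt, value_bytes, max_len) tuples (test helper)."""
    entries = sorted(entries, key=lambda e: e[0])          # real files keep keys sorted
    key_table, data_table, index = b"", b"", b""
    key_offsets, data_offsets = [], []
    for key, fmt, value, max_len in entries:
        key_offsets.append(len(key_table))
        key_table += key.encode("ascii") + b"\x00"
        data_offsets.append(len(data_table))
        data_table += value.ljust(max_len, b"\x00")        # no-op if value is over-long
    while len(key_table) % 4:                              # key table padded to 4 bytes
        key_table += b"\x00"
    key_start = 20 + 16 * len(entries)
    data_start = key_start + len(key_table)
    for (key, fmt, value, max_len), ko, do in zip(entries, key_offsets, data_offsets):
        index += struct.pack("<HHIII", ko, fmt, len(value), max_len, do)
    header = PSF_MAGIC + struct.pack("<IIII", PSF_VERSION, key_start, data_start, len(entries))
    return header + index + key_table + data_table


def parse_sfo(blob):
    """Parse PARAM.SFO into {key: value}, enforcing every length/offset field."""
    if len(blob) < 20 or blob[:4] != PSF_MAGIC:
        raise ValueError("bad magic")
    _version, key_start, data_start, count = struct.unpack_from("<IIII", blob, 4)
    if count > 255 or 20 + 16 * count > key_start or key_start > data_start or data_start > len(blob):
        raise ValueError("table layout out of bounds")
    out = {}
    for i in range(count):
        ko, fmt, dlen, dmax, do = struct.unpack_from("<HHIII", blob, 20 + 16 * i)
        kpos = key_start + ko
        kend = blob.index(b"\x00", kpos, data_start)       # key must end inside the key table
        key = blob[kpos:kend].decode("ascii")
        if dlen > dmax or data_start + do + dmax > len(blob):
            raise ValueError(f"{key}: data_len {dlen} / max {dmax} out of bounds")
        raw = blob[data_start + do:data_start + do + dlen]
        if fmt == FMT_INT32:
            if dlen != 4:
                raise ValueError(f"{key}: int32 with length {dlen}")
            out[key] = struct.unpack("<I", raw)[0]
        elif fmt in (FMT_UTF8, FMT_UTF8_SPECIAL):
            if fmt == FMT_UTF8:
                if not raw.endswith(b"\x00"):
                    raise ValueError(f"{key}: missing NUL terminator")
                raw = raw[:-1]
            out[key] = raw.decode("utf-8")                  # strict: malformed bytes raise
        else:
            raise ValueError(f"{key}: unknown format {fmt:#06x}")
    return out


def check_display_text(key, text):
    """Reject C0/C1 control characters and Unicode line separators in text shown by the preview."""
    for ch in text:
        cp = ord(ch)
        if cp < 0x20 or 0x7F <= cp < 0xA0 or cp in (0x2028, 0x2029):
            raise ValueError(f"{key}: control character U+{cp:04X} rejected")
    return text


def load_save_params(blob):
    """Parse and validate the strings the save-game listing would display."""
    params = parse_sfo(blob)
    for key in ("TITLE", "SUB_TITLE", "DETAIL"):           # assumed display keys
        if key in params:
            check_display_text(key, params[key])
    return params


def is_accepted(blob):
    try:
        load_save_params(blob)
        return True
    except ValueError:                                     # UnicodeDecodeError is a ValueError
        return False


def sample_entries(sub_title):
    # Constructed sample save-game metadata (not from a real title).
    return [
        ("TITLE", FMT_UTF8, b"Example Save\x00", 128),
        ("SUB_TITLE", FMT_UTF8, sub_title, 128),
        ("DETAIL", FMT_UTF8, b"Constructed sample\x00", 1024),
        ("SAVEDATA_DIRECTORY", FMT_UTF8, b"BLES00000-SAMPLE\x00", 64),
        ("PARENTAL_LEVEL", FMT_INT32, struct.pack("<I", 0), 4),
    ]


GOOD_SFO = build_sfo(sample_entries(b"Chapter 3\x00"))
BAD_CONTROL_SFO = build_sfo(sample_entries(b"Chapter 3\x1b[2J\x00"))   # escape sequence smuggled in
BAD_LENGTH_SFO = build_sfo(sample_entries(b"A" * 200 + b"\x00"))      # data_len exceeds data_max_len
```

Note that `parse_sfo` alone still returns the escape-sequence string from `BAD_CONTROL_SFO` (the container is well formed); it is the whole-string check in `load_save_params` that rejects it, while the over-long entry is rejected by the length check before its bytes are ever decoded.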

Benjamin Kunz Mejri, CEO of Vulnerability Lab and the researcher who identified the issue, told us that he had difficulty communicating with Sony. The flaw was addressed only after several notifications had been sent, including one from the PS3 community in Germany.

“No response arrived from Sony Entertainment in over 5 months after the notification. The bug has already been confirmed by other researchers on Full Disclosure, where the issue was publicly released 2 days ago. The issue has been silently addressed by Sony with the last firmware releases after the version 4.31,” Kunz Mejri said in an email.

“So far, there was not much trouble in the public after the release because the advisory was a bit hidden in the Full Disclosure mailing-list. The scip.ch research team discovered a German bulletin and it seems like this is a historical release of information, how an exploit could trigger the PlayStation3 device into executing code from a USB drive,” the expert added.

Additional technical details for the firmware vulnerability are available in Vulnerability Lab’s advisory. The binary exploit has not been published, to prevent criminal misuse; Vulnerability Lab also fears it could be sued by Sony, as George Hotz (Geohot) was, if it released the exploit.

Vulnerability Lab has also uncovered another interesting issue, on the Sony Entertainment Network website (sonyentertainmentnetwork.com): a critical vulnerability in the password recovery function that could let remote attackers reset the password of any PlayStation Network user.

According to the advisory from Vulnerability Lab, “the critical application vulnerability is located in the recovery (forgot password) account function of the PSN account service application. In the recovery function is an auth request bound to the account session using the allowed password forgot (method 3) form via JSON & jQuery with the value of the intercape.

The request itself is not sanitized when resetting via method 3 only 1 value (Forgot Your Password) by processing to load it two times (store.playstation.com/ accounts/manage/ beginPasswordResetFlow.action) and live changing the manipulated request at the end when process to hold the request.

The value only checks if exist and if empty but not validate the context again (2nd time). The attacker can bypass the token protection via live session tamper to reset any PSN account by exchanging the values local to his own.

Exploitation requires `processing to request` via for example the JSON form and jQuery request. It is also required to know the birth date of the account because of the protection mechanism at the end.”
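The advisory describes a two-step reset flow in which the second request only checks that a token value exists and is non-empty, so an attacker who starts a reset for his own account can swap in the victim's account identifier (and birth date) before the request is completed. The following is an added, schematic example (not Sony's code and not a reproduction of the PSN endpoints) that places that weak check beside the hardened one: the server binds the token to the account it was issued for, makes it single-use and time-limited, and refuses to reset any account other than the bound one. Account data, e-mail addresses and the `begin`/`complete` method names are constructed for the illustration.

```python
import hashlib
import secrets
import time

# Constructed sample accounts (illustrative only; not real PSN data).
ACCOUNTS = {
    "victim@example.com":   {"password": "victim-old-pw",   "dob": "1990-01-01"},
    "attacker@example.com": {"password": "attacker-old-pw", "dob": "1985-05-05"},
}


class WeakResetService:
    """Schematic of the flaw described in the advisory: a reset token is issued in
    step 1, but step 2 only checks that *some* non-empty token is present and then
    trusts the account identifier carried in the attacker-controlled request."""

    def __init__(self, accounts):
        self.accounts = {k: dict(v) for k, v in accounts.items()}

    def begin(self, email):
        # Step 1 ("begin password reset flow"): hand out a random token.
        return secrets.token_urlsafe(32)

    def complete(self, request):
        # Step 2: token checked for presence only, never for which account it belongs to.
        if not request.get("token"):
            return False
        acct = self.accounts.get(request.get("email"))
        if acct is None or acct["dob"] != request.get("dob"):
            return False                      # birth date is the only per-account check
        acct["password"] = request["new_password"]
        return True


class HardenedResetService:
    """Token is bound server-side to the account it was issued for, expires, and is single-use."""

    TTL_SECONDS = 900

    def __init__(self, accounts, now=time.time):
        self.accounts = {k: dict(v) for k, v in accounts.items()}
        self.pending = {}                     # sha256(token) -> (email, expiry)
        self.now = now

    def begin(self, email):
        token = secrets.token_urlsafe(32)
        if email in self.accounts:            # unknown addresses get a token that is never stored
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, self.now() + self.TTL_SECONDS)
        return token

    def complete(self, request):
        digest = hashlib.sha256(request.get("token", "").encode()).hexdigest()
        entry = self.pending.pop(digest, None)   # single use: consumed even if later checks fail
        if entry is None:
            return False
        bound_email, expiry = entry
        if self.now() > expiry:
            return False
        if request.get("email") != bound_email:  # the re-validation the weak flow is missing
            return False
        acct = self.accounts[bound_email]
        if acct["dob"] != request.get("dob"):
            return False
        acct["password"] = request["new_password"]
        return True


def run_attack(service_cls):
    """Attacker starts a reset for his own account, then completes it against the victim's."""
    svc = service_cls(ACCOUNTS)
    token = svc.begin("attacker@example.com")
    tampered = {"token": token, "email": "victim@example.com",
                "dob": "1990-01-01", "new_password": "pwned"}   # victim's birth date is assumed known
    ok = svc.complete(tampered)
    return ok, svc.accounts["victim@example.com"]["password"]


def run_legit(service_cls):
    """Legitimate reset succeeds once; replaying the same token must fail."""
    svc = service_cls(ACCOUNTS)
    token = svc.begin("victim@example.com")
    req = {"token": token, "email": "victim@example.com",
           "dob": "1990-01-01", "new_password": "new-secret"}
    first = svc.complete(req)
    second = svc.complete(req)
    return first, second, svc.accounts["victim@example.com"]["password"]
```

Against `WeakResetService`, `run_attack` resets the victim's password; against `HardenedResetService` the tampered request is refused because the token was issued for a different account, and the token is consumed regardless, so a second attempt with it fails too.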

“As of today, there is no additional information available regarding the password reset issue in the PS3 network. Sony is well known for not responding to important threats for security and image reason, but it cares about security to address new issues or bugs,” Kunz Mejri noted.

Regarding the PlayStation 3 firmware issue, Chris Boyd, a senior security researcher at ThreatTrack Security, told The Register that persistent phishing and session hijacking attacks of this kind are certainly dangerous.

However, Boyd points out that an attacker either needs local access to the console or must convince the victim to download a maliciously crafted game save and copy it onto a USB stick.

“As game saves typically need to be re-signed to work with another PSN account, we're now talking about the attacker re-signing malicious saves, storing them on a free file host which may prompt caution on the part of the victim (re-signing can be a complicated process, so more often than not they're posted to dedicated gaming / modding sites, which can smell a rogue a mile away) and hoping the gamer follows the instructions to effectively nuke their own machine from orbit,” Boyd said.

“As the most popular form of attack on the majority of gaming accounts we see is phishing, one might ask why doing all of the above to phish somebody (for example) is worth it when simply sending an in-game phish link would be simpler,” he added.
