QJ.net Game Discussion - PSP, Xbox, Wii, PS3, PSP Homebrew, and PSP Guides

Serious discussion about libungif exploit

Old 12-08-2005, 05:19 AM   #1
 
Join Date: Sep 2005
Posts: 24
Trader Feedback: 0
Default Discussion about libungif exploit

There was a vulnerability found in libungif in versions below 4.1.4 and it was fixed on (2005-10-19 08:54), which should be after the 2.01 firmware update was released.

More info about the exploit:
http://www.frsirt.com/english/advisories/2005/2295
Patch for the exploit:
https://bugzilla.redhat.com/bugzilla....cgi?id=120493

Proof-of-concept .gifs can be downloaded below. My 2.0 PSP crashes with the bad1 and bad2 files; it would be nice to hear how 2.01, 2.5 and 2.6 react to those. Bad2 is most likely the best for code execution due to the OOB write.

http://scary.beasts.org/misc/bad1.gif
http://scary.beasts.org/misc/bad2.gif
http://scary.beasts.org/misc/bad3.gif

My experience with this kind of exploit is very limited, so help would be appreciated. The hard part is to craft the right kind of .gif file, and then we can probably use the same wallpaper as used with the .tiff overflow exploit to run our own code.

Last edited by tenttu; 12-08-2005 at 10:52 AM..
tenttu is offline  
Old 12-08-2005, 05:22 AM   #2
 
Join Date: Apr 2006
Location: Grand Line
Posts: 5,996
Trader Feedback: 0
Default

if it doesn't do anything to 2.0 then it will only do less to 2.01+
KINGOFNOOBS is offline  
Old 12-08-2005, 05:31 AM   #3
 
Join Date: Sep 2005
Posts: 24
Trader Feedback: 0
Default

As I said, bad1 and bad2 crash my 2.0 PSP.

Edit: If it's not clear to everyone, to test those .gif files just put one of them into the PSP/PHOTO folder, open the PSP's Photo feature and see if it crashes or not.

Last edited by tenttu; 12-08-2005 at 05:34 AM..
tenttu is offline  
Old 12-08-2005, 05:32 AM   #4
 
Join Date: Dec 2005
Posts: 21
Trader Feedback: 0
Default

2.5 crashes with bad1

EDIT: and bad2 crashes 2.5 as well, bad3 only gives an error message... no crash.

Last edited by WishboneAsh; 12-08-2005 at 05:38 AM..
WishboneAsh is offline  
Old 12-08-2005, 05:36 AM   #5
 
Join Date: Apr 2006
Location: Grand Line
Posts: 5,996
Trader Feedback: 0
Default

what's the point if it crashes again? u can't make an exploit from the images that easily like the 2.0 one.. because 1st off index.dat has been changed/encrypted and secondly 2.5 has new PRX files so ya.. we had video crashes a while back and nothing has been made of it.. sadly the same will come with this... hopefully and maybe something can come out of this though
KINGOFNOOBS is offline  
Old 12-08-2005, 05:38 AM   #6
 
Join Date: Dec 2005
Posts: 21
Trader Feedback: 0
Default

Indeed these are only crashes, however they are still worth exploring...Have there been any documented cases where this exploit has led to code execution on computers?

EDIT: quote: "The second issue is due to a memory corruption error in "dgif_lib.c" and "egif_lib.c" when processing malformed GIF files, which could be exploited by attackers to cause an application linked with libungif to crash or execute arbitrary code when a malicious GIF file is opened."
There is some potential in this but don't get your hopes up

Last edited by WishboneAsh; 12-08-2005 at 05:41 AM..
WishboneAsh is offline  
Old 12-08-2005, 05:48 AM   #7
 
Join Date: Sep 2005
Posts: 24
Trader Feedback: 0
Default

Quote:
what's the point if it crashes again? u can't make an exploit from the images that easily like the 2.0 one.. because 1st off index.dat has been changed/encrypted and secondly 2.5 has new PRX files so ya.. we had video crashes a while back and nothing has been made of it.. sadly the same will come with this... hopefully and maybe something can come out of this though
The crash is just a way to tell if Sony has patched the issue in this case. Most of those crash videos just edit some random bytes in files, which makes the PSP crash. In this one we have the source code of the exploit and the place where it happens.

It's most likely that the issue exists in the 2.01 and 2.5 firmwares, as the fixed version was released 6 days after the 2.5 firmware release. Although in that case Bad2.gif should crash a 2.5 PSP.

EDIT: And even if the index.dat file has been changed, no one can really tell how easy it would be to downgrade a 2.5 or 2.6 PSP. At least running homebrew would be rather easy with the EBOOT loader as long as some code can be executed.

Quote:
"The second issue is due to a memory corruption error in "dgif_lib.c" and "egif_lib.c" when processing malformed GIF files, which could be exploited by attackers to cause an application linked with libungif to crash or execute arbitrary code when a malicious GIF file is opened."
That's exactly why I decided to post this thread.

Last edited by tenttu; 12-08-2005 at 05:54 AM..
tenttu is offline  
Old 12-08-2005, 05:50 AM   #8

QJ Gamer Gold
 
Fanjita's Avatar
 
Join Date: Sep 2005
Location: Edinburgh, UK
Posts: 2,388
Trader Feedback: 0
Default

Exploiting this one isn't straightforward.

It's being looked at, but due to the nature of the vulnerability (heap vs stack overflow, for a start), it's far from simple.

I'm hoping something will come of this, but don't hold your breath.

Incidentally, it looks like if it can be made to work, it would be good for at least 2.01 and 2.5. 2.6 seems to have fixed it, from what I remember.
Fanjita is offline  
Old 12-08-2005, 05:59 AM   #9
 
Join Date: Apr 2006
Location: Grand Line
Posts: 5,996
Trader Feedback: 0
Default

Quote:
Originally Posted by tenttu
The crash is just a way to tell if Sony has patched the issue in this case. Most of those crash videos just edit some random bytes in files, which makes the PSP crash. In this one we have the source code of the exploit and the place where it happens.

It's most likely that the issue exists in the 2.01 and 2.5 firmwares, as the fixed version was released 6 days after the 2.5 firmware release. Although in that case Bad2.gif should crash a 2.5 PSP.

EDIT: And even if the index.dat file has been changed, no one can really tell how easy it would be to downgrade a 2.5 or 2.6 PSP. At least running homebrew would be rather easy with the EBOOT loader as long as some code can be executed.

That's exactly why I decided to post this thread.
but u see.. there's lots of ways to crash your psp on 2.5 and 2.6... u can use an invalid *edited but still encrypted* gamesave, go to a website with thousands of frames in buffer, video with buffer, invalid music format in save game, etc and yet none of them have made a 2.5 exploit.. and on 2.6 there's a chance that the standalone User Mode has been removed and now there's a "special" kind of user mode only for Games *UMD*
KINGOFNOOBS is offline  
Old 12-08-2005, 06:17 AM   #10
QJ Gamer Silver
 
Join Date: Sep 2005
Location: meh
Posts: 2,799
Trader Feedback: 0
Default

this one will be worth checking out since it's a known exploit...not something like lame hex edited files...
tho I know nothing about this kinda stuff, I'm sure there will be a way to run some code somewhere...
cyanide is offline  
Old 12-08-2005, 06:17 AM   #11
 
Join Date: Dec 2005
Posts: 21
Trader Feedback: 0
Default

Quote:
Originally Posted by Fanjita
2.5. 2.6 seems to have fixed it, from what I remember.
Where did you discover that? It crashes my 2.5.

I'm aware a crash doesn't mean an exploit but if Sony had fixed it I would imagine I would get an error instead of a crash, much like what I get trying to view the third image listed above.

EDIT: Excuse me, I misread what you had written, I thought you said it wouldn't be useful for 2.5 AND 2.6.

Even if this may not be useful for 2.6, there are still more than a few 2.5 and 2.01 users out there waiting for homebrew

Last edited by WishboneAsh; 12-08-2005 at 06:20 AM..
WishboneAsh is offline  
Old 12-08-2005, 06:54 AM   #12
 
Join Date: Sep 2005
Posts: 24
Trader Feedback: 0
Default

It's definitely good news for all 2.5 owners that it does indeed crash it. Would be nice to get some results from 2.6 owner.

I just compiled the sample Windows app that comes with libungif and those .gifs crash it also. The bad3.gif doesn't though, so it seems it's not a proper one, no need to test it anymore.

Fanjita: Are you sure this has been discussed before? At least I couldn't find any forum topics or pages with Google about this.
tenttu is offline  
Old 12-08-2005, 07:13 AM   #13
 
Join Date: Apr 2006
Location: Grand Line
Posts: 5,996
Trader Feedback: 0
Default

why don't u update to 2.6 if you're so confident and determined to get this to work?
KINGOFNOOBS is offline  
Old 12-08-2005, 07:22 AM   #14

Developer
 
PSP250's Avatar
 
Join Date: Nov 2005
Location: PSPPlanet
Posts: 62
Trader Feedback: 0
Default

People have already been looking into it for some time.

Creating crafted GIF files in order to trigger the vulnerability has been done as well.

This thing is a "write x bytes to a memory location write overflow" originating in the heap. However, as stated before, this is not a very straightforward one and creating an exploit out of it is a very very ugly task.

I can assure that this occurs on 2.0-2.5 FW PSPs and that the vulnerability is fixed on 2.6 FW (verified).

Don't get too excited out of this and give it some time.

Last edited by PSP250; 12-08-2005 at 07:38 AM..
PSP250 is offline  
Old 12-08-2005, 07:24 AM   #15
 
Join Date: Dec 2005
Posts: 21
Trader Feedback: 0
Default

What's with the attitude? He's not claiming instant success here he is just exploring the possibility of these crashes being exploitable.


I think a good way of testing this out is to see if it's possible to get code running through this exploit on Windows first; if that can be done then it can be considered a very likely proof-of-concept for the PSP as well.

EDIT: Ah, message above was instaposted

Even though this won't work on 2.6 it's still worth checking up IMO. Since people have already been working on it, has there been any success at exploiting this on the PSP?

Last edited by WishboneAsh; 12-08-2005 at 07:27 AM..
WishboneAsh is offline  
Old 12-08-2005, 07:28 AM   #16
 
Join Date: Sep 2005
Posts: 24
Trader Feedback: 0
Default

Quote:
why don't u update to 2.6 if you're so confident and determined to get this to work?
I am not confident that this will ever lead to an exploit that is capable of running homebrew applications on PSP and I have never said so. Although everyone must admit that there is a chance of that.

There is also a chance that when 2.6 will run homebrew apps, downgrading will take long to achieve or won't ever happen.
tenttu is offline  
Old 12-08-2005, 10:03 AM   #17

QJ Gamer Gold
 
Fanjita's Avatar
 
Join Date: Sep 2005
Location: Edinburgh, UK
Posts: 2,388
Trader Feedback: 0
Default

Quote:
Originally Posted by tenttu
Would be nice to get some results from 2.6 owner.

Fanjita: Are you sure this has been discussed before? At least I couldn't find any forum topics or pages with Google about this.
It's been confirmed as fixed on 2.6 (and it makes sense, since the publicly-known vulnerability was fixed in libungif between the 2.5 and 2.6 release dates).

To my knowledge it's not been discussed in any open forums. Most of the places that house sufficient knowledge to discuss this sort of thing productively don't like discussing exploits. And most decent hackers don't like to raise people's hopes before something has come of their ideas.

Rest assured that it is being explored by talented coders, and that there's a decent chance of it turning out to be useful. But it's far from pretty to work with.
Fanjita is offline  
Old 12-08-2005, 10:28 AM   #18
 
Join Date: Apr 2006
Location: Grand Line
Posts: 5,996
Trader Feedback: 0
Default

Quote:
Originally Posted by tenttu
I am not confident that this will ever lead to an exploit that is capable of running homebrew applications on PSP and I have never said so. Although everyone must admit that there is a chance of that.

There is also a chance that when 2.6 will run homebrew apps, downgrading will take long to achieve or won't ever happen.
my point exactly so don't be making threads like "Serious Discussion About Libungif Exploit" in the PSP Hacks section, this should go in the speculation section since it is speculation
KINGOFNOOBS is offline  
Old 12-08-2005, 10:55 AM   #19
 
Join Date: Dec 2005
Posts: 21
Trader Feedback: 0
Default

This is a bit beyond speculation seeing as the exploit has (apparently) been shown as capable of running code.

True it has only been done on a computer but seeing as the nature of the exploit is the same on the PSP then it is mainly a matter of someone with the right expertise implementing it.

Thus this topic is perfectly valid IMO.
WishboneAsh is offline  
Old 12-08-2005, 11:46 AM   #20
QJ Gamer Gold
 
iball®'s Avatar
 
My Mood: Aggressive
Join Date: Oct 2005
Location: Interstates
Posts: 9,652
Trader Feedback: 0
Default

Looks like someone actually did their homework on this one, bravo.
Now look out for eleventy-billion new posts of "will this downgrade/run ISOs on my 2.5?"
But like Fan said, it's going to be a son-of-a-female-dog to get it to work, if ever.
iball® is offline  
Old 12-08-2005, 12:04 PM   #21
 
nxtlidenno's Avatar
 
Join Date: May 2005
Posts: 178
Trader Feedback: 0
Default

So if this goes, does that mean just user mode access or kernel?
nxtlidenno is offline  
Old 12-08-2005, 12:06 PM   #22
 
Join Date: Sep 2005
Posts: 136
Trader Feedback: 0
Default

IF this is a workable exploit.. I hope it leads to loaders and not downgraders.. cos I'd actually quite like the ability to change my wallpaper and watch AVC's without having to patch the firmware or the constant up/downgrading carousel....yet another downgrader is.. increasingly worthless... but of course if anything is possible at all remains to be seen but at least now there's like an itzy bitzy teenie wiener shaped yellow polka dotted dild.. err bikini of hope..
oren is offline  
Old 12-08-2005, 12:43 PM   #23
QJ Gamer Gold
 
iball®'s Avatar
 
My Mood: Aggressive
Join Date: Oct 2005
Location: Interstates
Posts: 9,652
Trader Feedback: 0
Default

I agree, oren.
Since the index.dat changed, a downgrader would be pointless.
Someone just has to get Fanjita's 2.0 ebootloader running on 2.01+ firmwares.
That will happen in three phases, just like the original 2.0 exploit:
1) Exploit is found in 2.01+ firmwares
2) Code is verified as running on 2.01+ firmwares using the new exploit
3) Fanjita gets a new version of the 2.0 ebootloader running "comfortably" on 2.01+ firmwares using the new exploit

Sound familiar, gang? Basic logic. And until anyone gets at least "hello world" running in an exploit, then it's not confirmed.
iball® is offline  
Old 12-08-2005, 01:49 PM   #24
 
Gossamer's Avatar
 
Join Date: Oct 2005
Location: Wandering.....
Posts: 20
Trader Feedback: 0
Default

Quote:
Originally Posted by iball
I agree, oren.
Since the index.dat changed, a downgrader would be pointless.
Someone just has to get Fanjita's 2.0 ebootloader running on 2.01+ firmwares.
That will happen in three phases, just like the original 2.0 exploit:
1) Exploit is found in 2.01+ firmwares
2) Code is verified as running on 2.01+ firmwares using the new exploit
3) Fanjita gets a new version of the 2.0 ebootloader running "comfortably" on 2.01+ firmwares using the new exploit

Sound familiar, gang? Basic logic. And until anyone gets at least "hello world" running in an exploit, then it's not confirmed.
I agree, though Fanjita said this wouldn't be a simple process. This is a "heap" overflow method, as opposed to the "stack" overflow that was used with the .tiff exploit.

?heap vs. stack? - Google: 'smashing the stack for fun and profit'
Gossamer is offline  
Old 12-08-2005, 04:01 PM   #25
REpwned by youresam
 
Steverocks's Avatar
 
Join Date: Dec 2005
Location: Miami Beach,FL
Posts: 743
Trader Feedback: 0
Default

Why do we care about running code on a 2.01 and 2.5? They have the exact same features as 2.0, except that 2.5 has Location free tv, which can cost you upwards of $300 dollars. Just upgrade to 2.0, buy the UMD, have a web browser and Fanjita's loader and you're good to go.
Steverocks is offline  
Old 12-08-2005, 04:12 PM   #26
 
Join Date: Nov 2005
Posts: 16
Trader Feedback: 0
Default

Quote:
Originally Posted by Gossamer
This is a "heap" overflow method, as opposed to the "stack" overflow that was used with the .tiff exploit.
The position in which memory overflows is almost irrelevant, the problem is the isolation of the overflow (i.e. what memory is being overridden and can/will the memory that is overridden be executed).

The only method I'm familiar with is in 'C' and is a bit of a hack. Say I have a malloc'd structure (heap memory) that contains a function pointer; if I was simply able to override the address the pointer is pointing to (i.e. to a different function) I would be able to execute that code. Note this method works for a single executable; not sure how you insert random code outside the executable, since most software has memory boundaries and if you step outside, CRASH (can't remember if it is bus or segfault though)

Using a single executable this is really simple, and can be demonstrated with about 20 lines of C code.

I'm no expert, just a programmer, but the problem is that stack memory is easier to trace as the memory is localised, where heap is NOT.
ipod is offline  
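The single-executable case described in post #26 (a malloc'd structure whose function pointer sits behind a buffer), as an added C example that is not code from any poster or from libungif. `struct decoder`, `copy_unchecked`, `copy_checked` and `run_copy` are hypothetical names; the unchecked copy is clamped to the object's own allocation so the program stays well defined, and the pointer is only compared byte-wise, never called.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical heap object: a data buffer with a function pointer behind it. */
struct decoder {
    unsigned char line[16];   /* destination of the copy */
    int (*on_done)(void);     /* control data stored after the buffer */
};

static int finish_ok(void) { return 0; }

/* "Before": the length comes from the input and is never compared with the
 * size of `line`. The clamp to sizeof *d only keeps this demo inside its own
 * allocation; a real parser bug would have no such limit. */
static void copy_unchecked(struct decoder *d, const unsigned char *src, size_t n)
{
    if (n > sizeof *d)
        n = sizeof *d;
    memcpy((unsigned char *)d + offsetof(struct decoder, line), src, n);
}

/* "After": a length that does not fit the destination field is rejected. */
static int copy_checked(struct decoder *d, const unsigned char *src, size_t n)
{
    if (n > sizeof d->line)
        return -1;
    memcpy(d->line, src, n);
    return 0;
}

enum { INTACT = 0, CLOBBERED = 1, REJECTED = 2 };

/* Copies n bytes of constructed input into a fresh heap object and reports
 * what happened to the pointer field. Returns -1 if malloc fails. */
static int run_copy(int use_checked, size_t n)
{
    unsigned char input[sizeof(struct decoder)];
    unsigned char saved[sizeof(int (*)(void))];
    struct decoder *d = malloc(sizeof *d);
    int result = INTACT;

    if (d == NULL)
        return -1;
    memset(d, 0, sizeof *d);
    d->on_done = finish_ok;
    memcpy(saved, &d->on_done, sizeof saved);   /* remember the good pointer */
    memset(input, 0x41, sizeof input);          /* constructed sample data */
    if (n > sizeof input)
        n = sizeof input;                       /* never read past our input */

    if (use_checked) {
        if (copy_checked(d, input, n) != 0)
            result = REJECTED;
    } else {
        copy_unchecked(d, input, n);
    }
    if (memcmp(saved, &d->on_done, sizeof saved) != 0)
        result = CLOBBERED;
    free(d);
    return result;
}

int main(void)
{
    printf("unchecked, 16 bytes:     %d\n", run_copy(0, 16));
    printf("unchecked, whole object: %d\n", run_copy(0, sizeof(struct decoder)));
    printf("checked, whole object:   %d\n", run_copy(1, sizeof(struct decoder)));
    return 0;
}
```
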
Old 12-08-2005, 06:00 PM   #27
 
Eclipse9069's Avatar
 
Join Date: Jun 2005
Posts: 482
Trader Feedback: 0
Default

Quote:
Originally Posted by KINGOFNOOBS
what's the point if it crashes again? u can't make an exploit from the images that easily like the 2.0 one.. because 1st off index.dat has been changed/encrypted and secondly 2.5 has new PRX files so ya.. we had video crashes a while back and nothing has been made of it.. sadly the same will come with this... hopefully and maybe something can come out of this though
index.dat has nothing to do with this exploit.
index.dat is used to keep information about the system like system version and stuff.

Also, all three gifs make my Firmware 2.0 PSP freeze. I'm not keeping my hopes up or holding my breath for this, but we will see what the future unfolds.
Eclipse9069 is offline  
Old 12-08-2005, 06:40 PM   #28
 
Gossamer's Avatar
 
Join Date: Oct 2005
Location: Wandering.....
Posts: 20
Trader Feedback: 0
Default

Quote:
Originally Posted by Fanjita
It's been confirmed as fixed on 2.6 (and it makes sense, since the publicly-known vulnerability was fixed in libungif between the 2.5 and 2.6 release dates).

To my knowledge it's not been discussed in any open forums. Most of the places that house sufficient knowledge to discuss this sort of thing productively don't like discussing exploits. And most decent hackers don't like to raise people's hopes before something has come of their ideas.

Rest assured that it is being explored by talented coders, and that there's a decent chance of it turning out to be useful. But it's far from pretty to work with.
Does anyone know who all is working on this, besides fanjita?

SideNote: That guy butterballer over at ***** is CONVINCED that he can get this to work on 2.6..................
Gossamer is offline  
Old 12-08-2005, 07:03 PM   #29
 
Join Date: Sep 2005
Location: Tokyo
Posts: 57
Trader Feedback: 0
Default

Quote:
Originally Posted by Steverocks
Why do we care about running code on a 2.01 and 2.5? They have the exact same features as 2.0, except that 2.5 has Location free tv, which can cost you upwards of $300 dollars. Just upgrade to 2.0, buy the UMD, have a web browser and Fanjita's loader and you're good to go.
We care because there is no going back from versions above 2.0, and some people are unlucky enough to be stuck with such versions.
ufoz is offline  
Old 12-09-2005, 12:27 AM   #30
 
Join Date: Aug 2005
Posts: 53
Trader Feedback: 0
Default

King Of Noobs, would you please SHUT THE **** UP? You have no idea what you are talking about, nor how an exploit works. You don't even understand the concepts of what can be done with an exploit or how to do it. Stay out of things you do not understand.

I think that this could turn out to be a successful exploit provided that the area of memory it is being written to is able to be executed. We need to discover if there are any jumps in this space of memory before we can make an exploit out of this.
unrestricted is offline  
All times are GMT -8.


