
QJ.net Game Discussion - PSP, Xbox, Wii, PS3, PSP Homebrew, and PSP Guides


more on the libungif insecurity..

This is a discussion on more on the libungif insecurity.. within the PSP Homebrew and Hacks Discussion forums, part of the PSP Development, Hacks, and Homebrew category; This was posted on psp-hacks in reference to progress of the work being done with the libungif insecurity. Due to ...

Old 12-27-2005, 11:43 PM   #1
 
Join Date: Oct 2005
Location: Wandering.....
Posts: 20
more on the libungif insecurity..

This was posted on psp-hacks in reference to progress of the work being done with the libungif insecurity.

Quote:
Due to the nature of the vulnerability the progress is not as straightforward and fast as with a typical buffer overflow.

However, progress is made and for now it is sure that the libungif vulnerability allows writing of any number of bytes to specific offsets in memory with data that has to pass a certain mask limitation which is relative to the targeted offset.

It is currently being tested with carefully crafted GIF files injecting self-modifying code.

If it works, we have a way to run code on 2.0 - 2.5 FW using this (vsh user mode).
If that will fail, all research and tools made so far will be released to the greater public.
I hope that the testing proves successful. This would lead to a more convenient way to run code than the GTA method.

Last edited by NeilR-X; 01-02-2006 at 01:53 PM..
Gossamer is offline  
Old 12-28-2005, 12:45 AM   #2
 
Join Date: Aug 2005
Location: Edmonton, Canada
Posts: 2,938

What.
About.
2.6?
torrobinson is offline  
Old 12-28-2005, 03:24 AM   #3
 
Join Date: Dec 2005
Posts: 111

The assumption so far with the libungif exploit has been that the version Sony used up until v2.5 had this exploit in it. Between v2.5 and v2.6 being released, the libungif authors had fixed this bug, so it's my understanding that this particular exploit won't work in v2.6 (that assumption is based on Sony using the new version of libungif when they upgraded the firmware, which is a reasonably safe assumption to make).
Drusenija is offline  
Old 12-28-2005, 10:33 AM   #4
 
Join Date: Nov 2005
Location: Baltimore, MD, USA
Posts: 504

I'll believe it when I see Hello World.
fyrehart is offline  
Old 12-28-2005, 11:02 AM   #5

Join Date: Oct 2005
Location: afk
Posts: 7,212

http://psp-news.dc------------------...io1frsmall.JPG

You guys, I got Mario on 2.6!!!!!!!
Realn0whereman is offline  
Old 12-28-2005, 11:41 AM   #6
 
Join Date: May 2005
Posts: 178

That link doesn't work, I was hoping to see the pic you got.
It was funny though.
nxtlidenno is offline  
Old 12-28-2005, 11:43 AM   #7
 
Join Date: May 2005
Posts: 178

Never mind, I got the pic. Nice Photoshop job there. lol
nxtlidenno is offline  
Old 12-28-2005, 12:38 PM   #8
 
Join Date: Nov 2005
Posts: 60

At least the libungif got an update in v2.60.
DaWaN is offline  
Old 12-28-2005, 12:41 PM   #9
 
Join Date: May 2005
Posts: 178

That's what I say: if they fixed it in 2.6 then there must be something to it. Something good, I hope.
nxtlidenno is offline  
Old 12-28-2005, 04:42 PM   #10
 
Join Date: Jun 2005
Location: Ontario, Canada
Posts: 121

They are obviously onto something, only a matter of time until they or someone else nails it.
Peroxide is offline  
Old 01-02-2006, 10:30 AM   #11

Developer
 
Join Date: Nov 2005
Location: PSPPlanet
Posts: 62

Unfortunate news.

The libungif vulnerability is not usable to create a working exploit out of it.

It allows writing any number of bytes with any data you want that has to pass two limitations (mask and maximum uint size) to specific offsets between 0x08a7xxxx and 0x09FFFFFF on 2.0 - 2.5 FW PSPs. This proved not to be sufficient.

Code:
Offsetlist:

Struct Offset: 0x08a7c0e0
Suffix Offset: 0x08a7d223
Prefix Offset: 0x08a7e224

BPP:  VUL  Suffix Off Prefix Off Mask       ClearCode 
0x0c: OOB  0x08a7e225 0x08a8222c 0x00000001 0x00001000
0x0d: OOB  0x08a7f225 0x08a8622c 0x00000010 0x00002000
0x0e: OOB  0x08a81225 0x08a8e22c 0x00000002 0x00004000
0x0f: OOB  0x08a85225 0x08a9e22c 0x00000040 0x00008000
0x10: OOB  0x08a8d225 0x08abe22c 0x00000003 0x00010000
0x11: OOB  0x08a9d225 0x08afe22c 0x00000080 0x00020000
0x12: OOB  0x08abd225 0x08b7e22c 0x00000004 0x00040000
0x13: OOB  0x08afd225 0x08c7e22c 0x00000020 0x00080000
0x14: OOB  0x08b7d225 0x08e7e22c 0x0000001b 0x00100000
0x15: OOB  0x08c7d225 0x0927e22c 0x00002000 0x00200000
0x16: OOB  0x08e7d225 0x09a7e22c 0x0000001a 0x00400000
0x17: OOB  0x0927d225 0x0aa7e22c 0x00004000 0x00800000
0x18: OOB  0x09a7d225 0x0ca7e22c 0x0000001c 0x01000000
0x19: OOB  0x0aa7d225 0x10a7e22c 0x00001000 0x02000000
0x1a: OOB  0x0ca7d225 0x18a7e22c 0x0000001d 0x04000000
0x1b: OOB  0x10a7d225 0x28a7e22c 0x00008000 0x08000000
0x1c: OOB  0x18a7d225 0x48a7e22c 0x0000001e 0x10000000
...
(other values cycle through the same offsets with a different mask)
The code injection worked in theory, however it fails as the libungif vuln. writes into memory using two buffers (Suffix and Prefix in the list).

Unfortunately picking an offset (by picking a BPP value, like 0x18) for the first buffer which would overwrite code to be executed, results in the other buffer attempting to write off-memory thus resulting in an immediate crash which makes this not usable.

Please notice that you should not post any "proposals" as I can guarantee almost 90% of what can be done has been attempted by experts in the past weeks and fails due to the exotic and highly complex nature of this vulnerability.

Also notice that we have understood the inner workings of the vulnerability by 100% and created appropriate tools to allow generation of any kind of crafted GIF files to work with this vulnerability.

Some people are looking into the research at the moment however it is not likely that it will have success.

Thanks go out to all those who helped in the research, you know who you are, thanks a LOT.

The research material and tools can be freely requested by PM if you have a serious idea how to use it.

Last edited by PSP250; 01-02-2006 at 10:36 AM..
PSP250 is offline  
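Added example, not code from this thread, from PSP250's tools or from libungif itself: a minimal decoder for an already-unpacked GIF LZW code stream, written from the loader's side to show the two checks whose absence the quoted posts describe. First, the LZW minimum code size (the BPP column) must be within the 2..8 range the GIF89a format allows, which is what makes ClearCode = 1 << BPP fit a 256-colour palette; every BPP in the offset list above (0x0c and up) is already outside that range. Second, every code used as an index into the Prefix/Suffix tables must lie within the table (0..4095) and not beyond the next free slot, so a code that would otherwise land outside the tables is rejected instead of written. The names `LzwTable`, `lzw_init`, `lzw_expand` and `lzw_decode` are mine, and the sample code streams in `main` are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LZ_MAX_CODE 4095   /* GIF LZW codes are at most 12 bits wide */
#define GIF_MIN_BPP 2      /* GIF89a: LZW minimum code size is 2..8 */
#define GIF_MAX_BPP 8

/* Decoder state: the Prefix/Suffix tables named in the offset list above. */
typedef struct {
    int clear_code;                 /* 1 << bpp, as in the ClearCode column */
    int eof_code;                   /* clear_code + 1 */
    int running_code;               /* next free table slot */
    int prefix[LZ_MAX_CODE + 1];
    uint8_t suffix[LZ_MAX_CODE + 1];
} LzwTable;

/* Check 1: refuse a minimum code size outside the spec range before deriving
   ClearCode from it. BPP 0x0c..0x1c from the post's table all fail here. */
bool lzw_init(LzwTable *t, int bpp) {
    if (bpp < GIF_MIN_BPP || bpp > GIF_MAX_BPP) return false;
    memset(t, 0, sizeof *t);
    t->clear_code = 1 << bpp;
    t->eof_code = t->clear_code + 1;
    t->running_code = t->eof_code + 1;
    return true;
}

/* Expand the string for `code` into out[]; returns its length or -1.
   Check 2 (part a): only slots that have actually been filled are indexed. */
static int lzw_expand(const LzwTable *t, int code, uint8_t *out, size_t cap) {
    uint8_t stack[LZ_MAX_CODE + 1];
    int n = 0;
    while (code >= t->clear_code) {
        if (code <= t->eof_code || code >= t->running_code || n > LZ_MAX_CODE)
            return -1;               /* clear/EOF code or an unfilled slot */
        stack[n++] = t->suffix[code];
        code = t->prefix[code];
    }
    if (code < 0 || (size_t)n + 1 > cap) return -1;
    out[0] = (uint8_t)code;          /* root of the chain is a literal */
    for (int i = 0; i < n; i++) out[i + 1] = stack[n - 1 - i];
    return n + 1;
}

/* Decode an already-unpacked LZW code stream. Returns bytes written or -1. */
int lzw_decode(const int *codes, size_t ncodes, int bpp, uint8_t *out, size_t cap) {
    LzwTable t;
    if (!lzw_init(&t, bpp)) return -1;
    size_t produced = 0;
    int prev = -1;
    for (size_t i = 0; i < ncodes; i++) {
        int code = codes[i];
        if (code == t.clear_code) { t.running_code = t.eof_code + 1; prev = -1; continue; }
        if (code == t.eof_code) return (int)produced;
        /* Check 2 (part b): the bound the unpatched decoder did not enforce. */
        if (code < 0 || code > LZ_MAX_CODE) return -1;
        if (prev < 0) {              /* first code after a clear must be a literal */
            if (code >= t.clear_code || produced >= cap) return -1;
            out[produced++] = (uint8_t)code;
            prev = code;
            continue;
        }
        uint8_t first = 0;
        if (code < t.running_code) {             /* string already in the table */
            int n = lzw_expand(&t, code, out + produced, cap - produced);
            if (n < 0) return -1;
            first = out[produced];
            produced += (size_t)n;
        } else if (code == t.running_code) {     /* KwKwK: string(prev) + its first byte */
            int n = lzw_expand(&t, prev, out + produced, cap - produced);
            if (n < 0 || produced + (size_t)n >= cap) return -1;
            first = out[produced];
            produced += (size_t)n;
            out[produced++] = first;
        } else {
            return -1;  /* code past the next free slot: would index Prefix/Suffix out of bounds */
        }
        if (t.running_code <= LZ_MAX_CODE) {     /* table full: no new entries until a clear */
            t.prefix[t.running_code] = prev;
            t.suffix[t.running_code] = first;
            t.running_code++;
        }
        prev = code;
    }
    return (int)produced;                        /* stream ended without an EOF code */
}

int main(void) {
    /* Constructed sample streams for bpp = 2 (clear = 4, eof = 5, first free slot = 6). */
    static const int good[] = {4, 1, 1, 6, 2, 5};   /* decodes to the bytes 1 1 1 1 2 */
    static const int oob[]  = {4, 1, 0x1000};       /* 0x1000 is the ClearCode of BPP 0x0c above */
    uint8_t out[64];
    printf("good: %d bytes\n", lzw_decode(good, 6, 2, out, sizeof out));
    printf("oob:  %d (rejected)\n", lzw_decode(oob, 3, 2, out, sizeof out));
    return 0;
}
```

The decoder keeps the same shape as the Prefix/Suffix table walk the post is talking about; the difference is that a code is compared against the next free slot before it ever touches the tables, so a crafted stream gets a decode error rather than a write to an attacker-chosen offset.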
Old 01-02-2006, 11:02 AM   #12

Join Date: Sep 2005
Location: Edinburgh, UK
Posts: 2,388

It's a big shame, I was hoping something could still be done with this, but it looks impossible.

I know how hard you've worked on this, without any public recognition - it's a pity that all that work didn't pay off in the end.

This was a perfect example of the right way to go about exploiting a vulnerability, too - hard work, thought, analysis and understanding, with the bulk of the experimentation at the end, rather than the beginning.

Ah well, happier hunting next time!
Fanjita is offline  
Old 01-02-2006, 11:18 AM   #13
 
Join Date: Dec 2005
Posts: 144

Quote:
Originally Posted by torrobinson
What.
About.
2.6?
Why do you always say that?
dougal22 is offline  
Old 01-02-2006, 02:03 PM   #14
 
Join Date: Dec 2005
Posts: 61

Quote:
Originally Posted by dougal22
Why do you always say that ?
Because he is ****ed 'cause he upgraded to 2.6...
M0rph3v5 is offline  
Old 01-02-2006, 03:07 PM   #15
 
Join Date: May 2005
Posts: 178

Sorry to hear this, PSP250. However, you folks worked hard at this, and quietly as well. I hope you all continue your work with potential exploits like the ones noted; I am sure you will be successful in the future. Keep up the good work!!!
nxtlidenno is offline  
Old 01-02-2006, 03:18 PM   #16
 
Join Date: May 2005
Location: Boston Area
Posts: 221

Yeah, good work man. Don't worry, an exploit will be found soon enough, I can assure you that! Don't forget we still have that GTA savegame hack that still needs a little bit of developing. Don't let this get you down. It seems we have a lot of intelligent people on this site that know what they're doing!
cgroux202 is offline  
Old 11-07-2006, 11:04 AM   #17
 
Join Date: Nov 2006
Posts: 1

Is it possible to get the research materials from someone that worked on this vulnerability? I tried PMing PSP250, but no answer.
sheep22 is offline  
Old 11-07-2006, 11:08 AM   #18
Join Date: Jul 2006
Location: wouldn't you like to know
Posts: 695

zomg uber old thread
~Ellen~ is offline  
Old 11-07-2006, 11:31 AM   #19
 
Join Date: Feb 2006
Posts: 441

Necropost - this thread is nearly a year old, lol.
wseyller is offline  
Old 11-07-2006, 11:32 AM   #20
 
Join Date: May 2006
Location: Detroit, MI! Bia Bia!!
Posts: 1,391

Quote:
Originally Posted by ~Ellen~
zomg uber old thread
lol
CA$HMON3Y is offline  
Tags
insecurity , libungif

Copyright © 2009, QJ.NET. All Rights Reserved.