Feeds

Saved-game bug dumped PlayStation 3 fans in hijackers' sights

What's on that USB stick? Don't shove that in there!

The Power of One eBook: Top reasons to choose HP BladeSystem

A potentially nasty security hole has apparently been found in the PlayStation 3 that allows miscreants to execute commands on a player's console if they preview a booby-trapped saved game.

The flaw affects firmware version 4.31 in Sony's gaming rig, according to the Vulnerability Laboratory Research Team which claims to have unearthed the coding error.

The bug - ranked 6.5 out of 10 in the Common Vulnerability Scoring System (PDF) - can be triggered from a saved game on a USB stick, for example, and exploited to compromise the device. Specifically, the firmware fails to securely validate input data when listing previews of saved games. Successful attacks, which are non-trivial to pull off, open the way to PlayStation Network (PSN) session hijacking or worse, we're told.

Vulnerability Laboratory researcher Benjamin Kunz Mejri produced proof-of-concept exploit code to underline his concerns about the apparent security flaw. Even so it took three attempts and several months to get Sony to respond to his findings.

Chris Boyd (AKA PaperGhost), a senior threat researcher at ThreatTrack Security and an expert in gaming security, said the vulnerability was potentially dangerous in practice in-game phishing poses a greater risk.

"While the listed attacks - persistent phishing and PSN session hijacks, to name but two - are certainly serious, this exploit requires the attacker to have local access to the PS3, or perhaps convince a PS3 user to download and store a game save onto a USB stick," Boyd told El Reg.

"As game saves typically need to be resigned to work with another PSN account, we're now talking about the attacker resigning malicious saves, storing them on a free file host which may prompt caution on the part of the victim (resigning can be a complicated process, so more often than not they're posted to dedicated gaming or modding sites, which can smell a rogue a mile away) and hoping the gamer follows the instructions to effectively nuke their own machine from orbit.

"As the most popular form of attack on the majority of gaming accounts we see is phishing, one might ask why doing all of the above to phish somebody (for example) is worth it when simply sending an in-game phish link would be simpler,” said Boyd.

“However, it's a good reminder to be cautious if downloading save games from the internet and it remains to be seen how creatively this vulnerability could be used."

Describing the problem in some more detail, the Vulnerability Laboratory wrote in its original advisory:

The attacker synchronizes his computer (to change the USB context) with USB (Save Game) and connects to the network (USB, computer, PS3), updates the save game via computer and can execute the context directly out of the PS3 savegame preview listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file, and a USB device. The attacker can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.

The PS3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special characters and does not provide any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands or inject malicious persistent script code.

Successful exploitation of the vulnerability can result in persistent but local system command executions, PSN session hijacking, persistent phishing attacks, external redirect out of the vulnerable module, stable persistent save game preview listing context manipulation.

The bug has apparently been fixed in firmware version 4.41, which should be downloaded and installed on PS3s. The fix was released at the end of last month - six months after Vulnerability Labs said it reported the issue to Sony. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.