Saved-game bug dumped PlayStation 3 fans in hijackers' sights

A potentially nasty security hole has apparently been found in the PlayStation 3 that allows miscreants to execute commands on a player's console if they preview a booby-trapped saved game.

The flaw affects firmware version 4.31 in Sony's gaming rig, according to the Vulnerability Laboratory Research Team which claims to have unearthed the coding error.

The bug - ranked 6.5 out of 10 in the Common Vulnerability Scoring System (PDF) - can be triggered from a saved game on a USB stick, for example, and exploited to compromise the device. Specifically, the firmware fails to securely validate input data when listing previews of saved games. Successful attacks, which are non-trivial to pull off, open the way to PlayStation Network (PSN) session hijacking or worse, we're told.

Vulnerability Laboratory researcher Benjamin Kunz Mejri produced proof-of-concept exploit code to underline his concerns about the apparent security flaw. Even so, it took three attempts and several months to get Sony to respond to his findings.

Chris Boyd (AKA PaperGhost), a senior threat researcher at ThreatTrack Security and an expert in gaming security, said that while the vulnerability was potentially dangerous, in practice in-game phishing poses a greater risk.

"While the listed attacks - persistent phishing and PSN session hijacks, to name but two - are certainly serious, this exploit requires the attacker to have local access to the PS3, or perhaps convince a PS3 user to download and store a game save onto a USB stick," Boyd told El Reg.

"As game saves typically need to be resigned to work with another PSN account, we're now talking about the attacker resigning malicious saves, storing them on a free file host which may prompt caution on the part of the victim (resigning can be a complicated process, so more often than not they're posted to dedicated gaming or modding sites, which can smell a rogue a mile away) and hoping the gamer follows the instructions to effectively nuke their own machine from orbit.

"As the most popular form of attack on the majority of gaming accounts we see is phishing, one might ask why doing all of the above to phish somebody (for example) is worth it when simply sending an in-game phish link would be simpler," said Boyd.

"However, it's a good reminder to be cautious if downloading save games from the internet and it remains to be seen how creatively this vulnerability could be used."

Describing the problem in some more detail, the Vulnerability Laboratory wrote in its original advisory:

The attacker synchronizes his computer (to change the USB context) with USB (Save Game) and connects to the network (USB, computer, PS3), updates the save game via computer and can execute the context directly out of the PS3 savegame preview listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file, and a USB device. The attacker can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.

The PS3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special characters and does not provide any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands or inject malicious persistent script code.

Successful exploitation of the vulnerability can result in persistent but local system command executions, PSN session hijacking, persistent phishing attacks, external redirect out of the vulnerable module, and stable persistent save game preview listing context manipulation.
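The advisory above comes down to the preview listing trusting the metadata strings in a save's .sfo file exactly as they come off the USB stick. What follows is an added example, not code from Vulnerability Laboratory, Sony or The Register: a strict reader for a PARAM.SFO file that refuses entries whose declared length exceeds their slot, whose strings are not NUL-terminated UTF-8, or which carry control characters, which are the input restrictions the advisory says the module lacked. The field layout (the `\0PSF` magic, 16-byte index entries, separate key and data tables) follows the publicly documented PSP/PS3 PARAM.SFO format as I know it and is an assumption, as are the key names and the three sample saves, which are constructed inline for the demonstration.

```python
"""Strict PARAM.SFO reader (added example; layout and samples are assumptions)."""
import struct

SFO_MAGIC = b"\x00PSF"
SFO_VERSION = 0x00000101
FMT_BINARY = 0x0004   # opaque bytes (e.g. the PARAMS blob)
FMT_UTF8 = 0x0204     # NUL-terminated UTF-8 string
FMT_UINT32 = 0x0404   # 32-bit unsigned integer
HEADER_LEN = 20       # magic + version + key_table_start + data_table_start + count
INDEX_ENTRY_LEN = 16  # key_off:u16 fmt:u16 data_len:u32 data_max_len:u32 data_off:u32


class SfoError(ValueError):
    """Raised for any structural or content violation; the caller should not render the save."""


def parse_sfo(blob: bytes) -> dict:
    """Parse a PARAM.SFO, enforcing bounds and content rules on every entry."""
    if len(blob) < HEADER_LEN or blob[:4] != SFO_MAGIC:
        raise SfoError("bad magic or truncated header")
    version, key_start, data_start, count = struct.unpack_from("<IIII", blob, 4)
    if version != SFO_VERSION:
        raise SfoError(f"unsupported version 0x{version:08x}")
    # The index table must fit before the key table, which must precede the data table.
    if not (HEADER_LEN + INDEX_ENTRY_LEN * count <= key_start <= data_start <= len(blob)):
        raise SfoError("table offsets out of range")

    result = {}
    for i in range(count):
        key_off, fmt, data_len, max_len, data_off = struct.unpack_from(
            "<HHIII", blob, HEADER_LEN + INDEX_ENTRY_LEN * i)
        # Key: NUL-terminated ASCII that must stay inside the key table.
        key_abs = key_start + key_off
        end = blob.find(b"\x00", key_abs, data_start) if key_abs < data_start else -1
        if end < 0:
            raise SfoError(f"entry {i}: key outside key table or unterminated")
        try:
            key = blob[key_abs:end].decode("ascii")
        except UnicodeDecodeError:
            raise SfoError(f"entry {i}: non-ASCII key") from None
        # Bounds: the declared length must fit the slot, and the slot must fit the file.
        if data_len > max_len:
            raise SfoError(f"{key}: declared length {data_len} exceeds slot {max_len}")
        slot_abs = data_start + data_off
        if slot_abs + max_len > len(blob):
            raise SfoError(f"{key}: data slot runs past end of file")
        raw = blob[slot_abs:slot_abs + data_len]

        if fmt == FMT_UINT32:
            if data_len != 4:
                raise SfoError(f"{key}: uint32 with length {data_len}")
            result[key] = struct.unpack("<I", raw)[0]
        elif fmt == FMT_UTF8:
            if not raw.endswith(b"\x00"):
                raise SfoError(f"{key}: string not NUL-terminated")
            try:
                text = raw[:-1].decode("utf-8")
            except UnicodeDecodeError:
                raise SfoError(f"{key}: invalid UTF-8") from None
            # Display strings may not smuggle control or non-printable characters.
            if any(not ch.isprintable() for ch in text):
                raise SfoError(f"{key}: control or non-printable character in string")
            result[key] = text
        elif fmt == FMT_BINARY:
            result[key] = raw
        else:
            raise SfoError(f"{key}: unknown data format 0x{fmt:04x}")
    return result


def build_sfo(entries) -> bytes:
    """Construct a PARAM.SFO from (key, fmt, value_bytes, max_len); test input only.
    The slot is exactly max_len bytes, but the index records the *declared* length,
    so an over-long value yields the length mismatch the reader must catch."""
    key_table = data_table = index = b""
    for key, fmt, value, max_len in entries:
        index += struct.pack("<HHIII", len(key_table), fmt, len(value), max_len, len(data_table))
        key_table += key.encode("ascii") + b"\x00"
        data_table += value[:max_len].ljust(max_len, b"\x00")
    key_start = HEADER_LEN + len(index)
    key_table += b"\x00" * ((-len(key_table)) % 4)  # 4-byte align the data table
    data_start = key_start + len(key_table)
    header = SFO_MAGIC + struct.pack("<IIII", SFO_VERSION, key_start, data_start, len(entries))
    return header + index + key_table + data_table


def sample_saves():
    """Constructed inputs: one well-formed save, one with an escape byte, one over-long."""
    good = build_sfo([
        ("SAVEDATA_DIRECTORY", FMT_UTF8, b"EXAMPLE00001-SAVE\x00", 64),
        ("TITLE", FMT_UTF8, b"Example Game - Chapter 3\x00", 128),
        ("PARENTAL_LEVEL", FMT_UINT32, struct.pack("<I", 1), 4),
    ])
    control_char = build_sfo([("TITLE", FMT_UTF8, b"Example\x1bTitle\x00", 128)])
    oversize = build_sfo([("TITLE", FMT_UTF8, b"A" * 200 + b"\x00", 128)])
    return good, control_char, oversize


def check(blob: bytes):
    """Return (accepted, metadata-or-reason) for a preview listing to act on."""
    try:
        return True, parse_sfo(blob)
    except SfoError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name, blob in zip(("good", "control_char", "oversize"), sample_saves()):
        print(name, check(blob))
```

The point of the reader is that every decision is made from the index entry's own bounds before a byte of the slot is touched, and that a display string is accepted only after it has been proven to be terminated, valid UTF-8 and printable; anything else is rejected as a whole rather than partially rendered in the listing.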

The bug has apparently been fixed in firmware version 4.41, which should be downloaded and installed on PS3s. The fix was released at the end of last month - six months after Vulnerability Labs said it reported the issue to Sony. ®
