Saved-game bug dumped PlayStation 3 fans in hijackers' sights

A potentially nasty security hole has apparently been found in the PlayStation 3 that allows miscreants to execute commands on a player's console if they preview a booby-trapped saved game.

The flaw affects firmware version 4.31 in Sony's gaming rig, according to the Vulnerability Laboratory Research Team which claims to have unearthed the coding error.

The bug - ranked 6.5 out of 10 in the Common Vulnerability Scoring System - can be triggered from a saved game on a USB stick, for example, and exploited to compromise the device. Specifically, the firmware fails to securely validate input data when listing previews of saved games. Successful attacks, which are non-trivial to pull off, open the way to PlayStation Network (PSN) session hijacking or worse, we're told.

Vulnerability Laboratory researcher Benjamin Kunz Mejri produced proof-of-concept exploit code to underline his concerns about the apparent security flaw. Even so it took three attempts and several months to get Sony to respond to his findings.

Chris Boyd (AKA PaperGhost), a senior threat researcher at ThreatTrack Security and an expert in gaming security, said that while the vulnerability was potentially dangerous, in practice in-game phishing poses a greater risk.

"While the listed attacks - persistent phishing and PSN session hijacks, to name but two - are certainly serious, this exploit requires the attacker to have local access to the PS3, or perhaps convince a PS3 user to download and store a game save onto a USB stick," Boyd told El Reg.

"As game saves typically need to be resigned to work with another PSN account, we're now talking about the attacker resigning malicious saves, storing them on a free file host which may prompt caution on the part of the victim (resigning can be a complicated process, so more often than not they're posted to dedicated gaming or modding sites, which can smell a rogue a mile away) and hoping the gamer follows the instructions to effectively nuke their own machine from orbit.

"As the most popular form of attack on the majority of gaming accounts we see is phishing, one might ask why doing all of the above to phish somebody (for example) is worth it when simply sending an in-game phish link would be simpler," said Boyd.

"However, it's a good reminder to be cautious if downloading save games from the internet and it remains to be seen how creatively this vulnerability could be used."

Describing the problem in some more detail, the Vulnerability Laboratory wrote in its original advisory:

The attacker synchronizes his computer (to change the USB context) with USB (Save Game) and connects to the network (USB, computer, PS3), updates the save game via computer and can execute the context directly out of the PS3 savegame preview listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file, and a USB device. The attacker can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.

The PS3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special characters and does not provide any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands or inject malicious persistent script code.

Successful exploitation of the vulnerability can result in persistent but local system command executions, PSN session hijacking, persistent phishing attacks, external redirects out of the vulnerable module, and stable persistent manipulation of the save game preview listing context.
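The advisory's point is that the string attributes in the save's .sfo file carry a declared maximum byte size and are rendered in the preview list without any filtering of special characters. The following is an added example, not code from the advisory, from Sony or from Vulnerability Laboratory: a small Python checker that parses a PARAM.SFO index and flags string attributes that overrun their declared maximum length, lack their terminator, or contain control characters, the kind of validation a preview renderer or a save-file scanner should apply before displaying the value. The header and index layout it assumes is the publicly documented PARAM.SFO structure (not described on this page), and the sample file is constructed inline.

```python
import struct

# Assumed PARAM.SFO layout (public documentation, not taken from the advisory):
# header (20 bytes, little-endian): magic b"\0PSF", version u32,
#   key_table_start u32, data_table_start u32, tables_entries u32
# index entry (16 bytes): key_offset u16, data_fmt u16, data_len u32,
#   data_max_len u32, data_offset u32
FMT_UTF8 = 0x0204          # NUL-terminated UTF-8 string
FMT_UTF8_SPECIAL = 0x0004  # UTF-8 string without NUL terminator
FMT_INT32 = 0x0404         # 32-bit unsigned integer

def build_sfo(entries):
    """Constructed sample builder: entries = [(key, fmt, value_bytes, max_len)]."""
    keys = b"".join(k.encode() + b"\0" for k, _, _, _ in entries)
    index, data, koff = b"", b"", 0
    for key, fmt, value, max_len in entries:
        index += struct.pack("<HHIII", koff, fmt, len(value), max_len, len(data))
        koff += len(key) + 1
        data += value.ljust(max_len, b"\0")   # each value occupies at least max_len
    key_start = 20 + len(index)
    data_start = (key_start + len(keys) + 3) & ~3   # data table is 4-byte aligned
    header = struct.pack("<4sIIII", b"\0PSF", 0x101, key_start, data_start, len(entries))
    return header + index + keys.ljust(data_start - key_start, b"\0") + data

def check_sfo(blob):
    """Return (key, problem) findings for the string attributes of a PARAM.SFO."""
    magic, _ver, key_start, data_start, n = struct.unpack_from("<4sIIII", blob, 0)
    if magic != b"\0PSF":
        return [("?", "bad magic")]
    findings = []
    for i in range(n):
        koff, fmt, dlen, dmax, doff = struct.unpack_from("<HHIII", blob, 20 + 16 * i)
        key = blob[key_start + koff:blob.index(b"\0", key_start + koff)].decode("ascii", "replace")
        if fmt not in (FMT_UTF8, FMT_UTF8_SPECIAL):
            continue
        if dlen > dmax:   # never trust data_len beyond the declared capacity
            findings.append((key, "length %d exceeds declared max %d" % (dlen, dmax)))
        value = blob[data_start + doff:data_start + doff + min(dlen, dmax)]
        if fmt == FMT_UTF8 and not value.endswith(b"\0"):
            findings.append((key, "missing NUL terminator"))
        text = value.rstrip(b"\0")
        if any(b < 0x20 or b == 0x7F for b in text):   # escape/control bytes in a display string
            findings.append((key, "control characters in value"))
        try:
            text.decode("utf-8")
        except UnicodeDecodeError:
            findings.append((key, "invalid UTF-8"))
    return findings

# Constructed sample: one clean title, one subtitle carrying escape/bell bytes,
# one detail string longer than its declared maximum, one integer attribute.
SAMPLE_SFO = build_sfo([
    ("TITLE", FMT_UTF8, b"Racing Save 1\0", 128),
    ("SUB_TITLE", FMT_UTF8, b"Lap 3 \x1b[31mREDIRECT\x07\0", 128),
    ("DETAIL", FMT_UTF8, b"A" * 1100 + b"\0", 1024),
    ("PARENTAL_LEVEL", FMT_INT32, struct.pack("<I", 0), 4),
])
```

Running `check_sfo(SAMPLE_SFO)` reports the subtitle's control bytes and both the length overrun and the lost terminator on DETAIL, while a clean file yields an empty list.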

The bug has apparently been fixed in firmware version 4.41, which should be downloaded and installed on PS3s. The fix was released at the end of last month - six months after Vulnerability Labs said it reported the issue to Sony. ®
