Details:
========
A local code execution vulnerability has been detected in the official PlayStation 3 v4.31 firmware. The vulnerability allows local attackers to inject and execute code out of the vulnerable PS3 main menu web context.

There are 3 types of save games for the Sony PS3. This report is only bound to the .sfo save games of the PlayStation 3. PS3 save games sometimes use a PARAM.SFO file in the save folder (on USB or the PS3 HD) to display movable text such as marquees, in combination with a video, sound and the (path) background picture. Normally the PS3 firmware parses the redisplayed save game values and detail information text while loading the save game from USB or the PS3 HD. The import PS3 preview filter can be bypassed by splitting script code or system-specific (PS3 firmware) commands into a char-by-char injection.

The attacker synchronizes his computer with the USB device holding the save game (to change the USB context), connects the devices (USB, computer, PS3), updates the save game from the computer and can then execute the injected context directly out of the PS3 save game preview listing menu (USB/HD). Exploitation requires local system access, a manipulated .sfo file and a USB device. The attacker can only use the given byte size of the saved string (attribute values) to inject his own commands or script code. The PS3 filter of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide any kind of input restriction.

Attackers can manipulate the .sfo file of a save game to execute system-specific commands or inject malicious persistent script code. Successful exploitation of the vulnerability can result in persistent but local system command execution, PSN session hijacking, persistent phishing attacks, external redirects out of the vulnerable module, and stable persistent manipulation of the save game preview listing context.
Vulnerable Section(s):
    [+] PS Menu > Game (Spiel)

Vulnerable Module(s):
    [+] SpeicherDaten (DienstProgramm) PS3 > USB Gerät

Affected Section(s):
    [+] Title - Save Game Preview Resource (Detail Listing)


Proof of Concept:
=================
The firmware preview listing validation vulnerability can be exploited by local attackers with low or medium required user interaction. For demonstration or to reproduce ...

The attacker needs to sync his computer (to change the USB context) with the USB save game, connect the devices (USB, computer, PS3), update the save game via the computer, and can then execute the context directly out of the PS3 save game preview listing menu (USB/HD). Exploitation requires local system access, a manipulated .sfo file and a USB device. The attacker can only use the given byte size of the saved string (attribute values) to inject his own commands or script code. The PS3 filter of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide any kind of input restriction. Attackers can manipulate the .sfo file of a save game to execute system-specific commands or inject malicious persistent script code out of the save game preview listing. Note: if you inject standard frames or commands unknown to the system (jailbreak) without passing the filter char by char and syncing directly as an update, the reproduction will fail!

PoC: PARAM.SFO
(printable strings of the manipulated file; the PSF header and index table consist of non-printable bytes)

Key table:
    ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL
    SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE

Data table (printable strings, in file order):
    40ac78551a88fdc SD PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]
    Hackizeit: 1:33:07 ExpSkills: VL-LAB-TRAINING Operation: 1% Trojaners: 0% ...
    [non-printable bytes] 40ac78551a88fdc ... BLES00371-NARUTO_STORM-0 HACKINGBKM 1
    PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];
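As an added defensive example that is not part of the original advisory, the following Python reads the PARAM.SFO key and data tables named above, bounds-checks every index entry, and flags string attributes such as TITLE, SUB_TITLE or DETAIL that carry markup or control characters a preview listing should never render raw. The PSF layout (20-byte header, 16-byte index entries, key table, data table) is taken from the publicly documented format and assumed here; build_sfo, parse_sfo and unsafe_fields are names chosen for this example, and the sample file is constructed in memory.

```python
import struct
# PSF v1.1 layout (public format, assumed): header "\0PSF", version, key_table_start,
# data_table_start, count; then per attribute key_off u16, fmt u16, len, max_len, data_off u32.
FMT_UTF8 = 0x0204                 # NUL-terminated UTF-8 string
FMT_INT32 = 0x0404                # 32-bit integer
UNSAFE = set("<>\"'") | {chr(c) for c in range(0x20)}   # markup and control characters

def build_sfo(entries):
    """Serialize (key, value) pairs into a PARAM.SFO blob (constructed sample data)."""
    keys = b"".join(k.encode() + b"\0" for k, _ in entries)
    index, data, key_off, data_off = b"", b"", 0, 0
    for k, v in entries:
        if isinstance(v, int):
            raw, fmt, maxlen = struct.pack("<I", v), FMT_INT32, 4
        else:
            raw = v.encode("utf-8") + b"\0"
            fmt, maxlen = FMT_UTF8, (len(raw) + 3) & ~3      # data slots are 4-byte aligned
        index += struct.pack("<HHIII", key_off, fmt, len(raw), maxlen, data_off)
        data += raw.ljust(maxlen, b"\0")
        key_off, data_off = key_off + len(k) + 1, data_off + maxlen
    key_start = 20 + 16 * len(entries)
    key_table = keys.ljust((len(keys) + 3) & ~3, b"\0")
    header = struct.pack("<4sIIII", b"\0PSF", 0x101, key_start,
                         key_start + len(key_table), len(entries))
    return header + index + key_table + data

def parse_sfo(blob):
    """Return {key: value}; every index entry is bounds-checked before it is trusted."""
    magic, _ver, key_start, data_start, n = struct.unpack_from("<4sIIII", blob, 0)
    if magic != b"\0PSF":
        raise ValueError("not a PSF file")
    attrs = {}
    for i in range(n):
        key_off, fmt, length, maxlen, data_off = struct.unpack_from("<HHIII", blob, 20 + 16 * i)
        start = data_start + data_off
        if length > maxlen or start + maxlen > len(blob):
            raise ValueError("index entry out of bounds")
        key = blob[key_start + key_off:blob.index(b"\0", key_start + key_off)].decode()
        raw = blob[start:start + length]
        attrs[key] = (struct.unpack("<I", raw)[0] if fmt == FMT_INT32
                      else raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
    return attrs

def unsafe_fields(attrs):
    """Keys whose string value contains characters a preview listing must not render raw."""
    return sorted(k for k, v in attrs.items() if isinstance(v, str) and UNSAFE & set(v))

# Constructed sample: a benign TITLE plus a SUB_TITLE carrying quote and bracket characters.
SAMPLE = build_sfo([("PARENTAL_LEVEL", 1), ("SUB_TITLE", "Ninja H '>\"<[INJECTED]"), ("TITLE", "NARUTO STORM")])
```

Running unsafe_fields(parse_sfo(SAMPLE)) reports SUB_TITLE, and a truncated file is rejected by the bounds check instead of being displayed.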