  • PS3 LV2_Kernel Exploit Sample Implementation By Naehrwert
    Author: Mac2 | Views: 19690 (2012-09-21 2:19:41 PM)
    - Attachment
      images.jpg


    Following up on his PS3 SCETool update and PS3 Dump_Rootkey code, today Sony PlayStation 3 hacker Naehrwert has posted some details on exploiting the PlayStation 3 lv2_kernel and has made available a sample 3.41 implementation below.

    To quote from his blog: Exploiting (?) lv2

    A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

    1. The vulnerability is in a protected syscall (the SELF calling it got to have the 0x40... control flags set). So you’d first need to find a suitable usermode exploit (don’t ask us), that gives you code execution with the right privileges.

    2. The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2's heap implementation will overwrite the freed space with 0xABADCAFE and thus destroy the payload.

    Here (pastie.org/4755699) is my sample implementation for 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware), maybe someone of you will find a way to overcome problem (2.) and can get something nice out of it because right now it’s only good to crash lv2.

    Original article: http://www.ps3news.com/ps3-hacks-jailbreak/ps3-lv2-kernel-exploit-sample-implementation-by-naehrwert/

    ==========================================================================================================
    Reading the original article and the DASHHACKS article with my limited knowledge, it seems to say that an exploit for the LV2-level kernel has been implemented,
    and that through this an LV2 kernel exploit might become possible on every current system.
    (According to the source, there seems to be the possibility of a kernel exploit that could affect all current systems!)

    ==========================================================================================================
    As of right now, the PS3 scene is somewhat limited to a very specific group that happen to have one of the few possible hacked firmwares. However, if the exploit discussed in this coder's blog post can happen to be capitalized on, it's quite possible that the homebrew community just might open up to a massive degree. According to the source, there seems to be the possibility of a kernel exploit that could affect all current systems! Essentially in technical terms the crash creates what is called a stack overflow, allowing the entire security mechanism to be crushed under the right kind of code.

    However, as of right now this discovery is not without its share of limitations. As Naehrwert himself puts it "you'd first need to find a suitable usermode exploit (don't ask us), that gives you code execution with the right privileges" to work behind the protected syscall involved with the vulnerability. Additionally, the firmware itself also has a way of erasing the extra payload so that the true crash isn't allowed to take full effect. Still, as proof of his work, my source link shows the 3.41 version kernel in the hopes that another group may be able to help him out. Oh what a wonderful world we would live in should this be fully realized.


    ==================================================================================

    Maybe I'm reading too much into it, lol.
    Anyway, I'm waiting for the LV2 kernel exploit to bring CFW to the 3005 as well.
    (I'll leave the detailed translation to whoever posts below ㅠ)
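    The heap behaviour behind problem (2.) in Naehrwert's post, modelled as an added C example that is not from the post, his pastie, or lv2 itself: a toy arena whose free poisons the block with 0xABADCAFE, a check that recognises poisoned (stale) memory, and a comparison of how many bytes a later consumer still finds when the block is freed before use. The arena, the helper names and the 8-byte sample input are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Poison value the post reports lv2's heap writing over freed space. */
#define FREE_POISON 0xABADCAFEu

/* Toy single-block arena standing in for the lv2 heap (constructed model, not
   Sony's allocator): toy_alloc hands out the arena, toy_free poisons it. */
static uint8_t arena[64];
typedef struct { uint8_t *base; size_t size; } block_t;

static block_t toy_alloc(size_t n) {
    block_t b = { arena, n <= sizeof arena ? n : sizeof arena };
    return b;
}

/* Poison-on-free hardening: overwrite every byte of the block with the 32-bit
   pattern (host byte order) so nothing usable is left behind. */
static void toy_free(block_t *b) {
    uint32_t p = FREE_POISON;
    for (size_t i = 0; i < b->size; i++)
        b->base[i] = ((const uint8_t *)&p)[i % sizeof p];
}

/* Defender-side check: 1 when the memory holds only the poison pattern, i.e.
   it is stale freed memory and must not be trusted or executed. */
int is_poisoned(const uint8_t *mem, size_t n) {
    uint32_t p = FREE_POISON;
    for (size_t i = 0; i < n; i++)
        if (mem[i] != ((const uint8_t *)&p)[i % sizeof p]) return 0;
    return n > 0;
}

/* The two orderings problem (2.) contrasts: copy data into a heap block,
   optionally free it first, then count the bytes a later consumer still finds. */
size_t payload_bytes_intact(const uint8_t *data, size_t n, int free_before_use) {
    block_t b = toy_alloc(n);
    memcpy(b.base, data, b.size);
    if (free_before_use) toy_free(&b);
    size_t intact = 0;
    for (size_t i = 0; i < b.size; i++)
        intact += (b.base[i] == data[i]);
    return intact;
}

int main(void) {
    const uint8_t *sample = (const uint8_t *)"SAMPLE!!";  /* constructed input */
    size_t before = payload_bytes_intact(sample, 8, 0);   /* 8: data still there */
    size_t after = payload_bytes_intact(sample, 8, 1);    /* 0: poison replaced it */
    return (before == 8 && after == 0 && is_poisoned(arena, 8)) ? 0 : 1;
}
```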







    Lv.4 한번믿어봐 (2012-09-21 14:27:01)
    Hmm lol, putting the move to DEX on hold for now lol
    Lv.3 Mac2 (2012-09-21 14:44:51)
    But I don't know the details, whether we can use that right away... or whether it won't work on the 3005 either...
    What could be done with it, lol
    Lv.13 kiva (2012-09-21 20:56:00)
    My heart fluttered too when I saw this ㅡㅡ;;
    I hope it isn't a rumour
    The forum is treating it as a rumour;
    Lv.12 GTO_GTO (2012-09-21 23:48:30)
    DEX is nice too, but I really wish a new CFW would come out...ㅜ.ㅜ
    Lv.7 마이언 (2012-09-22 00:03:16)
    Please let the 3005 get CFW just once....ㅠ.ㅠ
    Lv.7 롤빵 (2012-09-22 20:59:11)
    Why is everyone hesitating to move to DEX?? Use it now, and if something else comes out,
    just switch to that.. As things stand I think it's the best firmware. Lots of advantages..
    Lv.4 한번믿어봐 (2012-09-22 23:40:48)
    Deleted by 한번믿어봐 at (2012/09/22 23:45).
    Lv.2 엑술로즈 (2012-09-23 19:43:51)
    Deleted by 엑술로즈 at (2012/09/26 12:22).
    Lv.2 BeForU (2012-09-24 01:27:30)
    That screenshot looks familiar haha....
    But after bricking one once, I'm too scared to switch.
    OtherOS++ doesn't seem to work either.
    Lv.2 악질이 (2012-09-24 23:03:53)
    Hmm, when will the 3005 get its turn ㅠㅠ
    Lv.2 zpdjsxpdlzj (2012-09-24 23:12:12)
    I bricked my board while switching from DEX to CEX, just so you know
    Lv.3 다시리 (2012-09-25 08:48:18)
    Something to look forward to, then. ㅜㅜ
    Lv.3 하빼 (2012-10-02 12:00:49)
    Really looking forward to it... please...lol
    Lv.7 네오그랑존 (2012-10-08 18:03:27)
    The backwards-compatible Korean-release 80GB model too...please.....
    Lv.3 튜닝페인 (2012-11-10 23:39:44)
    Looking forward to it haha. Thanks for the good info haha

    Copyright ⓒ FINALFANTASIA.COM All rights reserved.