Saved-game bug dumped PlayStation 3 fans in hijackers' sights

A potentially nasty security hole has apparently been found in the PlayStation 3 that allows miscreants to execute commands on a player's console if they preview a booby-trapped saved game.

The flaw affects firmware version 4.31 in Sony's gaming rig, according to the Vulnerability Laboratory Research Team which claims to have unearthed the coding error.

The bug - ranked 6.5 out of 10 in the Common Vulnerability Scoring System (PDF) - can be triggered from a saved game on a USB stick, for example, and exploited to compromise the device. Specifically, the firmware fails to securely validate input data when listing previews of saved games. Successful attacks, which are non-trivial to pull off, open the way to PlayStation Network (PSN) session hijacking or worse, we're told.

Vulnerability Laboratory researcher Benjamin Kunz Mejri produced proof-of-concept exploit code to underline his concerns about the apparent security flaw. Even so it took three attempts and several months to get Sony to respond to his findings.

Chris Boyd (AKA PaperGhost), a senior threat researcher at ThreatTrack Security and an expert in gaming security, said the vulnerability was potentially dangerous in practice in-game phishing poses a greater risk.

"While the listed attacks - persistent phishing and PSN session hijacks, to name but two - are certainly serious, this exploit requires the attacker to have local access to the PS3, or perhaps convince a PS3 user to download and store a game save onto a USB stick," Boyd told El Reg.

"As game saves typically need to be resigned to work with another PSN account, we're now talking about the attacker resigning malicious saves, storing them on a free file host which may prompt caution on the part of the victim (resigning can be a complicated process, so more often than not they're posted to dedicated gaming or modding sites, which can smell a rogue a mile away) and hoping the gamer follows the instructions to effectively nuke their own machine from orbit.

"As the most popular form of attack on the majority of gaming accounts we see is phishing, one might ask why doing all of the above to phish somebody (for example) is worth it when simply sending an in-game phish link would be simpler,” said Boyd.

“However, it's a good reminder to be cautious if downloading save games from the internet and it remains to be seen how creatively this vulnerability could be used."

Describing the problem in some more detail, the Vulnerability Laboratory wrote in its original advisory:

The attacker synchronizes his computer (to change the USB context) with USB (Save Game) and connects to the network (USB, computer, PS3), updates the save game via computer and can execute the context directly out of the PS3 savegame preview listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file, and a USB device. The attacker can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.

The PS3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special characters and does not provide any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands or inject malicious persistent script code.

Successful exploitation of the vulnerability can result in persistent but local system command executions, PSN session hijacking, persistent phishing attacks, external redirect out of the vulnerable module, stable persistent save game preview listing context manipulation.

The bug has apparently been fixed in firmware version 4.41, which should be downloaded and installed on PS3s. The fix was released at the end of last month - six months after Vulnerability Labs said it reported the issue to Sony. ®