SoylentNews is people

posted by martyb on Monday June 29 2020, @09:34PM
from the playing-games-with-game-playing-consoles dept.

Security Expert Discovered Flaw in PS2 That Gives a Way to Play Any Game

A security engineer who goes by the nickname "CTurt" has hacked a PlayStation 2 console and got it to run any game title he burns to a DVD. We're not talking about pirated games here, but titles that were never meant to run on a PS2, such as the classic Mario platformer. He calls the hack "FreeDVDBoot" and says that no hardware intervention or any other kind of mod is required to make it work. All that is needed is to exploit an existing flaw in the console's DVD playback code that triggers a read overflow.

The researcher gives all the technical details in his write-up, saying that he had to experiment with emulators a great deal to work out the crucial details of Sony's proprietary container format (VOB) used by the PS2's DVD disc reading system. He looked specifically for buffer overflow vulnerabilities in the "getDiscData" system call and found four of them. Because of these flaws, a disc that specifies lengths larger than allowed can trigger a buffer overflow. Building on this, and with some luck in finding valid jump targets that land in memory regions which can be modified, a chain of controlled corruption states can be achieved.

A similar exploit may work with the PS1, which only supports CDs, and the PS3 and PS4, which both support Blu-ray discs. The security engineer may be eligible to earn up to $50,000 for a working PS4 exploit.

PlayStation 2 was released in Japan in March 2000, and discontinued worldwide in January 2013.

Also at Ars Technica.

  • (Score: 2) by Snotnose (1623) on Monday June 29 2020, @09:57PM (#1014272) (2 children)

    Playing a DVD presents a huge attack surface. Why would this be so? MPEG2 is a container format. It's got a bunch of containers, each with an ID. Every once in a while you get a table of contents that says stuff like ID1 is English, ID2 is Spanish, ID3 is closed captioning, ID4 is video, etc. Literally, you can put pretty much what you want in a container.

    So if your container ID is sound, CC, or video, you just ensure the embedded packet length matches the packet length you read. Oops, lazy programmer detected. Plus, if you don't recognize an ID you just ignore it. Oops, another lazy programmer.

    Is it really that hard? Or is the whole "callback to MPAA" shit so bad you can get hacked playing a, for $deity's sake, DVD.

    --
    Why shouldn't we judge a book by its cover? It's got the author, title, and a summary of what the book's about.
  • (Score: 2) by The Mighty Buzzard on Monday June 29 2020, @10:02PM

    Is it really that hard? Or is the whole "callback to MPAA" shit so bad you can get hacked playing a, for $deity's sake, DVD.

    Both.

    --
    My rights don't end where your fear begins.
  • (Score: 2) by Snotnose (1623) on Monday June 29 2020, @11:03PM (#1014292)

    Just remembered MPEG isn't packetized, so you can't go by how many bytes the hardware read. But still, each packet has a sync, a byte count, and a checksum/CRC. How hard can it be to figure out that something about your packet is dodgy, and scan the stream looking for the sync pattern?

    --
    Why shouldn't we judge a book by its cover? It's got the author, title, and a summary of what the book's about.
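The bug class in the story (a disc-supplied length larger than what was actually read) next to the fix Snotnose sketches (compare the embedded byte count with what you have, drop the packet, and re-scan for the sync pattern), as an added C example that is neither the PS2's code nor part of any comment; the packet layout, constants, sample stream and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed packet layout for illustration (not the PS2's real VOB/MPEG layout):
 *   [0xAA][0x55][len][len bytes of payload]        len is supplied by the disc */
enum { SYNC0 = 0xAA, SYNC1 = 0x55, HDR = 3, MAX_PAYLOAD = 16 };

struct stats { size_t accepted; size_t rejected; size_t bytes_copied; };

/* Unsafe: the length byte is taken from the disc and used as-is. A packet that
 * claims more bytes than were read (or than `out` holds) makes memcpy read past
 * the input and write past the destination: the bug class in the story. */
size_t unchecked_copy(const uint8_t *pkt, uint8_t *out) {
    size_t len = pkt[2];
    memcpy(out, pkt + HDR, len);          /* len is never compared against anything */
    return len;
}

/* Hardened: same format, but each disc-supplied length is checked against the
 * bytes actually read, the destination size and the format's maximum before any
 * copy. A bad packet is dropped and parsing resumes by scanning for the next sync. */
struct stats parse_checked(const uint8_t *buf, size_t n, uint8_t *out, size_t outsz) {
    struct stats st = {0, 0, 0};
    size_t i = 0;
    while (i + HDR <= n) {
        if (buf[i] != SYNC0 || buf[i + 1] != SYNC1) { i++; continue; }  /* hunt for sync */
        size_t len = buf[i + 2];
        size_t remaining = n - (i + HDR);
        if (len > remaining || len > outsz || len > MAX_PAYLOAD) {
            st.rejected++;
            i += 2;                        /* skip this sync word, keep scanning */
            continue;
        }
        memcpy(out, buf + i + HDR, len);   /* safe: len is bounded on both sides */
        st.bytes_copied += len;
        st.accepted++;
        i += HDR + len;
    }
    return st;
}

/* Constructed stream: a good 3-byte packet, a packet claiming 255 bytes with only
 * two left, then a good 2-byte packet that must still be found after the bad one. */
const uint8_t sample_stream[] = {
    0xAA, 0x55, 0x03, 0x01, 0x02, 0x03,
    0xAA, 0x55, 0xFF, 0x09, 0x09,
    0xAA, 0x55, 0x02, 0x07, 0x08
};

struct stats demo_checked(void) {
    uint8_t out[MAX_PAYLOAD];
    return parse_checked(sample_stream, sizeof sample_stream, out, sizeof out);
}
```

Running the same stream through unchecked_copy on its second packet would read 255 bytes from a 16-byte buffer, which is exactly the class of over-read the write-up describes.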