Summary
A malicious user can crash a victim’s game in any instance of Refresh.
Details
LittleBigPlanet lets you use an in-game GUID as a level badge. If you use an in-game GUID of a model (ex: 1087, which is Sackboy) as either your level badge or (if it’d let you, not sure if this is implemented) your user picture, the RSX (and consequently the game) will crash as it cannot load the model into texture memory. This crash occurs on both PS3 and RPCS3 and all games until LBP3 PS4. What this means is that a user’s game will crash just by visiting a profile or by visiting the “Newest Levels” tab.
PoC
Create a level utilizing a model GUID as the level badge, such as the example provided above. Navigate to the level in-game to cause the crash.
Impact
This vulnerability is caused by improper or missing input validation, and all in-game users are affected.
Mitigation
This vulnerability was mitigated by the creation of a database of the “blurayguids.map” file (preferably LBP3 PS3 latest) of GUIDs that are valid textures (.tex, .png), and implementation of a check in the files handler or other relevant system to verify a GUID’s presence in the database.
This vulnerability was brought to our attention via a Responsible Disclosure email delivered to a maintainer of the ProjectLighthouse repository, who has forwarded it to the Refresh team on the reporter's behalf.
sudokoko Reporter
Summary
A malicious user can crash a victim’s game in any instance of Refresh.
Details
LittleBigPlanet lets you use an in-game GUID as a level badge. If you use an in-game GUID of a model (ex: 1087, which is Sackboy) as either your level badge or (if it’d let you, not sure if this is implemented) your user picture, the RSX (and consequently the game) will crash as it cannot load the model into texture memory. This crash occurs on both PS3 and RPCS3 and all games until LBP3 PS4. What this means is that a user’s game will crash just by visiting a profile or by visiting the “Newest Levels” tab.
PoC
Create a level utilizing a model GUID as the level badge, such as the example provided above. Navigate to the level in-game to cause the crash.
Impact
This vulnerability is caused by improper or missing input validation, and all in-game users are affected.
Mitigation
This vulnerability was mitigated by the creation of a database of the “blurayguids.map” file (preferably LBP3 PS3 latest) of GUIDs that are valid textures (.tex, .png), and implementation of a check in the files handler or other relevant system to verify a GUID’s presence in the database.
This vulnerability was brought to our attention via a Responsible Disclosure email delivered to a maintainer of the ProjectLighthouse repository, who has forwarded it to the Refresh team on the reporter's behalf.