libTiff exploit ?

[wololo]

I think the PSP is using the libtiff for image decoding...
would it be worth it looking into this vulnerability ? (it's a bit old, end of august)
http://secunia.com/advisories/31610/

Sorry if that's not the kind of talk allowed here

Edit: all my current findings on this vulnerability are summed up a few pages later in this same thread : http://lan.st/showthread.php?p=13084#post13084

Edit2: changed the title for a less confusing one

[Torch]

Depends on whether the PSP implementation can be made to jump into code that we plant. Only those who've fully studied the lib on the PSP will know.

[Jachra]

Quote:

Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.

It might be usable, but further study must show that

[arnold]

Isn't libtiff old? Huh?

-Arnold

[Hellcat]

That's been fixed in FW 2.00, guys.... o_O

[Torch]

Quote:

Originally Posted by Hellcat

That's been fixed in FW 2.00, guys.... o_O

No this is a new exploit.

If its actually usable, then its just what we need. A user mode exploit to complement the kernel mode exploits that certain people say exist in current firmware.

[arnold]

Can't we just hold as long as we can until it is completely necessary to use new user mode exploits? That way, Sony won't block it. Yet.

-Arnold

[Jachra]

Quote:

Originally Posted by arnold

Can't we just hold as long as we can until it is completely necessary to use new user mode exploits? That way, Sony won't block it. Yet.

-Arnold

We can safely assume that this possible exploit will be patched in the next firmware. Sony knows from the past events that the scene will try to use this and will not leave unpatched.

[arnold]

Unless they are silly.

-Arnold

[wololo]

Quote:

Originally Posted by Jachra

We can safely assume that this possible exploit will be patched in the next firmware. Sony knows from the past events that the scene will try to use this and will not leave unpatched.

That's my concern. The exploit was found on 8/26, and the 4.20 firmware which ships with psp3000 was released in october...
Chances are high that firmware 4.20 already has a patch for this issue, unfortunately there is no "proof of concept" file available publicly to test...