Closed prodigysml closed 6 years ago
Thanks for the information. This program is very old and we may be changing the design to allow the proper passing of HDD-based paths, which will mean that the affected part will likely be changed.
On the bright side, there is probably no reason for anybody to attack homebrew PlayStation 2 software.
The ELF loader has been reworked in commit 459c53c and the vulnerable code no longer exists there.
There is a buffer overflow vulnerability in the loader.c file. This is in regards to both the `s` variable and the `partition` variable. The partition variable contains `argv[1]`, which is user controlled as displayed below: https://github.com/AKuHAK/uLaunchELF/blob/75b22d9b0d5a23f4b758d6498e6e7a185b744523/loader/loader.c#L126

This variable has a size of 128 characters, making it simple to overflow: https://github.com/AKuHAK/uLaunchELF/blob/75b22d9b0d5a23f4b758d6498e6e7a185b744523/loader/loader.c#L51

Running with `argv[1] = A * 400` (400 A's) will make the application crash. This weakness may be used to change the intended execution flow of the program.
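The following is an added illustration, not code from uLaunchELF or from the reporter. It shows the general pattern the report describes (a fixed 128-byte buffer filled from `argv[1]` with no length check) next to a bounded version that refuses oversized input instead of writing past the buffer. The function and buffer names, and the sample arguments, are assumptions constructed for the example; the only values taken from the report are the 128-character buffer size and the 400-character crashing argument.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer size stated in the report: the partition variable holds 128 characters. */
#define PARTITION_LEN 128

/* Vulnerable pattern (hypothetical names): an unbounded strcpy from a
 * caller-controlled argument into a fixed buffer. A 400-byte argument
 * writes 272 bytes beyond the end of the array. Kept for comparison only;
 * nothing below calls it with oversized input. */
static char partition_unsafe[PARTITION_LEN];
void set_partition_unsafe(const char *arg)
{
    strcpy(partition_unsafe, arg); /* no length check */
}

/* Portable bounded strlen: never reads more than max bytes, so an
 * unterminated or enormous argument cannot cause a long read either. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: copy arg into dst only if it fits with its terminator.
 * Returns 0 on success, -1 if arg is NULL or longer than PARTITION_LEN-1. */
int set_partition_checked(char dst[PARTITION_LEN], const char *arg)
{
    if (arg == NULL)
        return -1;
    size_t n = bounded_len(arg, PARTITION_LEN);
    if (n >= PARTITION_LEN)       /* 128 or more characters: no room for '\0' */
        return -1;
    memcpy(dst, arg, n);
    dst[n] = '\0';
    return 0;
}

/* Reproduces the report's input (400 'A's, constructed here) against the
 * checked copy. Returns the copy's result: -1 means the input was rejected. */
int demo_long_argument(void)
{
    char arg[401];
    memset(arg, 'A', 400);
    arg[400] = '\0';
    char dst[PARTITION_LEN];
    return set_partition_checked(dst, arg);
}

/* A short constructed argument must be accepted and copied intact.
 * Returns 0 when the copy succeeded and matches, 1 otherwise. */
int demo_short_argument(void)
{
    char dst[PARTITION_LEN];
    const char *arg = "constructed_partition_name";
    if (set_partition_checked(dst, arg) != 0)
        return 1;
    return strcmp(dst, arg) == 0 ? 0 : 1;
}

/* Boundary check: 127 characters fit, 128 do not. Returns 0 when both
 * outcomes are as expected, 1 otherwise. */
int demo_boundary(void)
{
    char arg[PARTITION_LEN + 1];
    char dst[PARTITION_LEN];
    memset(arg, 'B', PARTITION_LEN);
    arg[PARTITION_LEN] = '\0';               /* exactly 128 characters */
    if (set_partition_checked(dst, arg) != -1)
        return 1;
    arg[PARTITION_LEN - 1] = '\0';           /* now 127 characters */
    if (set_partition_checked(dst, arg) != 0)
        return 1;
    return 0;
}

int main(void)
{
    printf("400-char argument rejected: %s\n", demo_long_argument() == -1 ? "yes" : "no");
    printf("short argument copied:      %s\n", demo_short_argument() == 0 ? "yes" : "no");
    printf("127/128 boundary correct:   %s\n", demo_boundary() == 0 ? "yes" : "no");
    return 0;
}
```

The check rejects the input before any write happens, which is the behaviour a loader wants: an argument that cannot be a valid partition name should produce an error path rather than a crash. The same length-before-copy discipline applies to the `s` variable the report mentions, or any other fixed-size buffer populated from `argv`.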