ps2homebrew / wLaunchELF

ELF loader and File browser for Sony PlayStation 2

Buffer overflow in loader.c #14

Closed prodigysml closed 6 years ago

prodigysml commented 6 years ago

There is a buffer overflow vulnerability in the loader.c file. This is in regards to both the s variable and the partition variable.

The partition variable contains argv[1] which is user controlled as displayed below: https://github.com/AKuHAK/uLaunchELF/blob/75b22d9b0d5a23f4b758d6498e6e7a185b744523/loader/loader.c#L126

This variable has a size of 128 characters, making it simple to overflow: https://github.com/AKuHAK/uLaunchELF/blob/75b22d9b0d5a23f4b758d6498e6e7a185b744523/loader/loader.c#L51

Running with argv[1] = A * 400 (400 A's) will make the application crash. This weakness may be used to change the intended execution flow of the program.
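As an added illustration (not code from this issue or from wLaunchELF), the following shows a bounds-checked way to accept the partition argument that the report says loader.c copied into a 128-byte buffer without a length check. The `loader_args` type, `set_partition` and `accepts_length` are hypothetical names, and the sample arguments are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PARTITION_LEN 128          /* buffer size quoted in the report */

typedef struct {
    char partition[PARTITION_LEN]; /* hypothetical stand-in for the reported buffer */
} loader_args;

/* Copies src into args->partition only if it fits together with its NUL
 * terminator. Overlong input is refused and the buffer is left empty; this
 * is the class of input (e.g. 400 'A's) that the report shows crashing the
 * loader when no check is made. memchr is bounded, so src is never read
 * past PARTITION_LEN bytes even if it is not NUL-terminated within them. */
bool set_partition(loader_args *args, const char *src)
{
    const char *nul;
    size_t len;
    if (args == NULL || src == NULL)
        return false;
    nul = memchr(src, '\0', PARTITION_LEN);
    if (nul == NULL) {                 /* 128 or more bytes: no room for '\0' */
        args->partition[0] = '\0';
        return false;
    }
    len = (size_t)(nul - src);
    memcpy(args->partition, src, len + 1);
    return true;
}

/* Builds a constructed argument of n 'A' bytes and reports whether
 * set_partition accepts it; used to probe the 127/128 boundary and the
 * 400-byte case from the report. */
bool accepts_length(size_t n)
{
    char buf[512];
    loader_args args;
    if (n >= sizeof buf)
        return false;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return set_partition(&args, buf);
}

int main(void)
{
    printf("127 A's accepted: %d\n", accepts_length(127));
    printf("128 A's accepted: %d\n", accepts_length(128));
    printf("400 A's accepted: %d\n", accepts_length(400));
    return 0;
}
```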

sp193 commented 6 years ago

Thanks for the information. This program is very old and we may be changing the design to allow the proper passing of HDD-based paths, which will mean that the affected part will likely be changed.

On the bright side, there is probably no reason for anybody to attack homebrew PlayStation 2 software.

sp193 commented 6 years ago

The ELF loader has been reworked in commit 459c53c and the vulnerable code no longer exists there.