Skip to content

Game crash vulnerability caused by missing input validation

Moderate
Beyley published GHSA-qjj3-q32v-fgqm Dec 23, 2023

Package

Refresh

Affected versions

<= 2.5.1

Patched versions

>= 2.5.2

Description

Summary

A malicious user can crash a victim’s game in any instance of Refresh.

Details

LittleBigPlanet lets you use an in-game GUID as a level badge. If you use an in-game GUID of a model (ex: 1087, which is Sackboy) as either your level badge or (if it’d let you, not sure if this is implemented) your user picture, the RSX (and consequently the game) will crash as it cannot load the model into texture memory. This crash occurs on both PS3 and RPCS3 and all games until LBP3 PS4. What this means is that a user’s game will crash just by visiting a profile or by visiting the “Newest Levels” tab.

PoC

Create a level utilizing a model GUID as the level badge, such as the example provided above. Navigate to the level in-game to cause the crash.

Impact

This vulnerability is caused by improper or missing input validation, and all in-game users are affected.

Mitigation

This vulnerability was mitigated by the creation of a database of the “blurayguids.map” file (preferably LBP3 PS3 latest) of GUIDs that are valid textures (.tex, .png), and implementation of a check in the files handler or other relevant system to verify a GUID’s presence in the database.


This vulnerability was brought to our attention via a Responsible Disclosure email delivered to a maintainer of the ProjectLighthouse repository, who has forwarded it to the Refresh team on the reporter's behalf.

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CVE ID

No known CVE

Weaknesses

Credits