iQue Player System Flaws

From iQueBrew
Revision as of 22:46, 27 January 2020 by Normmatt (talk | contribs) (Reverted edits by Toilet (talk) to last revision by Jhynjhiruu)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search


Summary Description Timeframe this was discovered Discovered by
Virage2 is writable SK has code to write to Virage2; this actually works and writes there.

Virage2 was assumed "OTP" before, it contains SK hash, bootrom patches, BBID and key material.

Successfully overwriting the correct virage2 areas allows for persistent boot-time secure mode code execution.

WARNING: overwriting SK hash with garbage, not fixing checksum, etc, WILL hard brick your console!

May 4, 2018 Normmatt

Secure Kernel

Summary Description Successful exploitation result Timeframe this was discovered Discovered by
psychic paper: Secure Kernel could incorrectly consider a self-signed certificate chain as valid The function for verifying certificate chains at 0x9FC028BC is passed an array of pointers to certificates.

For the first 5 elements, it checks to see if the certificate was issued by Root, if so it checks if the certificate was signed by the hardcoded Root public key (and returns immediately with the result).

If the certificate wasn't signed by Root, it checks if the certificate was signed by the public key of the next certificate in the array.

If all 5 certificates verified correctly, the function will return success.

Assuming this function can be called with an attacker-controlled array of certificates (this is possible, thanks to other (below) issues), self-signing of certificates (and thus, arbitrary code execution, with full non-Secure Mode privileges)

(This is not the case for Secure Applications, the code in SK for verifying those sets up a hardcoded array on the stack for the certificate verification function)

April 2018 Riley
skLaunchSetup and skRecryptBegin leave CMD in memory if its signature does not verify The function called by skLaunchSetup (and skRecryptBegin) at 0x9FC00BAC verifies ticket and CMD, and decrypts the titlekey.

After verifying the ticket signature, it copies the CMD to another place in memory, derives the titlekey encryption key, decrypts the titlekey with the titlekek, then verifies the CMD signature.

If the CMD signature does not verify successfully, the function just returns an error, leaving the unsigned CMD in place.

Most of the code that uses a CMD in SK uses the CMD in that place in memory that this function copies the CMD to, and trusts that whatever data is there has been verified already.

The entire CMD is covered by the ticket signature anyway, so this isn't that useful really, besides potentially making psychic paper easier to exploit.

With existing code execution with access to skLaunchSetup or skRecryptBegin and some other SKC that uses SK's internal CMD copy (only non-test SAs have this level of access), and the ability to sign a ticket but not a CMD:

Allowing the use of an unsigned CMD by SK, potentially leading to privilege escalation (by specifying arbitrary allowed hardware access/allowed SKCs).

April 26, 2018 Riley
skLaunch does not check content hash if recrypt flag is set in CMD skLaunch calculates the SHA1 hash of the content and compares it to the value in the CMD, returning an error if the hash doesn't match. This entire block of code is jumped over if the recrypt flag is set in the CMD. With plaintext of an application with the recrypt flag set in its CMD, arbitrary code execution (via, for example, implementation of the attack described in pocorgtfo17)

Also: Injection of games; see iQueCrypt.

Early 2018? Everyone
skVerifyHash signature pointer not validated skVerifyHash takes in a u8 pointer to a signature to verify, but does not actually validate this pointer is valid before treating the memory it points to as an RSA/ECC signature. Causing the Secure Kernel to data abort -- possibly usable as an infoleak, depending on the provided cert chain April 29, 2018 SciresM
SK's ECDH implementation does no validation of the other party's public key When deriving the titlekek using ECDH, SK does no validation whatsoever of the public key, which comes from the ticket. Because ECDH is just multiplication, passing in an all-zero public key would lead to an all-zero titlekek being used. With the ability to sign a ticket and CMD (for example, psychic paper): causing SK to use a constant titlekek; no need to know a console's ECC keypair. April 29, 2018 Riley
skRecryptData insufficient checks skRecryptData allows for NULL to be passed in as a pointer, for supporting some alternate mode controlled by a u32 in SK .data.

However, if this u32 is 0 (which is the default), no further checks are done and recrypt operations are done starting from NULL with provided length (in 0x400 chunks).

Also, if skRecryptBegin wasn't called, the recrypt operation is done by decrypting using the current hardware AES engine state, then re-encrypting with a completely zero internal state (which is invalid, so nothing will be done).

If skRecryptBegin was called, the re-encryption will succeed as the internal state would have been set, and re-encrypted data would be written to the same area that the original data was read from. (To get to the SK code area with this, though, requires overwriting all of DRAM)

Possible infoleak into the PI buffer. (without recrypt state set)

Possible secure mode code execution. (with recrypt state set)

April 30, 2018 Riley
SK's CRL checking function will not check a ticket CRL at all if the ticket CRL version in the ticket (as s32) is < 0 The function in SK that checks provided CRLs at 0x9FC02CB4 checks the provided ticket CRL version first (which comes from the ticket.) If it's less than 0 as s32, it will not be checked at all, that call will be jumped over.

The first CRL in the list is the ticket CRL; thus this could provide a favourable situation for exploiting psychic paper.

Additionally, the required elements to craft a CRL such that SA believes it to be valid with the public key in the correct place for psychic paper do not overlap.

Furthermore, libultra function osBbSaGamePrelaunch (which calls skLaunchSetup/skRecryptBegin/etc), which is called by SA when launching a game, stores the CRL structure for those two SKCs directly after the ticket bundle structure in .data. This, plus other flaws (below) lead directly to the successful exploitation of psychic paper.

Exploitation of psychic paper April 30, 2018 Riley
eSKape: bad SKC table bounds check SK's Secure Kernel Call handler bounds check uses a signed comparison when checking the SKC number that's being called to make sure it is within the bounds of the table, leading to the ability to have SK take the SKC function pointer from non-secure RAM, and thus, arbitrary code execution in secure mode. Secure mode code execution. May 1, 2018 Stuckpixel and Riley (complementary)

System Applications

Summary Description Successful exploitation result Exploitable System Applications Timeframe this was discovered Discovered by
libultra _osBbSaVerifyTickets gets an entire ticket bundle then just uses skVerifyHash with the ticket cert-chain ptr _osBbVerifyTickets is called by osBbSaMetaGetTickets if argument 2 is not 0. (osBbSaMetaGetTickets, in turn, is called by a function in SA that appears to get the data for the game menu?)

This function calls osBbSaBundleTicket, which gets a "ticket bundle" (struct containing ticket + ticket+CMD cert chain + CRL pointers, pointer to which is used as an argument for skLaunchSetup and skRecryptBegin), then proceeds to call skVerifyHash passing a pointer to the ticket cert-chain pointer array from that structure.

Given that the CMD cert chain pointer array is directly after the ticket cert-chain pointer array in that structure, this gives a favourable situation for exploitation of psychic paper.

Exploitation of psychic paper and self-signing tickets such that non-test SAs believe them to be valid. All non-test SAs? April 30, 2018 Riley
libultra osBbSaCertCreateChain only uses the endmost certificate's issuer osBbSaCertCreateChain parses cert.sys to create a cert chain array for SK (first element points to the object's signer, second element points to its signer, etc.).

This function only uses the issuer of the endmost certificate (object's signer), to get a list of certificate names to obtain.

The rest of the certificates only have their name compared against the one currently being searched for. There are no checks that the chain being created ends in Root. This gives a favourable situation for exploitation of psychic paper.

Exploitation of psychic paper All non-test SAs? April 30, 2018 Riley
EMS monitor SA's signature verification code is flawed The EMS monitor SA, when loading its payload from NAND, verifies its CMD signature using similar code to what SK does.

However, SK's code, being in SK, calls SK-internal functions for the verification, whereas the SA has to use skVerifyHash.

skVerifyHash imposes less constraints on verification due to it having to support everything; most notably, no checks are done as to what type of certificate was used for signing, and ECC signatures (at the end of a cert chain) are allowed.

Additionally, usage of skVerifyHash requires that a list of CRL pointers is passed to it; these pointers are placed directly after the certificate chain pointers in memory, which potentially gives a favourable situation for exploitation of psychic paper.

More signers/signatures are allowed that perhaps would have been intended; possibly, exploitation of psychic paper. All EMS monitor SAs? August 8, 2018 Riley