HOME public beta just started a few minutes ago, and as a little bonus I write this little vulnarabilitie disclosure of HOME beta 1.3. Don't be THAT surprised, remember the decrypted HOME game files^^. HOME is the most buggy game I ever saw and they really ****ed up so much. Ok, the delays gone about 2 years but after this years of waiting as user I expect a little bit more. "It feels like 2005 tech in 2008. I'm not sure that’s what people want.", I can only agree with this comment of Microsoft. Well, here the disclosure:
The first 2 are server structure listenings. Some uninteresting files like the model files are missing, in generall the most interesting files are included. JSP files are NEVER sources, they are the response of the server. They are responded for german area.
----------------------------------------------------------------------------
1) scee-home.playstation.net server structure (without spaces as they are to big)
DOWNLOAD
2) homeps3.online.scee.com (jsp files are no sources, they are responds of the home servers)
DOWNLOAD
3) The different Content Bases:
For Developers & Alpha =
http://homeps3-content.online.scee.com:10010/Alpha/Dev/
For Quality Assurance =
http://homeps3-content.online.scee.com:10010/Alpha/QA/
For HOME Beta 0.9 =
http://homeps3-content.online.scee.com:10010/Beta/090/
4) Take a look in the first download package \c.home\prod\live\Screens\
Only one of the XML files is encrypted, which means you can simply customize the HOME areas with your own videos, pictures and text if you use a apache + simple dns redirection.
5) Download any file from the HOME content server you want
(Well now we come to the more interesting parts^^)
Theres a download script here...
(homeps3.online.scee.com/HUBPS3_SVML/home/fileservices/Download.jsp)
...which is meaned to act as downloader for other users profiles, avatars and more.
Example: User1 uploads his profile to the home server (see point 6), now User2 sees User1 in HOME; the downloader downloads the profile of User1 to the local HDD space of User2. So far so good. Now theres the possibility to do a realtime packet edit to download ANY file you want. It's up to you what files you think about now, but there are more than just lame user profiles on such servers ;-) To continue:
Download.jsp?filename=Profile-UserXYZ
This is the structure how it looks like when a user profile is requested, after this the server responds this way:
http://pastebin.com/f422ad43e
Simply edit the filename to get your specific file
6) The most important vulnarability "upload any file to the HOME server"
The methode is nearly the same like in 5. just that you can upload instead of download a file. The structure looks like this:
Server request:
homeps3.online.scee.com/HUBPS3_SVML/fileservices/UploadFileServlet?fileNameBeginsWith=Avatar-UserXYZ.jpg&filePermission=2&fileTypeID=2&fileDesc ription=unused
Aswell theres the file you want to upload as raw data in the POST header. Just do a live edit again and inject your file. It will be saved in /HUBPS3_SVML/.
Please don't upload any r00tshells or similiar ;-)
7) At the end a funny thing "delete any file on the HOME server"
homeps3.online.scee.com/HUBPS3_SVML/home/fileservices/Delete.jsp?filename=XYZ
This could end really evil with a simple script :P
Please remember the last 3 vulnarabilities only work if you do a realtime packet edit. It's not possible to do this from a PC only or with fake packets!
----------------------------------------------------------------------------
So what is the conclusion?:
SONY ****ed it really up! First they delay HOME for more than a year, then they delay it a few times again and again till finally we have a HOME beta on a technical standard from 2005 with crappy graphics, a few boring areas and many many many many many many many many bugs. After this whole bullshitting we finally get our beta on 11.12.2008 with another delay of about 5 hours because SONY is unable to test their servers before. Congratz, to SONY for this fantastic product. THANKS!
Please remember:
Don't do anything stupid with this information which you could repent later.
Thanks for you attention, this was my little HOME vulnarabilities disclosure for you,
SKFU
**********UPDATE1**********
I think I need to clear up some things:
1) This is all public information anyone with a bit networking knowledge can get.
2) At no time I hacked the servers. The HOME errors are NOT caused by me! The explainations are all based on theorethical base!
3) All scripts and responds are client site, so all legal.
4) I like the idea of HOME but the tech of 2005 is a fact.
5) I'm not responsible for other people which are going to experiment with the provided information.
6) I think this disclosure is very ok, think about the 2 options:
1. I disclosure it and it gets fixed by SONY.
2. Someone else use the bugs, uploads a shell, roots the server, kills your HOME.
- SKFU
**********UPDATE1**********
**********UPDATE2**********
As many people just don't understand what are the risks of this crappy server structure, here is it in simple words:
1) Uploading own files to hack the server itself
2) Replace original files and insert code which could damage your PS3
3) Executing unsigned code via replaced LUA and JAVA files
These are the most important issues. I'm not responsible for any actions you do. Thanks for attention,
SKFU