New FreeBSD Kernel Exploit Discovered by PS4 Developer CTurt

Following his announcement of a Kernel Exploit for FreeBSD 10.2, today PlayStation 4 developer CTurt revealed news of a new FreeBSD kernel exploit which he says will be published for PS4 developers to examine once the security team patches it.

Below are the related Tweets:


As always, we'll add updates to this article as they become available!

 

[pizzamann113]

So many guys want UC4, and i'm just sitting here, hoping for a hack to get Showtime on my PS4

 

[Howie648]

Well of course Showtime would be great on PS4 lol. So would playing some SNES and MAME..

 

[Chaos Kid]

game data packager
based on Kernel 3.xx
firmware-linux-free_3.x

usr/games/game-data-packager
usr/lib/game-data-packager/doom-common
usr/lib/game-data-packager/game-data-packager-shared
usr/lib/game-data-packager/lgeneral-mirrors
usr/lib/game-data-packager/q2mp-common
usr/lib/game-data-packager/rott-mirrors
usr/lib/game-data-packager/wolf3d-mirrors
usr/share/doc/game-data-packager/NEWS
usr/share/doc/game-data-packager/changelog.gz
usr/share/doc/game-data-packager/copyright
usr/share/games/game-data-packager/changelog.gz
usr/share/games/game-data-packager/doom-wad_37
usr/share/games/game-data-packager/doom2-wad_37
usr/share/games/game-data-packager/heretic-wad_37
usr/share/games/game-data-packager/hexen-wad_37
usr/share/games/game-data-packager/hexen2-data_37
usr/share/games/game-data-packager/lgeneral-data-nonfree_37
usr/share/games/game-data-packager/plutonia-wad_37
usr/share/games/game-data-packager/quake-armagon_37
usr/share/games/game-data-packager/quake-dissolution_37
usr/share/games/game-data-packager/quake-registered_37
usr/share/games/game-data-packager/quake-shareware_37
usr/share/games/game-data-packager/quake/quake-armagon-music.control
usr/share/games/game-data-packager/quake/quake-armagon-music.copyright
usr/share/games/game-data-packager/quake/quake-armagon-music.md5sums
usr/share/games/game-data-packager/quake/quake-dissolution-music.control
usr/share/games/game-data-packager/quake/quake-dissolution-music.copyright
usr/share/games/game-data-packager/quake/quake-dissolution-music.md5sums
usr/share/games/game-data-packager/quake/quake-music.control
usr/share/games/game-data-packager/quake/quake-music.copyright
usr/share/games/game-data-packager/quake/quake-music.md5sums
usr/share/games/game-data-packager/quake2/cd.md5sums
usr/share/games/game-data-packager/quake2/demo.md5sums
usr/share/games/game-data-packager/quake2/patch.md5sums
usr/share/games/game-data-packager/quake2/quake2-demo-data.control
usr/share/games/game-data-packager/quake2/quake2-demo-data.copyright
usr/share/games/game-data-packager/quake2/quake2-demo-data.md5sums
usr/share/games/game-data-packager/quake2/quake2-full-data.control
usr/share/games/game-data-packager/quake2/quake2-full-data.copyright
usr/share/games/game-data-packager/quake2/quake2-full-data.md5sums
usr/share/games/game-data-packager/quake2/quake2-music.control
usr/share/games/game-data-packager/quake2/quake2-music.copyright
usr/share/games/game-data-packager/quake2/quake2-music.md5sums
usr/share/games/game-data-packager/quake2/quake2-rogue.control
usr/share/games/game-data-packager/quake2/quake2-rogue.copyright
usr/share/games/game-data-packager/quake2/quake2-rogue.md5sums
usr/share/games/game-data-packager/quake2/quake2-xatrix.control
usr/share/games/game-data-packager/quake2/quake2-xatrix.copyright
usr/share/games/game-data-packager/quake2/quake2-xatrix.md5sums
usr/share/games/game-data-packager/quake3-data_37
usr/share/games/game-data-packager/rott-data_37
usr/share/games/game-data-packager/supported/doom
usr/share/games/game-data-packager/supported/doom2
usr/share/games/game-data-packager/supported/heretic
usr/share/games/game-data-packager/supported/hexen
usr/share/games/game-data-packager/supported/hexen2
usr/share/games/game-data-packager/supported/lgeneral
usr/share/games/game-data-packager/supported/plutonia
usr/share/games/game-data-packager/supported/q2rogue
usr/share/games/game-data-packager/supported/q2xatrix
usr/share/games/game-data-packager/supported/quake
usr/share/games/game-data-packager/supported/quake2
usr/share/games/game-data-packager/supported/quake3
usr/share/games/game-data-packager/supported/rott
usr/share/games/game-data-packager/supported/tnt
usr/share/games/game-data-packager/supported/wolf3d
usr/share/games/game-data-packager/tnt-wad_37
usr/share/games/game-data-packager/wolf3d-data-wl1_37
usr/share/man/man6/game-data-packager.6

 

[proskopina]

kernel??

 

[Fimo]

kernel??

3.xx
We knew that 3.xx has webkit vulnerabilities, now we know that 3.xx has webkit exploit.

 

[proskopina]

ααααα,,ok,i didnt see before 3.xx

 

[Chaos Kid]

@Fimo you say we already knew it was kernel 3.xx but considering kernel wasn't in this makes it more suspicious.
I know where the kernel is and not webkit found it else where

VERSION = 3
PATCHLEVEL = xx
SUBLEVEL = 0
EXTRAVERSION =
NAME =

# *DOCUMENTATION*
# To see a list of typical targets execute "make help"
# More info can be located in ./README
# Comments in this file are targeted only to the developer, do not
# expect to learn how to build the kernel reading this file.

# Do not:
# o  use make's built-in rules and variables
#  (this increases performance and avoids hard-to-debug behaviour);
# o  print "Entering directory ...";
MAKEFLAGS += -rR --no-print-directory

# Avoid funny character set dependencies
unexport LC_ALL
LC_COLLATE=C
LC_NUMERIC=C
export LC_COLLATE LC_NUMERIC

# We are using a recursive build, so we need to do a little thinking
# to get the ordering right.
#
# Most importantly: sub-Makefiles should only ever modify files in
# their own directory. If in some directory we have a dependency on
# a file in another dir (which doesn't happen often, but it's often
# unavoidable when linking the built-in.o targets which finally
# turn into vmlinux), we will call a sub make in that other dir, and
# after that we are sure that everything which is in that other dir
# is now up to date.
#
# The only cases where we need to modify files which have global
# effects are thus separated out and done before the recursive
# descending is started. They are now explicitly listed as the
# prepare rule.

# To put more focus on warnings, be less verbose as default
# Use 'make V=1' to see the full commands

ifeq ("$(origin V)", "command line")
  KBUILD_VERBOSE = $(V)
endif
ifndef KBUILD_VERBOSE
  KBUILD_VERBOSE = 0
endif

# Call a source code checker (by default, "sparse") as part of the
# C compilation.
#
# Use 'make C=1' to enable checking of only re-compiled files.
# Use 'make C=2' to enable checking of *all* source files, regardless
# of whether they are re-compiled or not.
#
# See the file "Documentation/sparse.txt" for more details, including
# where to get the "sparse" utility.

ifeq ("$(origin C)", "command line")
  KBUILD_CHECKSRC = $(C)
endif
ifndef KBUILD_CHECKSRC
  KBUILD_CHECKSRC = 0
endif

@Fimo you say we already knew it was kernel 3.xx but considering kernel wasn't in this makes it more suspicious.
I know where the kernel is and not webkit found it else where

VERSION = 3
PATCHLEVEL = xx
SUBLEVEL = 0
EXTRAVERSION =
NAME =

# *DOCUMENTATION*
# To see a list of typical targets execute "make help"
# More info can be located in ./README
# Comments in this file are targeted only to the developer, do not
# expect to learn how to build the kernel reading this file.

# Do not:
# o  use make's built-in rules and variables
#  (this increases performance and avoids hard-to-debug behaviour);
# o  print "Entering directory ...";
MAKEFLAGS += -rR --no-print-directory

# Avoid funny character set dependencies
unexport LC_ALL
LC_COLLATE=C
LC_NUMERIC=C
export LC_COLLATE LC_NUMERIC

# We are using a recursive build, so we need to do a little thinking
# to get the ordering right.
#
# Most importantly: sub-Makefiles should only ever modify files in
# their own directory. If in some directory we have a dependency on
# a file in another dir (which doesn't happen often, but it's often
# unavoidable when linking the built-in.o targets which finally
# turn into vmlinux), we will call a sub make in that other dir, and
# after that we are sure that everything which is in that other dir
# is now up to date.
#
# The only cases where we need to modify files which have global
# effects are thus separated out and done before the recursive
# descending is started. They are now explicitly listed as the
# prepare rule.

# To put more focus on warnings, be less verbose as default
# Use 'make V=1' to see the full commands

ifeq ("$(origin V)", "command line")
  KBUILD_VERBOSE = $(V)
endif
ifndef KBUILD_VERBOSE
  KBUILD_VERBOSE = 0
endif

# Call a source code checker (by default, "sparse") as part of the
# C compilation.
#
# Use 'make C=1' to enable checking of only re-compiled files.
# Use 'make C=2' to enable checking of *all* source files, regardless
# of whether they are re-compiled or not.
#
# See the file "Documentation/sparse.txt" for more details, including
# where to get the "sparse" utility.

ifeq ("$(origin C)", "command line")
  KBUILD_CHECKSRC = $(C)
endif
ifndef KBUILD_CHECKSRC
  KBUILD_CHECKSRC = 0
endif

2 layers of linux one is the true one n one is the one used on gameOS which is what cturt is using very limited access n can't be broken out of.

And for those on 3.5

VERSION = 3
PATCHLEVEL = 5
SUBLEVEL =?
EXTRAVERSION =
NAME =?

 

[Chaos Kid]

and those who are interested heres a nice little clip of the gpu radeon

#include "drmP.h"
#include "radeon.h"
#include "trinityd.h"
#include "r600_dpm.h"
#include "trinity_dpm.h"
#include <linux/seq_file.h>

 

[B7U3 C50SS]

Who posted the second tweet?? the account is suspended! hmm can't even see the tweet. well that sucks.

 

[Chaos Kid]

Who posted the second tweet?? the account is suspended! hmm can't even see the tweet. well that sucks.

Don't think it's me or that I'm aware of