Category PS4 Jailbreaking       Thread starter PSXHAX       Start date Jan 14, 2016 at 12:36 PM       11,388       25            
Despite Sony releasing PS4 Firmware 3.15 last night, dragood2 recently uncovered a PS4 3.11 Out of Bound Read (Freetype 64bit Exploit) that reportedly isn't patched in System Software Update 3.15.

Download: 38662.zip (Proof of Concept) / Source Code

Below are the details, although the usefulness of this has yet to be determined by PS4 developers, to quote:

The following heap-based out-of-bounds memory read has been encountered in FreeType. It has been reproduced with the current version of freetype2 from master git branch, with a 64-bit build of the ftbench utility compiled with AddressSanitizer:
Code:
$ ftbench <file>
Attached are three POC files which trigger the conditions.
Code:
---
$ freetype2-demos/bin/ftbench asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b

ftbench results for font `asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b'
-------------------------------------------------------------------------------------

family: (null)
style: (null)

number of seconds for each test: 2.000000

starting glyph index: 0
face size: 10ppem
font preloading into memory: no

load flags: 0x0
render mode: 0

CFF engine set to Adobe
TrueType engine set to version 35
maximum cache size: 1024KiByte

executing tests:
Load =================================================================
==22366==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eb55 at pc 0x00000069e2fc bp 0x7fffc4670610 sp 0x7fffc4670608
READ of size 1 at 0x60200000eb55 thread T0
#0 0x69e2fb in tt_sbit_decoder_load_bit_aligned freetype2/src/sfnt/ttsbit.c:834:19
#1 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
#2 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#3 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
#4 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
#5 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#6 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
#7 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
#8 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
#9 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
#10 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
#11 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
#12 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
#13 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9

0x60200000eb55 is located 0 bytes to the right of 5-byte region [0x60200000eb50,0x60200000eb55)
allocated by thread T0 here:
#0 0x4bc4a8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x756740 in ft_alloc freetype2/src/base/ftsystem.c:74:12
#2 0x51b4e7 in ft_mem_qalloc freetype2/src/base/ftutil.c:76:15
#3 0x51abb1 in FT_Stream_EnterFrame freetype2/src/base/ftstream.c:269:12
#4 0x51a800 in FT_Stream_ExtractFrame freetype2/src/base/ftstream.c:200:13
#5 0x69ccab in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1036:10
#6 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#7 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
#8 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
#9 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#10 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
#11 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
#12 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
#13 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
#14 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
#15 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
#16 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
#17 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9

SUMMARY: AddressSanitizer: heap-buffer-overflow freetype2/src/sfnt/ttsbit.c:834:19 in tt_sbit_decoder_load_bit_aligned
Shadow bytes around the buggy address:
0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa[05]fa fa fa fd fa
0x0c047fff9d70: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9d80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9d90: fa fa fd fa fa fa 04 fa fa fa 00 fa fa fa fd fa
0x0c047fff9da0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9db0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==22366==ABORTING
---
The issue was reported in https://savannah.nongnu.org/bugs/?46379.
PS4_3.11_Exploit.jpg
 

Comments

PSXHAX

Staff Member
Moderator
Contributor
Verified
Hmm, seems OK here although my browser settings may not be as strict as yours... the site being raw.githubusercontent.com which is spawned off github.com

If anyone else is having issues, here are some mirrors to the exploit file. :cool:
 

luix

Member
Contributor
thx for the info. nice to know that it seems to be safe to update to FW V3.15. either way, i updated before i read the news about the 3.11 exploit. :)
 

B7U3 C50SS

~ Team_Zer0 ~
Senior Member
Contributor
thx for the info. nice to know that it seems to be safe to update to FW V3.15. either way, i updated before i read the news about the 3.11 exploit. :)
Yeah i kinda did the same thing.. i wanted to digitally buy uncharted 4 last night.. (i mean pre-order) which i did do..and looks like it's a damn good thing it's still safe to be on 3.15. phew.

EDIT: i also wonder what this exploit is / is about and how it's used. :)
 

Chaos Kid

Developer
Senior Member
Contributor
How to run Linux in your PS4's Browser

I havnt had the time to test this out yet but will as soon as i can but it does seem legit and according to where its directed from i trieed it on a pc and booted.

If the above information is correct with it being built into browser like this you shod be able to actualy instal by mounting over the network and boot installing and may be possible to even boot from the drive itself but am unclear on this one for now.
 
Recent Articles
Nintendo (NES) PS2 on PS4 Emulator FCEUX Port PKG by Irfanansarionl9
Proceeding the PS4NES Emulator, PS4 v5.05 Port, PS4NES v1.01 Update and RetroArch QuickNES Port comes a Nintendo Entertainment System (NES) PS2 on PS4 Emulator FCEUX Port PKG from irfanansarionl9...
Blood & Truth Hits PS VR Next Week Among New PS4 Releases
Next week three heavy hitters land on PlayStation VR amongst the new PS4 game releases, namely The London Heist follow-up Blood & Truth, Five Nights at Freddy's VR: Help Wanted and also Trover...
Crash Team Racing: Nitro-Fueled Adventure Mode PS4 Gameplay, Details
Last month we saw a demo of rival Team Sonic Racing, and today Beenox Co-Studio Head Thomas Wilson shared a look at the CTR Adventure Mode in their upcoming kart racer Crash Team Racing...
Shoot Test PS4 Homebrew PKG by Lapy05575948
Following his Overcome: Save the Girl Edition PS4 PKG, today PlayStation 4 developer @Lapy is back with a Shoot Test PS4 PKG on Twitter stating the following: This is not the game that I have...
Top