Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Jan 14, 2016 at 12:36 PM
Despite Sony releasing PS4 Firmware 3.15 last night, dragood2 recently uncovered a PS4 3.11 Out of Bound Read (Freetype 64bit Exploit) that reportedly isn't patched in System Software Update 3.15.

Download: 38662.zip (Proof of Concept) / Source Code

Below are the details, although the usefulness of this has yet to be determined by PS4 developers, to quote:

The following heap-based out-of-bounds memory read has been encountered in FreeType. It has been reproduced with the current version of freetype2 from master git branch, with a 64-bit build of the ftbench utility compiled with AddressSanitizer:
Code:
$ ftbench <file>
Attached are three POC files which trigger the conditions.
Code:
---
$ freetype2-demos/bin/ftbench asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b

ftbench results for font `asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b'
-------------------------------------------------------------------------------------

family: (null)
style: (null)

number of seconds for each test: 2.000000

starting glyph index: 0
face size: 10ppem
font preloading into memory: no

load flags: 0x0
render mode: 0

CFF engine set to Adobe
TrueType engine set to version 35
maximum cache size: 1024KiByte

executing tests:
Load =================================================================
==22366==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eb55 at pc 0x00000069e2fc bp 0x7fffc4670610 sp 0x7fffc4670608
READ of size 1 at 0x60200000eb55 thread T0
#0 0x69e2fb in tt_sbit_decoder_load_bit_aligned freetype2/src/sfnt/ttsbit.c:834:19
#1 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
#2 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#3 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
#4 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
#5 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#6 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
#7 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
#8 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
#9 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
#10 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
#11 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
#12 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
#13 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9

0x60200000eb55 is located 0 bytes to the right of 5-byte region [0x60200000eb50,0x60200000eb55)
allocated by thread T0 here:
#0 0x4bc4a8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x756740 in ft_alloc freetype2/src/base/ftsystem.c:74:12
#2 0x51b4e7 in ft_mem_qalloc freetype2/src/base/ftutil.c:76:15
#3 0x51abb1 in FT_Stream_EnterFrame freetype2/src/base/ftstream.c:269:12
#4 0x51a800 in FT_Stream_ExtractFrame freetype2/src/base/ftstream.c:200:13
#5 0x69ccab in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1036:10
#6 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#7 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
#8 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
#9 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#10 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
#11 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
#12 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
#13 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
#14 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
#15 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
#16 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
#17 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9

SUMMARY: AddressSanitizer: heap-buffer-overflow freetype2/src/sfnt/ttsbit.c:834:19 in tt_sbit_decoder_load_bit_aligned
Shadow bytes around the buggy address:
0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa[05]fa fa fa fd fa
0x0c047fff9d70: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9d80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9d90: fa fa fd fa fa fa 04 fa fa fa 00 fa fa fa fd fa
0x0c047fff9da0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9db0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==22366==ABORTING
---
The issue was reported in https://savannah.nongnu.org/bugs/?46379.
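The report above ends in tt_sbit_decoder_load_bit_aligned with a 1-byte read at offset 5 of a 5-byte heap region, i.e. a bit-aligned bitmap decoder consuming more bytes than the extracted frame holds. The following is an added example, not code from the post, the bug report or FreeType: a constructed C model of a bit-aligned embedded-bitmap decoder showing the size check that has to happen before the bits are read. The function names, the 5-byte sample frame, and the glyph geometries (an honest 5x8 1-bpp record that fits exactly, a hostile 8x8 record that would read one byte past the end, and a record whose width*height*depth overflows) are assumptions chosen to mirror the report; the code does not reproduce ttsbit.c.

```c
/* Constructed model of a bit-aligned embedded-bitmap (sbit) decoder, added for
 * this page. It is not FreeType's code and does not reproduce ttsbit.c; the
 * function names, the 5-byte frame and the glyph geometries are assumptions
 * chosen to mirror the ASan report above (a 1-byte read at offset 5 of a
 * 5-byte heap region while decoding a bit-aligned bitmap). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 5-byte frame standing in for the bitmap bytes a decoder pulls
 * out of the font stream (the 5-byte region in the report). */
const uint8_t sbit_frame[5] = { 0xA5, 0x3C, 0x0F, 0xF0, 0x81 };
#define SBIT_FRAME_LEN ((size_t)sizeof sbit_frame)

/* Bytes a bit-aligned bitmap occupies. Rows are packed back to back with no
 * per-row padding, so the total is ceil(width*height*bit_depth / 8).
 * Returns -1 for an unsupported depth or arithmetic overflow. */
int64_t sbit_bit_aligned_bytes(uint32_t width, uint32_t height, uint32_t bit_depth)
{
    if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && bit_depth != 8)
        return -1;
    uint64_t pixels = (uint64_t)width * height;        /* fits: < 2^64 */
    if (pixels > (uint64_t)INT64_MAX / bit_depth)       /* bits would overflow */
        return -1;
    uint64_t bits = pixels * bit_depth;
    return (int64_t)((bits + 7) / 8);
}

/* Same for a byte-aligned bitmap, where every row starts on a byte boundary:
 * ceil(width*bit_depth/8) * height. Applying the wrong formula for the image
 * format being decoded is itself a bounds bug, so the decoder must use the
 * one that matches the data it is handling. */
int64_t sbit_byte_aligned_bytes(uint32_t width, uint32_t height, uint32_t bit_depth)
{
    if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && bit_depth != 8)
        return -1;
    uint64_t row = ((uint64_t)width * bit_depth + 7) / 8;  /* fits: < 2^36 */
    if (height != 0 && row > (uint64_t)INT64_MAX / height)
        return -1;
    return (int64_t)(row * height);
}

/* Hardened decoder: refuses to touch `frame` unless it holds every byte the
 * declared geometry requires, which is the class of check whose absence
 * yields a one-past-the-end read like the one in the report. Unpacks one
 * pixel per output byte, MSB-first within each frame byte.
 * Returns 0 on success, -1 if the glyph record's geometry does not fit. */
int decode_bit_aligned(const uint8_t *frame, size_t frame_len,
                       uint32_t width, uint32_t height, uint32_t bit_depth,
                       uint8_t *out, size_t out_len)
{
    int64_t need = sbit_bit_aligned_bytes(width, height, bit_depth);
    if (need < 0 || (uint64_t)need > frame_len)
        return -1;                                  /* record lies about its size */
    if ((uint64_t)width * height > out_len)
        return -1;                                  /* caller's buffer too small */

    uint64_t bitpos = 0;
    for (uint32_t y = 0; y < height; y++) {
        for (uint32_t x = 0; x < width; x++) {
            uint8_t v = 0;
            for (uint32_t b = 0; b < bit_depth; b++, bitpos++) {
                uint8_t bit = (frame[bitpos >> 3] >> (7 - (bitpos & 7))) & 1;
                v = (uint8_t)((v << 1) | bit);
            }
            out[(size_t)y * width + x] = v;
        }
    }
    return 0;
}

int main(void)
{
    uint8_t px[64];

    /* Honest record: 5x8 at 1 bpp needs exactly 40 bits = 5 bytes. */
    int ok = decode_bit_aligned(sbit_frame, SBIT_FRAME_LEN, 5, 8, 1, px, sizeof px);
    printf("5x8 @1bpp: %s (first row %d%d%d%d%d)\n", ok == 0 ? "decoded" : "rejected",
           px[0], px[1], px[2], px[3], px[4]);

    /* Hostile record: 8x8 at 1 bpp claims 64 bits = 8 bytes from a 5-byte
     * frame; an unchecked decoder would read frame[5], 0 bytes past the end
     * of the allocation, which is what the ASan report shows. */
    int bad = decode_bit_aligned(sbit_frame, SBIT_FRAME_LEN, 8, 8, 1, px, sizeof px);
    printf("8x8 @1bpp: %s (needs %lld bytes, frame has %zu)\n",
           bad == 0 ? "decoded" : "rejected",
           (long long)sbit_bit_aligned_bytes(8, 8, 1), SBIT_FRAME_LEN);

    /* Overflowing record: width*height*depth would wrap a narrow product. */
    printf("0xFFFFFFFF x 0xFFFFFFFF @8bpp -> %lld\n",
           (long long)sbit_bit_aligned_bytes(0xFFFFFFFFu, 0xFFFFFFFFu, 8));
    return 0;
}
```

Build it with `-fsanitize=address` as the report's ftbench was and feed it the hostile record with the size check commented out to see the same heap-buffer-overflow READ of size 1 appear; with the check in place the record is rejected before any byte of the frame is touched.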
[Attached image: PS4_3.11_Exploit.jpg]

Comments

PSXHAX

Staff Member
Moderator
Contributor
Verified
Hmm, seems OK here, although my browser settings may not be as strict as yours... the site being raw.githubusercontent.com, which is spawned off github.com.

If anyone else is having issues, here are some mirrors to the exploit file. :cool:
 

luix

Member
Contributor
Verified
Thanks for the info. Nice to know that it seems to be safe to update to FW V3.15. Either way, I updated before I read the news about the 3.11 exploit. :)
 

B7U3 C50SS

~ Team_Zer0 ~
Senior Member
Contributor
Thanks for the info. Nice to know that it seems to be safe to update to FW V3.15. Either way, I updated before I read the news about the 3.11 exploit. :)
Yeah, I kinda did the same thing. I wanted to digitally buy Uncharted 4 last night (I mean pre-order), which I did do, and it looks like it's a damn good thing it's still safe to be on 3.15. Phew.

EDIT: I also wonder what this exploit is about and how it's used. :)
 

Chaos Kid

Developer
Senior Member
Contributor
How to run Linux in your PS4's Browser

I haven't had the time to test this out yet but will as soon as I can, but it does seem legit, and according to where it's directed from, I tried it on a PC and it booted.

If the above information is correct, with it being built into the browser like this, you should be able to actually install by mounting over the network and boot installing, and it may even be possible to boot from the drive itself, but I am unclear on this one for now.
 