PS4 Jailbreaking · Thread starter: PSXHAX · Start date: Mar 30, 2018 at 12:13 AM · 70
Earlier this month we saw the PS4 4.55 WebKit Exploit Write-up by PlayStation 4 developer @SpecterDev, and now he announced on Twitter that he's added the PS4 4.55 / FreeBSD BPF kernel exploit writeup to his GitHub repository crediting qwertyoruiop and stating: "The bug is present on any system running FreeBSD such that you have privileges (which we did on PS4). Could be used on other systems for root to ring0 code execution."

Below is an excerpt from it, with the full documentation available on the Github Repo for those interested in learning more about it! :geek:

To quote:

Conclusion

This was a pretty cool bug to exploit and write-up. While the bug is not incredibly helpful on most other systems as it cannot be exploited from an unprivileged user, it is still valid as a method of going from root to ring0 code execution.

I thought this would be a cool bug to write-up (plus I love writing them anyway) as the attack strategy is fairly unique (using a race condition to trigger an out-of-bounds write on the stack). It's also a fairly trivial exploit to implement, and the strategy of overwriting the return pointer on the stack is an easy method for learning security researchers to understand.

It also highlights how while an attack strategy may be old, perhaps this one being the oldest there is - they can still be applied in modern exploitation with slight variations.

Thanks to Edark knight for the heads-up on this earlier today in the forums. (y)
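The mechanism the writeup's conclusion describes, a race between a validation check and the later use of the same attacker-controlled value, which turns a length that passed the check into an out-of-bounds write, can be shown in a few lines of C. The following is an added example, not code from SpecterDev's writeup or the PS4 exploit: the request record, LIMIT, the race hook and all function names are constructed for illustration. It runs the check-then-use pattern beside the snapshot-then-check fix, with a zeroed guard region standing in for whatever sits beyond the real buffer, so the overflow is observed rather than corrupting real state.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example: a shared record that another thread can modify while
 * privileged code is validating and then copying it (a double fetch). */
struct request {
    size_t len;                 /* claimed payload length, read twice by copy_vuln */
    unsigned char payload[64];
};

#define LIMIT 16                /* real capacity of the destination buffer */

/* Destination with a guard region after the buffer: an out-of-bounds write
 * lands in guard[] instead of in undefined memory, so it can be detected. */
struct dest {
    unsigned char buf[LIMIT];
    unsigned char guard[64 - LIMIT];
};

/* Stand-in for a second thread that runs between the check and the use. */
typedef void (*race_hook)(struct request *);

/* Hypothetical racing thread: grows len after the check has passed. */
static void grow_len(struct request *r) {
    r->len = sizeof r->payload;
}

/* Vulnerable pattern: validate the shared record, then re-read it for the copy. */
int copy_vuln(struct request *shared, struct dest *d, race_hook race) {
    if (shared->len > LIMIT)    /* first fetch: passes with the small value */
        return -1;
    if (race) race(shared);     /* window in which the other thread changes len */
    /* second fetch: shared->len is no longer the value that was checked */
    memcpy((unsigned char *)d, shared->payload, shared->len);
    return 0;
}

/* Hardened pattern: take one private snapshot, validate it, use only the snapshot. */
int copy_fixed(struct request *shared, struct dest *d, race_hook race) {
    struct request local = *shared;   /* single fetch */
    if (local.len > LIMIT)
        return -1;
    if (race) race(shared);           /* same window, but shared is never read again */
    memcpy(d->buf, local.payload, local.len);
    return 0;
}

/* Returns 1 if any guard byte was written, 0 if the guard is intact. */
int guard_clobbered(const struct dest *d) {
    for (size_t i = 0; i < sizeof d->guard; i++)
        if (d->guard[i] != 0)
            return 1;
    return 0;
}

/* Runs one scenario. Returns -1 if the copy was rejected, 0 if it completed
 * with the guard intact, 1 if the guard region was overwritten. */
int run_scenario(int hardened, int with_race) {
    struct request req;
    struct dest d;
    memset(&d, 0, sizeof d);
    req.len = 8;                                  /* passes the LIMIT check */
    memset(req.payload, 0xAA, sizeof req.payload);
    race_hook race = with_race ? grow_len : NULL;
    int rc = hardened ? copy_fixed(&req, &d, race) : copy_vuln(&req, &d, race);
    if (rc != 0)
        return -1;
    return guard_clobbered(&d);
}

int main(void) {
    printf("check-then-use, raced:      guard hit = %d\n", run_scenario(0, 1));
    printf("snapshot-then-check, raced: guard hit = %d\n", run_scenario(1, 1));
    printf("check-then-use, no race:    guard hit = %d\n", run_scenario(0, 0));
    return 0;
}
```

The point of the fix is that the value that is checked and the value that is used are the same bytes: copying the record into private memory first removes the window entirely, which is the usual remedy for double-fetch bugs in code that reads from memory another context can write.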
Comments

Yes if you are new ps user, then this is for you, every game is a new game. If you have ps for some time, then you already have (or played) most of "must have" titles, but still it's great for some games.

One day with higher fw exploit, it will be for all of us ;)
 
My small mind has been thinking.... could it be possible to dump NOR on 4.05 through debug exploit/patch the dump, then maybe tweak the new PS3 software flasher for NOR/NAND to work with PS4.... to get a permanent exploit for a CFW to be installed? Just a thought, in theory??
 
No because we don't have Sony's private keys. This is not even possible on the newer PS3s which have been patched and cannot be dumped and flashed with CFW.

This is only possible on age old vulnerable PS3s, those that were released before June 2011.

If you are not a dev, don't think too much because if what you're thinking is possible, devs would have implemented already...
 
I still have my CFW PS3; I bought it from Vietnam, it was the last CECH that could be downgraded. Good fun using the E3 as well. I bought a ProgSkeet for my release but never got round to it, dual NAND bla bla bla lol.

It was only a thought as I'm off work and have been having fun injecting payloads, loading up Fedora, dumping my games to the hard drive, even set up my Pi to be the exploit host. The last time I checked it was 1.76 or the Brazilian hack, to be honest. I thought with the FreeBSD kernel exploited and the console running Fedora... but then I read Sony were changing the open software quite dramatically with every update.

We are basically using Windows as Kali to exploit a vulnerability through the web browser to bypass the kernel temporarily to open up the dev menu/debug settings, allowing us to run unsigned code. I'll keep my 2 pence in my pocket next time; I was meaning to read the article for the exploit, maybe later this evening.......
