Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Jun 3, 2019 at 8:47 AM | 94,278 | 86
Status
Not open for further replies.
A while back, popular PS Vita scene developer TheFloW hinted in his H-ENcore write-up that he would be looking at the PS4 kernel, and today he shared on Twitter some details of a PS4 kernel bug he discovered, stating that it was fixed somewhere between 5.05 and 6.20 OFW... with the PS4 Kernel Exploit 5.05 / 5.07 still being the last public jailbreak currently available.


PS4 kernel bug: sys_randomized_path could leak arbitrary amount of kernel stack:
Code:
char k_path[0x100];                        /* path buffer on the kernel stack */
int64_t max_len = fuword64(max_len_ptr);   /* user-supplied, signed, no check for <= 0 */
if (path_len <= max_len) {
    copyout(k_path, out_path, path_len);
} else {
    copyout(k_path, out_path, max_len - 1); /* for max_len <= 0 this length wraps to a huge value */
}
Unfortunately fixed somewhere between 5.05 and 6.20.

Update: TheFloW said his bug is not exploitable:

Nvm, this bug is not exploitable, as copyout will simply abort if dst+len wraps around or is higher than 0x8000000000000000. However, Sony did actually fix it by adding a max_len > 0 check, so I thought it could be abused.
From Pastebin.com:
Code:
// <6.00 bug (not exploitable) found by TheFloW, JS adaptation by CelesteBlue only useful for when we find an actual vulnerable syscall
var try_sys_randomized_path_leak = function() {
    var mem = p.malloc(0x1000000); // allocate output buffer
    alert(p.hexdump(mem, 0x500)); // display zeroed buffer

    var len_pointer = p.malloc(0x08); // allocate the max_len qword
    p.write8(len_pointer, new int64(0, 2147483648)); // write length: 0x8000000000000000 (negative as int64)
    alert(p.hexdump(len_pointer, 8)); // display length

    alert(p.syscall("sys_randomized_path", 0, mem, len_pointer)); // trigger bug
    alert(p.hexdump(mem, 0x500)); // display buffer, should have been modified if success
};
[Image: PS4 Kernel Bug Details by TheFloW, Fixed Between 5.05-6.20 OFW]
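As an added illustration (written for this page, not code from TheFloW, CelesteBlue or Sony), the C model below reproduces the two points above: with a user-supplied max_len of zero or negative, the handler falls into the else branch and hands copyout a length of max_len - 1 that has wrapped to a huge value, but a FreeBSD-style copyout() refuses any copy whose dst+len wraps or ends above 0x8000000000000000, and the max_len > 0 check Sony added rejects the request before copyout is even reached. The kernel/user split, errno values, stack-frame layout and sample path are assumptions; the "user buffer" is a constructed host array at a fake user address.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the sys_randomized_path bug and of the copyout() bound that
 * defeats it. Everything here is an added illustration: the kernel/user
 * split, errno values, frame layout and sample path are assumptions. */

#define USER_LIMIT 0x8000000000000000ULL   /* assumed top of user space */
#define EFAULT 14
#define EINVAL 22

/* A simulated user mapping: a fake user virtual address range backed by
 * host memory, so the model can "copyout" into it. */
typedef struct {
    uint64_t base;
    uint8_t *mem;
    size_t size;
} user_map_t;

/* Modeled copyout(): refuses any copy whose dst+len wraps around or ends
 * above USER_LIMIT, which is the check TheFloW refers to. */
static int model_copyout(const void *kaddr, uint64_t udst, uint64_t len,
                         user_map_t *map)
{
    if (udst + len < udst || udst + len > USER_LIMIT)
        return EFAULT;                 /* wrap-around or kernel address */
    if (udst < map->base || udst + len > map->base + map->size)
        return EFAULT;                 /* would fault on an unmapped page */
    memcpy(map->mem + (udst - map->base), kaddr, (size_t)len);
    return 0;
}

/* Modeled handler. path_len and max_len are both signed, so a negative
 * max_len fails `path_len <= max_len` and reaches the else branch, where
 * max_len - 1 becomes a huge unsigned length. `fixed` adds the
 * max_len > 0 check Sony introduced. Returns an errno and reports the
 * length that was handed to copyout (0 if copyout was never reached). */
static int model_sys_randomized_path(int64_t max_len, uint64_t out_path,
                                     user_map_t *map, bool fixed,
                                     uint64_t *len_out)
{
    struct {
        char k_path[0x100];
        uint64_t locals[4];            /* what an over-copy would have leaked */
    } frame;
    static const char path[] = "/hostapp/ABCDEFGH";   /* constructed sample */
    int64_t path_len = (int64_t)sizeof path;          /* 18, incl. NUL */

    memset(frame.k_path, 0, sizeof frame.k_path);
    memcpy(frame.k_path, path, (size_t)path_len);
    for (int i = 0; i < 4; i++)
        frame.locals[i] = 0xffffffff82000000ULL + (uint64_t)i;  /* fake kernel pointers */

    *len_out = 0;
    if (fixed && max_len <= 0)
        return EINVAL;                 /* the later firmware's fix */

    uint64_t len;
    if (path_len <= max_len)
        len = (uint64_t)path_len;
    else
        len = (uint64_t)max_len - 1;   /* 0 -> 0xffff..., INT64_MIN -> 0x7fff... */
    *len_out = len;
    return model_copyout(frame.k_path, out_path, len, map);
}

/* One attempt against a zeroed user buffer mapped at a fake user address. */
static int attempt(int64_t max_len, bool fixed, uint8_t *ubuf, size_t ubuf_size,
                   uint64_t *len_out)
{
    user_map_t map = { .base = 0x200000000ULL, .mem = ubuf, .size = ubuf_size };
    memset(ubuf, 0, ubuf_size);
    return model_sys_randomized_path(max_len, map.base, &map, fixed, len_out);
}

int main(void)
{
    uint8_t ubuf[0x1000];
    const int64_t probes[] = { 0x100, 0x10, 0, -1, INT64_MIN };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint64_t len, len_fixed;
        int rc = attempt(probes[i], false, ubuf, sizeof ubuf, &len);
        int rc_fixed = attempt(probes[i], true, ubuf, sizeof ubuf, &len_fixed);
        printf("max_len=%#llx copyout_len=%#llx rc=%d rc_with_fix=%d\n",
               (unsigned long long)probes[i], (unsigned long long)len, rc, rc_fixed);
    }
    return 0;
}
```

Running it walks the probes 0x100, 0x10, 0, -1 and INT64_MIN: the two positive values complete (the second one truncated to max_len - 1 = 0xf bytes, which is the intended behaviour), while the three non-positive values each produce a copyout length that either wraps past the destination or lands above the assumed user limit and are rejected with EFAULT before a byte leaves the kernel stack. That rejection is the reason behind the "not exploitable" update; the fixed variant returns EINVAL for the same inputs without touching copyout at all.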
 

Comments


PSXHAX (Staff Member, Moderator, Verified)
It was patched somewhere between 5.05 and 6.20, so devs can examine those PS4 Firmware versions for the bug and hopefully find it still present in firmware newer than 5.07.
 

SirSilvan83 (Senior Member, Contributor)
In general good news, as long as this is a different string than the one used for the already existing 5.05 kexploit, which was also fixed with 5.50 (between 5.05 and 6.20 ;))
 