Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Jun 3, 2019 at 8:47 AM | Status: not open for further replies
A while back popular PS Vita scene developer TheFloW hinted in his H-ENcore write-up that he would be looking at the PS4 kernel, and today he shared on Twitter some details of a PS4 kernel bug he discovered, stating it is fixed somewhere between 5.05 and 6.20 OFW... with the PS4 Kernel Exploit for 5.05 / 5.07 still being the last public jailbreak currently available.


PS4 kernel bug: sys_randomized_path could leak an arbitrary amount of kernel stack:
Code:
char k_path[0x100];                        // lives on the kernel stack
int64_t max_len = fuword64(max_len_ptr);   // user-controlled, signed, unchecked
if (path_len <= max_len) {
    copyout(k_path, out_path, path_len);   // normal case: copy the path only
} else {
    copyout(k_path, out_path, max_len - 1); // max_len == 0 wraps to SIZE_MAX
}
Unfortunately fixed somewhere between 5.05 and 6.20.

Update: TheFloW said his bug is not exploitable:

Nvm this bug is not exploitable, as copyout will simply abort if dst+len wraps around or is higher than 0x8000000000000000. However, Sony did actually fix it by adding a max_len > 0 check, so I thought it could be abused.
From Pastebin.com:
Code:
// <6.00 bug (not exploitable) found by TheFloW, JS adaptation by CelesteBlue, only useful once we find an actually vulnerable syscall
var try_sys_randomized_path_leak = function() {
    var mem = p.malloc(0x1000000);                     // allocate output buffer
    alert(p.hexdump(mem, 0x500));                      // display zeroed buffer

    var len_pointer = p.malloc(0x08);                  // allocate max_len
    p.write8(len_pointer, new int64(0, 2147483648));  // write max_len: 0x8000000000000000 (negative as int64)
    alert(p.hexdump(len_pointer, 8));                  // display max_len

    alert(p.syscall("sys_randomized_path", 0, mem, len_pointer)); // trigger bug
    alert(p.hexdump(mem, 0x500));                      // display buffer, should have been modified if success
};
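To make the two halves of the story concrete, here is an added user-space model (not TheFloW's, CelesteBlue's or Sony's code) of the length handling quoted in the tweet, next to the max_len > 0 fix TheFloW describes and a stand-in for copyout's destination range check. The types of path_len and max_len are not shown in the tweet, so treating both as int64_t is an assumption; so are the inclusive 0x8000000000000000 bound, the helper names (model_copyout, requested_len) and the constructed buffer address and path length. The model only checks the address range, not whether pages are mapped.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Bound TheFloW quotes for the PS4 copyout: dst+len must not wrap and must
   not go above 0x8000000000000000 (assumed inclusive here). */
#define PS4_USER_LIMIT 0x8000000000000000ULL
#define KPATH_SIZE     0x100   /* sizeof(k_path) in the quoted snippet */

typedef struct {
    int    rc;      /* 0: copyout ran, -1: copyout aborted (EFAULT) */
    size_t copied;  /* bytes that would have left the kernel stack */
} call_result;

/* Model of copyout's range check only; page mappings are not modelled. */
static int model_copyout(uint64_t dst, size_t len, size_t *copied)
{
    uint64_t end = dst + len;
    if (end < dst || end > PS4_USER_LIMIT)
        return -1;
    *copied = len;
    return 0;
}

/* Length the <6.00 code hands to copyout. Casting before the subtraction
   mirrors the two's-complement wrap the kernel build produces without
   invoking signed-overflow UB in this model. */
static size_t requested_len(int64_t path_len, int64_t max_len)
{
    if (path_len <= max_len)
        return (size_t)path_len;
    return (size_t)max_len - 1;   /* max_len == 0 -> SIZE_MAX */
}

/* <6.00 behaviour as quoted: no sign check on max_len. */
static call_result sys_randomized_path_vuln(int64_t path_len, int64_t max_len, uint64_t out_path)
{
    call_result r = { 0, 0 };
    r.rc = model_copyout(out_path, requested_len(path_len, max_len), &r.copied);
    return r;
}

/* Sony's fix as TheFloW describes it: reject max_len <= 0 before any copy. */
static call_result sys_randomized_path_fixed(int64_t path_len, int64_t max_len, uint64_t out_path)
{
    if (max_len <= 0) {
        call_result r = { -1, 0 };   /* would be EINVAL in the real syscall */
        return r;
    }
    return sys_randomized_path_vuln(path_len, max_len, out_path);
}

int main(void)
{
    const uint64_t out = 0x200000000ULL;   /* constructed user-space buffer address */
    const int64_t path_len = 0x40;         /* constructed: a 64-byte randomized path */
    int64_t probes[] = { 0x80, 0x10, 0, -1, INT64_MIN };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t want = requested_len(path_len, probes[i]);
        call_result v = sys_randomized_path_vuln(path_len, probes[i], out);
        call_result f = sys_randomized_path_fixed(path_len, probes[i], out);
        printf("max_len=%#llx  copyout len=%#zx (%s k_path)  <6.00: %s  fixed: %s\n",
               (unsigned long long)probes[i], want,
               want > KPATH_SIZE ? "exceeds" : "within",
               v.rc == 0 ? "copied" : "aborted",
               f.rc == 0 ? "copied" : "rejected");
    }
    return 0;
}
```

Running it shows why the bug is real but dead on arrival: every max_len <= 0 (including the 0x8000000000000000 value the JS adaptation writes, which is INT64_MIN as a signed quantity) turns the else branch into a copyout of at least 0x7fffffffffffffff bytes, far past the 0x100-byte k_path, but for any plausible user buffer address dst+len then wraps or crosses the limit and the copy is refused before a byte leaves the kernel. Sony's max_len > 0 check closes the path anyway.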
[Image: PS4 Kernel Bug Details by TheFloW, Fixed Between 5.05-6.20 OFW]
 
