Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Jun 3, 2019 at 8:47 AM
Status
Not open for further replies.
A while back, popular PS Vita scene developer TheFloW hinted that he'd be looking at the PS4 kernel in his H-ENcore write-up, and today he shared on Twitter some details on a PS4 kernel bug he discovered, stating it is fixed somewhere between 5.05 and 6.20 OFW... with the PS4 Kernel Exploit 5.05 / 5.07 being the last public jailbreak currently available. :unsure:


PS4 kernel bug: sys_randomized_path could leak arbitrary amount of kernel stack:
Code:
char k_path[0x100];
int64_t max_len = fuword64(max_len_ptr);     // user-supplied, signed, never checked for <= 0
if (path_len <= max_len) {
    copyout(k_path, out_path, path_len);
} else {
    copyout(k_path, out_path, max_len - 1);  // with max_len == 0 this becomes a huge length
}
Unfortunately fixed somewhere between 5.05 and 6.20.

:arrow: Update: TheFloW said his bug is not exploitable:

Nvm this bug is not exploitable, as copyout will simply abort if dst+len wraps around or is higher than 0x8000000000000000. However, Sony did actually fix it by adding a max_len > 0 check, so I thought it could be abused.
From Pastebin.com:
Code:
// <6.00 bug (not exploitable) found by TheFloW, JS adaptation by CelesteBlue only useful for when we find an actual vulnerable syscall
var try_sys_randomized_path_leak = function() {
    var mem = p.malloc(0x1000000);   // allocate output buffer
    alert(p.hexdump(mem, 0x500));    // display zeroed buffer

    var len_pointer = p.malloc(0x08);                        // allocate the max_len slot
    p.write8(len_pointer, new int64(0, 2147483648));         // write length: 0x8000000000000000
    alert(p.hexdump(len_pointer, 8));                        // display length

    alert(p.syscall("sys_randomized_path", 0, mem, len_pointer)); // trigger bug
    alert(p.hexdump(mem, 0x500));    // display buffer, should have been modified if success
};
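To make the length arithmetic in TheFloW's snippet concrete, here is an added user-space model of the two checks involved: the signed max_len handling before the fix, the max_len > 0 check the post says Sony added, and the copyout guard TheFloW describes (abort when dst+len wraps or ends above 0x8000000000000000). This is constructed illustration code, not PS4 kernel code and not from TheFloW or CelesteBlue; the type of path_len (size_t), the sample user address, and the function names sim_buggy, sim_fixed and model_copyout_guard are assumptions. No memory is copied; the model only records what length would reach copyout and whether the guard would accept it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed user-space model of the length checks in the quoted
 * sys_randomized_path snippet. Nothing here is PS4 kernel code.
 * path_len's type (size_t) and the user address are assumptions.
 */

#define K_PATH_SIZE      0x100                   /* char k_path[0x100] in the snippet */
#define USER_ADDR_LIMIT  0x8000000000000000ULL   /* copyout limit quoted by TheFloW */

typedef struct {
    bool   reached_copyout;   /* did control flow get as far as copyout? */
    bool   copyout_accepted;  /* would the modelled copyout guard accept dst+len? */
    size_t requested_len;     /* length handed to copyout, after integer conversion */
} sim_result;

/* Model of copyout's range guard: reject when dst+len wraps or ends past the limit. */
static bool model_copyout_guard(uint64_t dst, size_t len)
{
    uint64_t end = dst + (uint64_t)len;
    return end >= dst && end <= USER_ADDR_LIMIT;
}

/* Pre-fix logic, mirroring the snippet: max_len is signed and never validated. */
static sim_result sim_buggy(size_t path_len, int64_t max_len, uint64_t out_path)
{
    sim_result r = { false, false, 0 };
    size_t len;

    /* Same comparison as the snippet; with these types max_len is compared as unsigned. */
    if (path_len <= max_len) {
        len = path_len;
    } else {
        /* max_len == 0 gives -1 here, which becomes SIZE_MAX once it is a size_t. */
        len = (size_t)(max_len - 1);
    }
    r.reached_copyout  = true;
    r.requested_len    = len;
    r.copyout_accepted = model_copyout_guard(out_path, len);
    return r;
}

/* Post-fix logic: the max_len > 0 check the post says Sony added, applied before any arithmetic. */
static sim_result sim_fixed(size_t path_len, int64_t max_len, uint64_t out_path)
{
    sim_result r = { false, false, 0 };
    if (max_len <= 0) {
        return r;   /* rejected before max_len - 1 can underflow */
    }
    return sim_buggy(path_len, max_len, out_path);
}

int main(void)
{
    const uint64_t user_buf = 0x10000;   /* constructed user-space address */
    const size_t   path_len = 0x20;      /* constructed path length */
    sim_result a = sim_buggy(path_len, 0x40, user_buf);
    sim_result b = sim_buggy(path_len, 0, user_buf);
    sim_result c = sim_fixed(path_len, 0, user_buf);

    printf("buggy, max_len=0x40: len=0x%zx accepted=%d\n", a.requested_len, a.copyout_accepted);
    printf("buggy, max_len=0   : len=0x%zx accepted=%d\n", b.requested_len, b.copyout_accepted);
    printf("fixed, max_len=0   : reached_copyout=%d\n", c.reached_copyout);
    return 0;
}
```

Running it shows the behaviour the post describes: with max_len = 0 the pre-fix path hands copyout a length of SIZE_MAX, dst+len wraps, and the guard rejects it, which is why the bug does not leak; the fixed path never reaches copyout for zero or negative max_len at all.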
[Image: PS4 Kernel Bug Details by TheFloW, Fixed Between 5.05-6.20 OFW]

Comments


aritoni01
I think this means that a possible or publicly viable kernel exploit from 5.05 to 6.20 was patched at some point between the two, making the question "Can we get some 5.55 HEN somewhere in the future?" a more accurate approach to what we can expect.
 

SirSilvan83
@RazorMC
I guess he tested it working on 5.05, then he was only focused on Vita for a while, updated on 6.20 and recognized that it was fixed.
But that's only an estimation from my side.

He never said that it was already fixed with 5.05 ☝🏻
 