Category: PS4 Jailbreaking · Thread starter: PSXHAX · Start date: Jun 3, 2019 at 8:47 AM · 86,302 · 86
Status: Not open for further replies.
A while back popular PS Vita scene developer TheFloW hinted that he would be looking at the PS4 kernel in his H-ENcore Write-up, and today he shared on Twitter some details on a PS4 Kernel Bug he discovered, stating it is fixed somewhere between 5.05 and 6.20 OFW... with the PS4 Kernel Exploit 5.05 / 5.07 being the last public jailbreak currently available. :unsure:


PS4 kernel bug: sys_randomized_path could leak arbitrary amount of kernel stack:
Code:
char k_path[0x100];                          // fixed-size kernel stack buffer
int64_t max_len = fuword64(max_len_ptr);     // caller-controlled, no > 0 check before use
if (path_len <= max_len) {
    copyout(k_path, out_path, path_len);
} else {
    copyout(k_path, out_path, max_len - 1);  // max_len == 0 wraps to a huge length
}
Unfortunately fixed somewhere between 5.05 and 6.20.

:arrow: Update: TheFloW said his bug is not exploitable:

Nvm this bug is not exploitable, as copyout will simply abort if dst+len wraps around or is higher than 0x8000000000000000. However, Sony did actually fix it by adding a max_len > 0 check, so I thought it could be abused.
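To make the two halves of that update concrete, here is a small C model of the quoted length logic, added as an illustration for this write-up (it is not TheFloW's code, not CelesteBlue's, and not PS4 kernel code). It contains the pre-fix branch, the same branch with the max_len > 0 check TheFloW says Sony added, and a model of the copyout guard (abort if dst+len wraps or ends above 0x8000000000000000) that is what stops the oversized copy. The function names, the user address 0x200000000 and the exact integer types of path_len beyond the int64_t shown for max_len are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the length logic quoted above. Helper names and the integer
 * types are assumptions for illustration; this is not PS4 kernel code. */

/* Highest end address copyout() tolerates, as stated in the thread. */
#define USER_ADDR_LIMIT 0x8000000000000000ULL

/* Model of the guard inside copyout(): refuse the copy if dst+len wraps around
 * or the end address lands above USER_ADDR_LIMIT. True means the copy proceeds. */
bool copyout_accepts(uint64_t dst, uint64_t len)
{
    uint64_t end = dst + len;            /* unsigned wrap is well-defined in C */
    if (end < dst)                       /* wrapped past zero */
        return false;
    if (end > USER_ADDR_LIMIT)           /* would cross into kernel address space */
        return false;
    return true;
}

/* Pre-fix logic: the length handed to copyout(). The subtraction is done in
 * uint64_t so that max_len == 0 deterministically wraps to UINT64_MAX. */
uint64_t copy_len_vulnerable(uint64_t path_len, int64_t max_len)
{
    if ((int64_t)path_len <= max_len)
        return path_len;
    return (uint64_t)max_len - 1;        /* max_len == 0 -> 0xFFFFFFFFFFFFFFFF */
}

/* Post-fix logic with the max_len > 0 check the thread says Sony added.
 * Returns false (the syscall should fail) instead of producing a length. */
bool copy_len_fixed(uint64_t path_len, int64_t max_len, uint64_t *out_len)
{
    if (max_len <= 0)
        return false;
    if ((int64_t)path_len <= max_len)
        *out_len = path_len;
    else
        *out_len = (uint64_t)max_len - 1; /* leave room for the NUL terminator */
    return true;
}

/* Convenience wrapper: the fixed length, or 0 when the fixed check rejects. */
uint64_t copy_len_fixed_or_zero(uint64_t path_len, int64_t max_len)
{
    uint64_t n = 0;
    return copy_len_fixed(path_len, max_len, &n) ? n : 0;
}

/* Bytes beyond the path itself that would reach user space under the pre-fix
 * logic once copyout()'s own guard is applied. This is the check behind the
 * "not exploitable" conclusion: every wrapped length is rejected before a
 * single byte leaves the kernel stack. */
uint64_t stack_bytes_leaked_vulnerable(uint64_t path_len, int64_t max_len, uint64_t dst)
{
    uint64_t len = copy_len_vulnerable(path_len, max_len);
    if (!copyout_accepts(dst, len))
        return 0;                        /* copyout aborts, nothing copied */
    return len > path_len ? len - path_len : 0;
}

int main(void)
{
    uint64_t dst = 0x200000000ULL;       /* constructed user-space address */

    printf("max_len=0: pre-fix len = 0x%llx, bytes leaked = %llu\n",
           (unsigned long long)copy_len_vulnerable(16, 0),
           (unsigned long long)stack_bytes_leaked_vulnerable(16, 0, dst));
    printf("max_len=0x8000000000000000: bytes leaked = %llu\n",
           (unsigned long long)stack_bytes_leaked_vulnerable(16, INT64_MIN, dst));
    printf("max_len=0: fixed logic rejects = %s\n",
           copy_len_fixed_or_zero(16, 0) == 0 ? "yes" : "no");
    return 0;
}
```

The second printf uses INT64_MIN because that is what the 0x8000000000000000 length written by the JS snippet further down becomes once read as a signed int64_t: the signed comparison fails, max_len - 1 wraps to 0x7FFFFFFFFFFFFFFF, and the modelled copyout guard refuses it for any non-zero destination. Note that the model only reproduces the guard described in the thread; it does not claim anything about other checks in the real syscall.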
From Pastebin.com:
Code:
// <6.00 bug (not exploitable) found by TheFloW, JS adaptation by CelesteBlue only useful for when we find an actual vulnerable syscall
var try_sys_randomized_path_leak = function() {
    var mem = p.malloc(0x1000000); // allocate buffer
    alert(p.hexdump(mem, 0x500)); // display zeroed buffer

    var len_pointer = p.malloc(0x08); // allocate length
    p.write8(len_pointer, new int64(0, 2147483648)); // write length: 0x8000000000000000
    alert(p.hexdump(len_pointer, 8)); // display length

    alert(p.syscall("sys_randomized_path", 0, mem, len_pointer)); // trigger bug
    alert(p.hexdump(mem, 0x500)); // display buffer, should have been modified if success
};
[Image: PS4 Kernel Bug Details by TheFloW, Fixed Between 5.05-6.20 OFW]