Category PS4 Jailbreaking       Thread starter PSXHAX       Start date Jun 3, 2019 at 8:47 AM       60,333       83            
Awhile back popular PS Vita scene developer TheFloW hinted that he'll be looking at the PS4 kernel in his H-ENcore Write-up, and today he shared on Twitter some details on a PS4 Kernel Bug discovered stating it is fxed somewhere between 5.05 and 6.20 OFW... with the PS4 Kernel Exploit 5.05 / 5.07 being the last public jailbreak currently available. :unsure:


PS4 kernel bug: sys_randomized_path could leak arbitrary amount of kernel stack:
Code:
char k_path[0x100];
int64_t max_len = fuword64(max_len_ptr);
if (path_len <= max_len) {
copyout(k_path, out_path, path_len);
} else {
copyout(k_path, out_path, max_len - 1);
}
Unfortunately fixed somewhere between 5.05 and 6.20.

:arrow: Update: TheFloW said his bug is not exploitable:

Nvm this bug is not exploitable, as copyout will simply abort if it dst+len wraps around or is higher than 0x8000000000000000. However, Sony did actually fix it by adding a max_len > 0 check, so I thought it could be abused.
From Pastebin.com:
Code:
// <6.00 bug (not exploitable) found by TheFloW, JS adaptation by CelesteBlue only useful for when we find an actual vulnerable syscall
    var try_sys_randomized_path_leak = function() {
        var mem = p.malloc(0x1000000); // allocate buffer
        alert(p.hexdump(mem, 0x500)); // display zeroed buffer
       
        var len_pointer = p.malloc(0x08); // allocate length
        p.write8(len_pointer, new int64(0, 2147483648)); // write length: 0x8000000000000000
        alert(p.hexdump(len_pointer, 8)); // display length
       
        alert(p.syscall("sys_randomized_path", 0, mem, len_pointer)); // trigger bug
        alert(p.hexdump(mem, 0x500)); // display buffer, should have been modified if success
    };
PS4 Kernel Bug Details by TheFloW, Fixed Between 5.05-6.20 OFW.jpg
 

Comments

SirSilvan83

Senior Member
Contributor
Verified
So he left the official scene but gave a hint were to find the solution? So now it's up to some good Devs to find it and make it public?

Mhhh not sure whether this will lead to that what we're looking for...
 
Recent Articles
PS4 System Software / Firmware 6.72 Released, Don't Update!
Just over a month ago Sony released a PS4 OFW 6.71 Update followed by a few 6.80 Beta Updates for those in their PlayStation Preview Program, and today another PS4 System Software / Firmware 6.72...
PCSX-R Emulator PS4 Port Crash Bandicoot & Resident Evil PSOne Demos
Since the mGBA Emulator PS4 port and Yabause Sega Saturn Emulator PS4 port, PlayStation 4 homebrew developer Znullptr worked on a PCSXR (CodePlex Archive) PS4 port of the PlayStation emulator...
PS4 Puzzle Platformer Etherborn Shifts Onto PlayStation 4 Next Week
Last month we saw a MGS HD Remake made in Dreams on PlayStation 4, and in similar fashion comes an elegant leap in the gravity-puzzle genre... environmental puzzle platformer known as Etherborn...
Final Fantasy XIV (FFXIV) PS4 Screenshot Retimer Script by Skydeo
Following the Final Fantasy XIV: Stormblood and recent Final Fantasy XIV: Shadowbringers Final Fantasy XIV Online PS4 expansion pack comes a FFXIV PS4 Screenshot Retimer Python Script by Skydeo to...
Top