Join Us and become a Member for a Verified Badge to access private areas with the latest PS4 PKGs.
PS4 Jailbreaking       Thread starter PSXHAX       Start date Jun 3, 2019 at 8:47 AM       86      
Status
Not open for further replies.
Awhile back popular PS Vita scene developer TheFloW hinted that he'll be looking at the PS4 kernel in his H-ENcore Write-up, and today he shared on Twitter some details on a PS4 Kernel Bug discovered stating it is fxed somewhere between 5.05 and 6.20 OFW... with the PS4 Kernel Exploit 5.05 / 5.07 being the last public jailbreak currently available. :unsure:


PS4 kernel bug: sys_randomized_path could leak arbitrary amount of kernel stack:
Code:
char k_path[0x100];
int64_t max_len = fuword64(max_len_ptr);
if (path_len <= max_len) {
copyout(k_path, out_path, path_len);
} else {
copyout(k_path, out_path, max_len - 1);
}
Unfortunately fixed somewhere between 5.05 and 6.20.

:arrow: Update: TheFloW said his bug is not exploitable:

Nvm this bug is not exploitable, as copyout will simply abort if it dst+len wraps around or is higher than 0x8000000000000000. However, Sony did actually fix it by adding a max_len > 0 check, so I thought it could be abused.
From Pastebin.com:
Code:
// <6.00 bug (not exploitable) found by TheFloW, JS adaptation by CelesteBlue only useful for when we find an actual vulnerable syscall
    var try_sys_randomized_path_leak = function() {
        var mem = p.malloc(0x1000000); // allocate buffer
        alert(p.hexdump(mem, 0x500)); // display zeroed buffer
       
        var len_pointer = p.malloc(0x08); // allocate length
        p.write8(len_pointer, new int64(0, 2147483648)); // write length: 0x8000000000000000
        alert(p.hexdump(len_pointer, 8)); // display length
       
        alert(p.syscall("sys_randomized_path", 0, mem, len_pointer)); // trigger bug
        alert(p.hexdump(mem, 0x500)); // display buffer, should have been modified if success
    };
PS4 Kernel Bug Details by TheFloW, Fixed Between 5.05-6.20 OFW.jpg
 

Comments

It was patched somewhere between 5.05 and 6.20, so devs can examine those PS4 Firmware versions for the bug and hopefully find it still present in newer than 5.07.
 
In general good news, as long as this is different string than it was used for already existing 5.05 kexploit, which also was fixed with 5.50 (between 5.05 and 6.20 ;))
 
Status
Not open for further replies.
Back
Top