PS5 Kernel Access Granted via Previously Disclosed PS4 Exploit by TheFloW0

Following his previously disclosed PS4 Kernel Exploit (Use-After-Free In IPV6_2292PKTOPTIONS) report and PS5 BD-J Hack Source Code, today Security Engineer theflow0 disclosed on HackerOne.com a Use-after-free in setsockopt IPV6_2292PKTOPTIONS vulnerability granting PS5 Kernel access to an attacker confirming the PlayStation 5 is also affected by CVE-2020-7457.

According to theflow0 on Twitter, more about the PS5 kernel exploit will be revealed at 17:15 (5:15 PM) on Saturday, October 15th during Hexacon 2022 which runs from October 14-15th.

• TheFloW0's Previous PS4 / PS5 exFAT Vulnerability Disclosed on HackerOne

Here's further details from his Use-after-free in setsockopt IPV6_2292PKTOPTIONS (CVE-2020-7457) H1 report for the PS5 Scene (PlayStation 5 Jailbreak Status), to quote:

The PS5 is vulnerable to hackerone.com/reports/826026 which easily grants kernel access to an attacker. This vulnerability had been reported by me for the PS4 2 years ago when the PS5 did not yet exist, thus this should be considered as a new report and not a duplicate.

I was able to use this vulnerability in conjunction with the bd-j exploit chain to gain kernel access.

See freebsd.org/security/advisories/FreeBSD-SA-20:20.ipv6.asc for more details.

Impact

Gain kernel access on PS5.

Cheers to kizabg and MSZ_MGS via Twitter for the heads-up on this earlier:

Spoiler: Related Tweets

 

[Gruntz]

@blimblim04 because unless it's news that people can pirate, nobody cares honestly.

 

[blimblim04]

@Gruntz
You are right.

 

[hanemay]

i just want homebrew

 

[UF0]

Waiting for some linux so think mines going to be gathering dust awhile

 

[Chivo777]

I’m telling you - Never disappointed Scene grows faster and faster like always!

 

[FateNightroad2]

I never understood why people don't just get an xbox if they just wanted homebrew.

 

[UltraLex]

I would love a PS4 CFW

 

[tommasi]

Finally I get to see if it’s worth it to stay on low FW or just update and move on.

 

[PressG]

Folks now that the others have discovered the BD-J as the attack vector, and Kernel Access is achieved, we just need to crack the PS5 Hyper-V (Extra security layer), which is going to be quite difficult.

• us-21-Mobius-Band-Explore-Hyper-V-Attack-Interface-Through-Vulnerabilities-Internals.pdf

 

[Edrokski777]

Has anyone ever exploited a Hypervisor? Didn't PS3 have one that was implemented wrong or something?