Following his previously disclosed PS4 Kernel Exploit (Use-After-Free in IPV6_2292PKTOPTIONS) report and PS5 BD-J Hack Source Code, today Security Engineer theflow0 disclosed on HackerOne.com a "Use-after-free in setsockopt IPV6_2292PKTOPTIONS" vulnerability granting PS5 kernel access to an attacker, confirming that the PlayStation 5 is also affected by CVE-2020-7457. 🥳

According to theflow0 on Twitter, more about the PS5 kernel exploit will be revealed at 17:15 (5:15 PM) on Saturday, October 15th during Hexacon 2022, which runs from October 14th to 15th.
Here are further details from his Use-after-free in setsockopt IPV6_2292PKTOPTIONS (CVE-2020-7457) H1 report for the PS5 Scene (PlayStation 5 Jailbreak Status), to quote:

The PS5 is vulnerable to hackerone.com/reports/826026, which easily grants kernel access to an attacker. This vulnerability had been reported by me for the PS4 two years ago when the PS5 did not yet exist, thus this should be considered a new report and not a duplicate.

I was able to use this vulnerability in conjunction with the bd-j exploit chain to gain kernel access.

See freebsd.org/security/advisories/FreeBSD-SA-20:20.ipv6.asc for more details.

Impact

Gain kernel access on PS5.

Cheers to kizabg and MSZ_MGS via Twitter for the heads-up on this earlier: 🍻
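The report quoted above names the bug only by its FreeBSD identity: a use-after-free reachable through setsockopt(IPV6_2292PKTOPTIONS), described in the linked advisory. What follows is an added example, not code from theflow0's report, from FreeBSD or from the PS5: a user-space model of that bug class, in which one thread replaces and frees a per-socket option blob (the setsockopt side) while another thread still dereferences the pointer it loaded a moment earlier (the send-path side). The struct names, the poison-flag-plus-quarantine trick used so the stale read can be counted instead of crashing, and the mutex standing in for the kernel's socket lock are all assumptions of the model, not the real kernel data structures; the advisory text remains the reference for what actually changed in FreeBSD.

```c
/*
 * Added example: user-space model of a setsockopt()-driven use-after-free.
 * Not FreeBSD or PS5 code. The option blob is not really free()d; it is
 * poisoned (freed = 1) and kept on a quarantine list so that a reader that
 * dereferences it can report the fact without undefined behaviour.
 * use_lock = 0 models the racy pattern, use_lock = 1 the serialised one.
 */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

#define ITERATIONS 20000

struct pktopts {
    int hoplimit;            /* one option field stands in for the whole blob */
    atomic_int freed;        /* poison flag: 1 once the writer has "freed" it */
    struct pktopts *next;    /* quarantine list link, writer thread only */
};

struct sock {
    _Atomic(struct pktopts *) opts;   /* current per-socket options (assumed name) */
    pthread_mutex_t lock;             /* stands in for the kernel's socket/pcb lock */
    int use_lock;                     /* 0 = vulnerable model, 1 = hardened model */
    struct pktopts *quarantine;       /* "freed" blobs, really released after the run */
};

static void lock_if(struct sock *so)   { if (so->use_lock) pthread_mutex_lock(&so->lock); }
static void unlock_if(struct sock *so) { if (so->use_lock) pthread_mutex_unlock(&so->lock); }

/* setsockopt(IPV6_2292PKTOPTIONS) side: install a fresh blob, drop the old one. */
static void set_pktopts(struct sock *so, int hoplimit)
{
    struct pktopts *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->hoplimit = hoplimit;

    lock_if(so);
    struct pktopts *old = atomic_exchange(&so->opts, n);
    if (old) {
        atomic_store(&old->freed, 1);   /* a real kernel would free(old) here */
        old->next = so->quarantine;
        so->quarantine = old;
    }
    unlock_if(so);
}

/* Send-path side: consult the current blob. Returns -1 if the blob it
 * dereferenced had already been "freed", i.e. a use-after-free happened. */
static int read_hoplimit(struct sock *so)
{
    lock_if(so);
    struct pktopts *p = atomic_load(&so->opts);
    sched_yield();                      /* widen the window between load and use */
    int stale = atomic_load(&p->freed); /* without the lock, p may be poisoned by now */
    int hl = p->hoplimit;
    unlock_if(so);
    return stale ? -1 : hl;
}

struct run_args { struct sock *so; long uaf; };

static void *writer(void *arg)
{
    struct sock *so = arg;
    for (int i = 0; i < ITERATIONS; i++)
        set_pktopts(so, 64 + (i & 63));
    return NULL;
}

static void *reader(void *arg)
{
    struct run_args *ra = arg;
    for (int i = 0; i < ITERATIONS; i++)
        if (read_hoplimit(ra->so) < 0)
            ra->uaf++;
    return NULL;
}

/* Run both threads against one socket; return how many reads hit a freed blob. */
long run_model(int use_lock)
{
    struct sock so = { .use_lock = use_lock };
    atomic_init(&so.opts, NULL);
    pthread_mutex_init(&so.lock, NULL);
    set_pktopts(&so, 64);               /* initial options, so the reader never sees NULL */

    struct run_args ra = { .so = &so, .uaf = 0 };
    pthread_t r, w;
    pthread_create(&r, NULL, reader, &ra);
    pthread_create(&w, NULL, writer, &so);
    pthread_join(w, NULL);
    pthread_join(r, NULL);

    /* Now that no one can touch them, really release the quarantined blobs. */
    for (struct pktopts *p = so.quarantine; p; ) {
        struct pktopts *nx = p->next;
        free(p);
        p = nx;
    }
    free(atomic_load(&so.opts));
    pthread_mutex_destroy(&so.lock);
    return ra.uaf;
}

int main(void)
{
    printf("vulnerable model: %ld reads of a freed blob\n", run_model(0));
    printf("hardened model:   %ld reads of a freed blob\n", run_model(1));
    return 0;
}
```

Build with `cc -pthread model.c`. The vulnerable run usually reports a non-zero count (how large depends on the scheduler); the hardened run always reports zero, because the swap-and-poison and the load-and-use can no longer interleave. In a real kernel the same window means dereferencing freed memory whose contents an attacker can try to control by reallocating it, which is why a race of this shape is reported as a kernel-access bug rather than a mere crash.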

Comments

Well, this is a very good step in the right direction. With kernel access the scene then moves toward decrypting kernel modules and dependencies, which then hopefully will allow for modified dependencies to be injected via simple payload injection, but clearly it's still a decent ways off.

However, this means the PS5 is possibly hackable like the PS4, with payload injection via running the valid exploit chain, then inserting and jumping to a viable payload. Like I said, still a ways off, but we're one step closer to touchdown.
 
@PressG
The information you have provided is interesting. Thanks

@stinger101mg
So we only have access to the kernel now. But theflow already had this access a year ago. He is a year ahead of us, and in a whole year he hasn't been able to do anything with the hypervisor. Do you think we can do something?
 
@andisheegold How do you know he hasn't made a breakthrough with the hypervisor? I'm pretty sure he's broken its security by now and hasn't said anything. He sells this information to PlayStation; he's not gonna disclose anything to the public until he gets paid, and he definitely isn't going to be the first to disclose the hypervisor exploit.
 