Following his PS5 Kernel Exploit Vulnerability disclosure yesterday, theflow0 took to Twitter again today as his previous exFAT vulnerability affecting both PS4 (pOOBs4 9.00 Jailbreak) and PlayStation 5 consoles was finally disclosed on HackerOne.com.

Earlier TheOfficialFloW also confirmed more information on the PS5 kernel exploit will be revealed at 17:15 (5:15 PM) on Saturday, October 15th during Hexacon 2022.

Here's what the HackerOne report states for those in the PlayStation 5 Scene (PS5 Jailbreak Status), to quote:

size_t-to-int vulnerability in exFAT leads to memory corruption via malformed USB flash drives

Summary

A heap-based buffer overflow can be triggered by a malformed exFAT USB flash drive.

Vulnerability

The vulnerability is in Sony's exFAT implementation, where there is an integer truncation from 64-bit to 32-bit on a size variable that is used to allocate the up-case table:
Code:
int UVFAT_readupcasetable(void *unused, void *fileSystem) {
  ...
  size_t dataLength = *(size_t *)(upcaseEntry + 24);
  size_t size = sectorSize + dataLength - 1;
  size = size - size % sectorSize;
  uint8_t *data = sceFatfsCreateHeapVl(0, size);
  ...
  while (1) {
    ...
    UVFAT_ReadDevice(fileSystem, offset, sectorSize, data);
    ...
    data += sectorSize;
    ...
  }
}
Namely, dataLength and size are both 64-bit wide; however, the size argument of sceFatfsCreateHeapVl() is 32-bit wide:
Code:
void *sceFatfsCreateHeapVl(void *unused, int size) {
  return malloc(size, M_EXFATFSPATH, M_WAITOK | M_ZERO);
}
When using a big size for dataLength, this function will therefore only allocate a small buffer, and as a result the calls to UVFAT_ReadDevice() overflow and corrupt subsequent objects on the heap.

For example, using sectorSize=0x200 and dataLength=0x100000200 we have:
Code:
size = (sectorSize + dataLength - 1) - (sectorSize + dataLength - 1) % sectorSize;
<=> size = (0x200 + 0x100000200 - 1) - (0x200 + 0x100000200 - 1) % 0x200;
<=> size = 0x1000003FF - 0x1FF;
<=> size = 0x100000200;
When passing this size to sceFatfsCreateHeapVl(), the leading 1 is cut off, leaving 0x200.

Exploitation

This vulnerability allows us to allocate any buffer on the heap with size >= 512 and multiple of 512, and allows us to overflow by a multiple of 512. There are interesting objects that one could spray on the heap such as struct usb_endpoint which contain interesting pointers that one could corrupt.

Impact

Jailbreak the PS4/PS5 by plugging in the USB and directly getting kernel code execution. 🥳
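The following C program is an added example, not code from the HackerOne report or from Sony's exFAT implementation. It replays the size computation quoted in the report with explicit 64-bit types, models the narrowing that happens when the value is passed through a 32-bit int parameter, and shows the length check a defender would want in front of such an allocation. All function names (upcase_alloc_size, narrowed_size, checked_alloc_size) and the 1 MiB cap are hypothetical stand-ins chosen for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the HackerOne report or from Sony's exFAT
 * implementation. It replays the size computation quoted above with
 * explicit 64-bit types, models the narrowing at the int parameter, and
 * shows a checked variant. Function names and the cap are hypothetical. */

/* Round dataLength up to a whole number of sectors, exactly as the quoted
 * UVFAT_readupcasetable() does. Caller guarantees sectorSize != 0. */
static uint64_t upcase_alloc_size(uint64_t sectorSize, uint64_t dataLength) {
    uint64_t size = sectorSize + dataLength - 1;
    return size - size % sectorSize;
}

/* Model of the vulnerable callee: the parameter is a 32-bit int, so the
 * 64-bit value is narrowed on the call. Converting an out-of-range value to
 * int is implementation-defined in C; on the usual two's-complement targets
 * the high 32 bits are simply dropped. */
static unsigned int narrowed_size(uint64_t size) {
    int size32 = (int)size;
    return (unsigned int)size32;
}

/* Bytes the read loop would write beyond the buffer that was really
 * allocated: requested size minus what malloc() actually received. */
static uint64_t bytes_past_buffer(uint64_t sectorSize, uint64_t dataLength) {
    uint64_t wanted = upcase_alloc_size(sectorSize, dataLength);
    return wanted - narrowed_size(wanted);
}

/* Hardened variant: dataLength comes from the on-disk up-case entry, so it
 * is untrusted. Reject anything that cannot survive the conversion, and
 * bound the table at a sane maximum so one malformed entry cannot demand a
 * huge allocation either. */
#define UPCASE_TABLE_MAX (1u << 20)  /* hypothetical sanity limit, 1 MiB */

static int checked_alloc_size(uint64_t sectorSize, uint64_t dataLength,
                              unsigned int *out) {
    if (sectorSize == 0 || dataLength == 0) return -1;
    if (dataLength > UPCASE_TABLE_MAX) return -1;        /* implausible table */
    if (dataLength > UINT64_MAX - sectorSize) return -1; /* sum would wrap   */
    uint64_t size = upcase_alloc_size(sectorSize, dataLength);
    if (size > (uint64_t)INT_MAX) return -1;             /* would be truncated */
    *out = (unsigned int)size;
    return 0;
}

/* Helper: does the checked path accept the input and yield expect? */
static int checked_alloc_equals(uint64_t sectorSize, uint64_t dataLength,
                                unsigned int expect) {
    unsigned int out = 0;
    return checked_alloc_size(sectorSize, dataLength, &out) == 0 && out == expect;
}

int main(void) {
    /* The report's own numbers: sectorSize=0x200, dataLength=0x100000200. */
    uint64_t sec = 0x200, len = 0x100000200ULL;
    unsigned int out = 0;
    printf("computed size      : 0x%llx\n",
           (unsigned long long)upcase_alloc_size(sec, len));
    printf("size seen by malloc: 0x%x\n", narrowed_size(upcase_alloc_size(sec, len)));
    printf("bytes past buffer  : 0x%llx\n",
           (unsigned long long)bytes_past_buffer(sec, len));
    printf("checked variant    : %s\n",
           checked_alloc_size(sec, len, &out) == 0 ? "accepted" : "rejected");
    return 0;
}
```

With the report's values the computed size is 0x100000200, the narrowed value handed to malloc() is 0x200, and the checked variant rejects the entry before any allocation happens. The two-stage check matters: the plausibility cap catches the obviously malformed table early, and the INT_MAX comparison guards the conversion itself so the same bug cannot reappear if the cap is ever raised.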