Editing Bugs

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
The PS4 has bugs. Some bugs can lead to [[Vulnerabilities]]. Others lead to nothing useful (yet) but can serve as examples of what not to do.
== Theoretical Hardware Attacks ==
 
= Theoretical Hardware Attacks =
 
We already know for certain someone out there has hacked the SAMU or stolen Sony's keys because of leaked decrypted kernels. These are some end-all hardware solutions to hack the PS4, theorized by golden. I give a score out of 10 for each.
We already know for certain someone out there has hacked the SAMU or stolen Sony's keys because of leaked decrypted kernels. These are some end-all hardware solutions to hack the PS4, theorized by golden. I give a score out of 10 for each.
 
=== Power analysis against SAMU 9.9/10 ===
=== Power analysis against SAMU 9.9/10 ===
 
There are theories that this won't work because...
There are theories that this won't work because...
* SAMU silicon spoofs hamming weight (prevents differential power analysis and EM analysis)
* SAMU silicon spoofs hamming weight (prevents differential power analysis and EM analysis)
* It is running too fast and not feasible since cost is too high
* It is running too fast and not feasible since cost is too high
* You cannot slow down the SAMU clock since it is internally checked
* You can't slow down the SAMU clock since it is internally checked
* Some more issues?
* Some more issues?
 
If there is some sort of main CPU/SAMU PLL bypass we might be able to slow the clock down really easily, otherwise we must inject our own clock signal. I believe the SAMU clock is controlled by syscon? If the check is in syscon then we can just patch it out. Maybe write a custom Linux fork that never loads into usermode but just sits and constantly decrypts different self/sprx files. We could communicate with this Linux fork over UART. This attack only needs to work once to recover some keys.
If there is some sort of main CPU/SAMU PLL bypass we might be able to slow the clock down really easily, otherwise we must inject our own clock signal. I believe the SAMU clock is controlled by syscon? If the check is in syscon then we can just patch it out. Maybe write a custom Linux fork that never loads into usermode but just sits and constantly decrypts different self/sprx files. We could communicate with this Linux fork over UART. This attack only needs to work once to recover some keys.
 
=== SAMU power/clock glitch fault injection 5/10 ===
=== SAMU power/clock glitch fault injection 5/10 ===
 
During an AES round we might be able to do some SCA by injecting faults. See the paper from umass.edu in the section below. We would write a minimal operating system to reboot into after exploiting an older firmware. This 'operating system' will simply shutdown most of the CPU cores and pin one core. This code would communicate with the SAMU and do everything the normal SCE SAMU driver does for decryption. We can then use UART output from CPU to time our glitch attacks. The faulty data retrieved by our custom SAMU driver might be able to reveal secret key data. This attack only needs to work once to recover some keys.
During an AES round we might be able to do some SCA by injecting faults. See the paper from umass.edu in the section below. We would write a minimal operating system to reboot into after exploiting an older firmware. This 'operating system' will simply shutdown most of the CPU cores and pin one core. This code would communicate with the SAMU and do everything the normal SCE SAMU driver does for decryption. We can then use UART output from CPU to time our glitch attacks. The faulty data retrieved by our custom SAMU driver might be able to reveal secret key data. This attack only needs to work once to recover some keys.
 
=== SAMU backside UV/IR fault injection 3/10 ===
=== SAMU backside UV/IR fault injection 3/10 ===
 
Just as the title states. Very expensive to setup and do properly. If we can flip an even number of bits it the encrypted SAMU SRAM region of the chip (even since ECC parity bit), then some sort of side channel analysis might be able to be done to recover key material. Some silicon reverse engineering would be involved to find the SRAM region on die.
Just as the title states. Very expensive to setup and do properly. If we can flip an even number of bits it the encrypted SAMU SRAM region of the chip (even since ECC parity bit), then some sort of side channel analysis might be able to be done to recover key material. Some silicon reverse engineering would be involved to find the SRAM region on die.
 
"Moreover, it is no longer possible to hit a single SRAM cell with the current etching technologies, since the width of the gate dielectric is now more than 10 times smaller than the shortest wavelength of visible light." To get an idea of the cost of this equipment... "A class of threats which cannot be ignored if the attackers have access to a larger budget (above the aforementioned $3000 and up to millions of dollars)" (http://euler.ecs.umass.edu/research/bbkn-IEEEP-2012.pdf)
"Moreover, it is no longer possible to hit a single SRAM cell with the current etching technologies, since the width of the gate dielectric is now more than 10 times smaller than the shortest wavelength of visible light." To get an idea of the cost of this equipment... "A class of threats which cannot be ignored if the attackers have access to a larger budget (above the aforementioned $3000 and up to millions of dollars)" (hxxp://euler.ecs.umass.edu/research/bbkn-IEEEP-2012.pdf)
 
The fault injection is all infeasible unless some elite hackzor came out of the woodwork. We only need to have this work once.
The fault injection is all infeasible unless some elite hackzor came out of the woodwork. We only need to have this work once.
 
=== SEM/FIB/microprobes 2/10 ===
=== SEM/FIB/microprobes 2/10 ===
 
We might be able to readout the bootrom with some microprobes? Sniff data lines somewhere? The SAMU SRAM memory is encrypted so we would have to probe the LM32 instruction bus or something... infeasible but possible.
We might be able to readout the bootrom with some microprobes? Sniff data lines somewhere? The SAMU SRAM memory is encrypted so we would have to probe the LM32 instruction bus or something... infeasible but possible.
 
=== USB ===
=== USB pwnage ===
 
The FreeBSD USB stack has been theorized, by a well know security researcher, to contain some high profile bugs. A dongle might just be possible. For example, last year someone ran a fuzzer on the Linux USB stack and found some crazy bugs: https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md
The FreeBSD USB stack has been theorized, by a well know security researcher, to contain some high profile bugs. A dongle might just be possible. For example, last year someone ran a fuzzer on the Linux USB stack and found some crazy bugs: hxxps://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md
 
=== Bluetooth ===
=== Bluetooth pwnage ===
 
Look at Blueborne and CVE-2017-0781. There are probably some bugs in the Sony/FreeBSD Bluetooth stack. Sony has a habit of ruining their own copy and paste. One of the reasons fail0verflow decided to attack the DS4 controller firmware was because it had a nice interface to the kernel which could contain bugs.
Look at Blueborne and CVE-2017-0781. There are probably some bugs in the Sony/FreeBSD Bluetooth stack. Sony has a habit of ruining their own copy and paste. One of the reasons fail0verflow decided to attack the DS4 controller firmware was because it had a nice interface to the kernel which could contain bugs.


= Software Bugs =
== Software Bugs ==


=== SnagFilms ===
=== SnagFilms ===
Line 84: Line 86:
PATCHED: Sony has hotfixed this exploit via content hashing the file while in transit. Some people have managed to reverse the hotfix but the method is not known. The PS4 checks the content hash HTTP header from the HMAC header.
PATCHED: Sony has hotfixed this exploit via content hashing the file while in transit. Some people have managed to reverse the hotfix but the method is not known. The PS4 checks the content hash HTTP header from the HMAC header.


When you launch VidNow for the first time it gets http://sceecatalogs.vidzone.tv/386/vidzone_386_US.db.psarc. This file is 5MB.
When you launch Vidnow for the first time it gets http://sceecatalogs.vidzone.tv/386/vidzone_386_US.db.psarc. This file is 5MB.
This file loads into a 60 kB TCP buffer. No checks are done at all on the files sizes/hashes/contents. Therefore, it is possible to redirect VidNow to load a substitute file. When VidNow is redirected to load a large enough file the TCP Window buffer is overrun, somewhere between bytes 34,125,000 and 35,000,000 of the substitute file. Despite the buffer overflow and crash, the substitute data is still transmitted and the application only throws the exception when another TCP packet is sent. As a result, the application crashes and the console locks up for a minute. Directly before the console resumes normal operations after the crash, an unusually large number of TCP (RST) packets are sent. While no exploit that makes use of this crash is currently available, a carefully crafted file '''may''' be able to exploit this or similar issues to gain usermode ROP code execution, among other things.
This file loads into a 60k tcp buffer. No checks are done at all on the files size/hash/contents. Therefore, it is possible to redirect Vidnow to load a substitute file. When vidnow is redirected to load a large enough file the TCP Window buffer is overrun,somewhere between byte 34,125,000 and 35,000,000 of the substitute file. Despite the buffer overflow and crash, the substitute data is still transmitted and the application only throws the exception when another tcp packet is sent. As a result, the application crashes and the console locks up for a minute. Directly before the console resumes normal operations after the crash, an unusually large number of tcp (RST) packets are sent. While no exploit that makes use of this crash is currently available, a carefully crafted file '''may''' be able to exploit this or similar issues to gain code execution, among other things.
 
* Note: a related DRM file was available at: http://sceeassets.vidzone.tv/High/000/000/012/524/12524.drm.


====  Crash Timeline ====
====  Crash Timeline ====
Line 98: Line 98:
  17:17:48.500567000 Response
  17:17:48.500567000 Response
  17:17:50.356427000 (System no longer locked up) Console Regains Control (74 byte packet sent)
  17:17:50.356427000 (System no longer locked up) Console Regains Control (74 byte packet sent)
  17:17:50.357555000 Contacts Crashlog Server / System Operation Resumes
  17:17:50.357555000 Contacts Crashlog Server/System Operation Resumes


=== Leap second 23:59:60 bug ===
=== Leap second 23:59:60 bug ===
Line 104: Line 104:
[http://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat Leap second 2015 June 30, 23h 59m 60s should theoretically not be a problem, since PS4 is based on BSD which can implement 23:59:60].
[http://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat Leap second 2015 June 30, 23h 59m 60s should theoretically not be a problem, since PS4 is based on BSD which can implement 23:59:60].


=== 6.20+ DevKit Specific Bug ===
== Reference sites ==
 
<pre>
The Development Kit comes with breakpoint feature that can pause the execution of an application program when the application program accesses a certain location in memory. This data breakpoint is only triggered when an application program accesses memory, but, because of a bug that occurred in version 6.00 of the system software, such breakpoints may be triggered when the kernel accesses the memory of an application program. When this happens, the PlayStation 4 system determines that a serious error has occurred and automatically shuts down the Development Kit.
</pre>
 
=== 6.50 DevKit Specific Bug ===
 
<pre>
This bug occurs regardless of the method used to set the data breakpoint (occurring both when a breakpoint is set with the host tool and when it is set with the sceDbgSetHardwareBreakPoint() API). Version 6.50 of the system software will be fixed so that data breakpoints are not triggered when the kernel accesses an application program's memory (thus returning to the behavior of versions of the system software prior to version 6.00).
</pre>
 
= WebKit =
 
== JIT disabled ==
 
<pre>
CVE-2023-41074
Affecting WebKitGTK.
CVE-2023-42917
Affecting WebKitGTK.
</pre>
 
=== FW ?10.00-11.52? - Immediate overflow/underflow in JSC SBFX (CVE-2024-27833) leading to arbitrary code execution ===
 
==== Credits ====
* Manfred Paul (@_manfp), working with Trend Micro Zero Day Initiative, for discovering the vulnerability on Apple Safari at pwn2own 2024 (2024-03-21) [https://twitter.com/thezdi/status/1770611705510293546 Zero Day Initiative's tweet]
* Justin Michaud for fix commit, Yusuke Suzuki for fix commit review (2024-05-15)
* Apple disclose that Safari update integrates the fix (2024-06-10)
* xvonfers and Bearseater (@JamesMa52390215) for discovering it affects PS4 and PS5 (2024-06-11) [https://twitter.com/xvonfers/status/1800426437486485635 xvonfer's tweet]
 
==== Analysis ====
* [https://github.com/WebKit/WebKit/commit/1ea4ef8127276fd00ca43ffcb22bed162072abde WebKit fix commit by Justin Michaud (2024-05-15)]
* [https://bugs.webkit.org/show_bug.cgi?id=271491 WebKit Bugzilla #271491 with restricted access]
 
==== Bug Description ====
There is an integer underflow in WebKit renderer. It was addressed with improved input validation.
 
The JavaScriptCore Isel SBFX patterns in JavaScriptCore/b3/B3LowerToAir.cpp allowed immediate overflow as 'lsb' and 'width' are not properly checked.
 
SBFX stands for Signed Bitfield Extract. See [https://www.scs.stanford.edu/~zyedidia/arm64/sbfx_sbfm.html] and [https://developer.arm.com/documentation/101273/0001/The-Cortex-M55-Instruction-Set--Reference-Material/Bit-field-instructions/SBFX-and-UBFX]. SBFX is an alias for SBFM (Signed Bitfield Move). See [https://www.scs.stanford.edu/~zyedidia/arm64/sbfm.html]. SBFM is a bitfield extraction opcode.
 
Isel is a short name for Instruction SELect. This pass transforms generic machine instructions into equivalent target-specific instructions. It traverses the MachineFunction bottom-up, selecting uses before definitions, enabling trivial dead code elimination.
 
==== Exploit Implementation ====
* [https://github.com/WebKit/WebKit/blob/main/JSTests/stress/sbfx-offset-overflow.js Vulnerability test by Justin Michaud]
 
==== Patched ====
'''Yes''' on PS4 FW 12.00 and PS5 FW ?10.00?.
 
==== Tested ====
Tested working on PS4 FWs 11.50 and PS5 FWs ?6.00-9.60?. Not working on PS4 <= 9.00 and PS5 >= 10.01.
----
 
=== FW ?10.00-11.02? - JSC::DFG::clobberize() needs to be more precise with the *ByOffset nodes (CVE-2023-41993) leading to arbitrary RW ===
 
==== Credits ====
* Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group for discoverting the vulnerability and reporting it (2023-09-21)
* Keith Miller for the WebKit fix commit (2023-10-09)
* po6ix for his writeup (2023-10-15)
 
==== Analysis ====
* [https://github.com/WebKit/WebKit/commit/08d5d17c766ffc7ca6a7c833c5720eb71b427784 WebKit fix commit by Keith Miller (2023-10-09)]
* [https://github.com/po6ix/POC-for-CVE-2023-41993 Writeup by po6ix (2023-10-15)]
 
==== Bug Description ====
clobberize needs to be more precise with the *ByOffset nodes. CSE phase uses clobberize to figure out if it's safe to merge two operations that def the same HeapLocation. Since HeapLocation does not currently have a way to track the offset used by the various *ByOffset nodes it can get confused and think that two ByOffset instructions produce the same value even if they do not use the same offset. This patch solves this by adding a new field to HeapLocation, which takes the metadata associated with the corresponding *ByOffset node. If two *ByOffset operations don't share the same metadata then they cannot be CSEed.
 
This vulnerability is ranked 7.5 (HIGH) on CVSS:3.1.
 
This vulnerability should provide r/w primitive to the webcontent process, but currently the PoC is written only up to addrof/fakeobj.
 
==== Exploit Implementation ====
* [https://github.com/po6ix/POC-for-CVE-2023-41993 PoC written only up to addrof/fakeobj by po6ix (2023-10-15)]
 
==== Patched ====
'''Maybe''' on PS4 FW 12.00 and PS5 ?10.00?
 
==== Tested ====
Not tested yet. According to open source code, PS4 FW 11.00 should be vulnerable.
----
 
=== FW 10.00-11.02 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to crash ===
 
==== Credits ====
* Alexey Shvayka for vulnerability discovery and fixes in WebKit (2023-05-01)
* ENKI for public disclose and writeup (2024-06-03)
* abc (anonymous) for tests and analysis (2024-10-01)
 
==== Analysis ====
* [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc Analysis by ENKI (2024-06-03)]
* [https://github.com/WebKit/WebKit/commit/1b0741f400ee2d31931ae30f2ddebe66e8fb0945 Patch commit #1 for vulnerability detection (2023-07-31)]
* [https://github.com/WebKit/WebKit/commit/39476b8c83f0ac6c9a06582e4d8e5aef0bb0a88f Patch commit #2 (2023-05-01)]
* [https://www.zerodayinitiative.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons Inverting Your Assumptions: A Guide to JIT Comparisons by Jasiel Spelman (2018-04-12)]
 
==== Bug Description ====
Note that the PS4 web browser JIT support has been removed since around PS4 System Software version 5.00 or lower so using the article directly is not applicable.
 
The clobber bug PoC turns out not to be a memory corruption. Just like the article said, you can access a `GetterSetter` directly. The crash came from triggering `GetterSetter`'s methods that will call `RELEASE_ASSERT()`.
 
We actually have [[#FW_?6.00-11.52?_-_get_by_id_with_this_associated_with_ProxyObject_can_leak_JSScope_objects|a bug that can leak `GetterSetter`s]].
 
In summary with tinkering with this bug, abc (anonymous) do not think that an attacker can do anything useful with accessing a `GetterSetter`. The clobberWorld bug however does allow setting properties in places where you usually cannot like `Function's prototype` as shown in the article. But without JIT, one probably cannot cause any memory corruption. The impact for both bugs (clobberWorld and ProxyObject) is probably just JavaScript execution, which we already have, which is a no go in some context (JS injection) but it does not help in gaining usermode ROP execution on PS4 or PS5.
 
==== Exploit Implementation ====
* [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc PoC by ENKI (2024-06-03)]
 
==== Patched ====
'''Yes''' on PS4 FW 11.50 and PS5 FW 9.00.
 
==== Tested ====
Tested working on PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60. PS4 FWs <= ?9.60? and PS5 FWs <= ?5.50? are invulnerable.
----
 
== Memory exhausted but not corrupted ==
 
=== FW ?10.00?-11.52 - Unknown heap and string overflow (no CVE) leading to crash ===
 
==== Credits ====
* Debty for PoC public disclose (2024-08-29)
 
==== Analysis ====
* [https://github.com/Debvt/Wm/tree/Root0 PoC and analysis by Debty (2024-08-29)]
 
==== Bug Description ====
* TODO
 
Implementation description by Debty:<br />
String exploit is not actually an exploit but just a memory exhauster. It is not actually viable so instead there is a feature called "latest iteration".
 
==== Exploit Implementation ====
* [https://github.com/Debvt/Wm/tree/Root0 PoC by Debty (2024-08-29)]
 
==== Patched ====
'''Yes''' on PS4 FW 12.00 and PS5 FW 10.00.
 
==== Tested ====
Tested working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60.
----
 
= Reference sites =


* http://www.vulnerability-lab.com/
* http://www.vulnerability-lab.com/
Please note that all contributions to PS4 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS4 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)

Templates used on this page:

Retrieved from "http://www.psdevwiki.com/ps4/Bugs"