Editing Vulnerabilities

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1,293: Line 1,293:
==== Patched ====
==== Patched ====
'''Yes''' somewhere between 6.00 and 6.20 FW
'''Yes''' somewhere between 6.00 and 6.20 FW
----
=== FW <= 4.07 - sys_thr_get_ucontext Information Leak (kASLR defeat) ===
==== Analysis ====
[https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/%22NamedObj%22%204.05%20Kernel%20Exploit%20Writeup.md#vector-sys_thr_get_ucontext Specter's Writeup]
==== Bug Description ====
System call 634 or sys_thr_get_ucontext() allows to obtain information on a given thread. The vulnerability is, some areas of memory copied out are not initialized, and thus the function leaks memory at certain spots. This vector was patched in 4.50, as now before the buffer is used it is initialized to 0 via bzero().
==== Exploit Implementation ====
[https://github.com/Cryptogenic/PS4-4.05-Kernel-Exploit PS4 4.05 WebKit + Kernel Exploit]
==== Patched ====
'''Yes''' in 4.50 FW
----
----


Please note that all contributions to PS4 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS4 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)