Editing Vulnerabilities
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 231: | Line 231: | ||
=== WebKit sources === | === WebKit sources === | ||
[https://web.archive.org/web/20231108165430/https://doc.dl.playstation.net/doc/ps4-oss/webkit.html WebKit sources] Currently archived up to version 10.01. Useful for developers that can't access PlayStation URLs and also for when Sony inevitably stops hosting the sources in the future. | [https://web.archive.org/web/20231108165430/https://doc.dl.playstation.net/doc/ps4-oss/webkit.html WebKit sources] Currently archived up to version 10.01. Useful for developers that can't access PlayStation URLs and also for when Sony inevitably stops hosting the sources in the future. | ||
=== FW 6.00-9.60 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW === | === FW 6.00-9.60 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW === | ||
Line 823: | Line 803: | ||
* 2024-03 iMrDJAi for porting CVE-2006-4304 to PS4 and PS5. | * 2024-03 iMrDJAi for porting CVE-2006-4304 to PS4 and PS5. | ||
* 2024-04-25 TheFloW for disclosing his HackerOne report including the second spp bug description. | * 2024-04-25 TheFloW for disclosing his HackerOne report including the second spp bug description. | ||
==== Analysis ==== | ==== Analysis ==== | ||
Line 830: | Line 809: | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
A malicious PPPoE server can cause denial-of-service or remote code execution in kernel context on the PS4/PS5 | A malicious PPPoE server can cause denial-of-service or potentially remote code execution in kernel context on the PS4/PS5. There are two vulnerabilities that can be chained together to cause remote kernel Denial of Service, kernel ASLR defeat or kernel code execution : Heap buffer overwrite and overread in sppp_lcp_RCR and sppp_ipcp_RCR (CVE-2006-4304) and Integer underflow in sppp_pap_input leading to heap-buffer overread (no-CVE). | ||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https://github.com/iMrDJAi/FreeBSD9-CVE-2006-4304 CVE-2006-4304 PoC for FreeBSD9 by iMrDJAi (2024-04-07)] | * [https://github.com/iMrDJAi/FreeBSD9-CVE-2006-4304 CVE-2006-4304 PoC for FreeBSD9 by iMrDJAi (2024-04-07)] | ||
* [https://gist.github.com/iMrDJAi/847a4f2eeff9669657ffcdf85ac7a901 CVE-2006-4304 PoC for PS4 and PS5 by iMrDJAi (2024-04-07)] | * [https://gist.github.com/iMrDJAi/847a4f2eeff9669657ffcdf85ac7a901 CVE-2006-4304 PoC for PS4 and PS5 by iMrDJAi (2024-04-07)] | ||
==== Patched ==== | ==== Patched ==== |
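Review bot: The "Your text" side of the Bug Description (the text restored by this undo) is the more accurate of the two and should be the one kept: it qualifies the impact as "potentially remote code execution", and it names the two chained bugs (heap buffer overwrite and overread in sppp_lcp_RCR and sppp_ipcp_RCR, CVE-2006-4304, and the integer underflow in sppp_pap_input leading to a heap-buffer overread, no CVE), which matches the 2024-04-25 credit to TheFloW "for disclosing his HackerOne report including the second spp bug description" in the previous hunk. The "Latest revision" side drops the second bug entirely, so the credit line refers to something the section no longer describes, and it is also missing its terminating period. One nit on the restored text: "kernel code execution : Heap" has a stray space before the colon. Note as well that the hunk headers go from "Line 823" to "Line 803", so this undo removes about twenty lines elsewhere that are not shown in this comparison; worth checking that diff before publishing.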