Editing Vulnerabilities
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 101: | Line 101: | ||
== Usermode Exploits (Game Savedata) == | == Usermode Exploits (Game Savedata) == | ||
=== | === PS2 games savedata exploits === | ||
==== GTA III ==== | |||
* [https://github.com/halpz/re3/blob/9a7fa478578beaba947ea867c15a25e411d641d8/src/save/MemoryCard.cpp#L358 vulnerability] | |||
The game does a copy from the memory card into a fixed-size buffer with size supplied by the savedata. | |||
==== Dark Cloud ==== | |||
= | * [https://www.youtube.com/results?search_query=%22dark+cloud%22+item+glitch+menu+before%3A2008-01-01 video of bug triggering] | ||
Moving the cursor and pressing X on the same frame in the items menu allows us to pick up an item from out-of-bounds memory, which results in exploitable behaviour. | |||
==== Okage Shadow King ==== | |||
* | ===== Credits ===== | ||
* CTurt for discovering these vulnerabilities in September 2021. | |||
* CTurt for public disclosure [https://twitter.com/CTurtE/status/1570189920844804097 on twitter] https://twitter.com/CTurtE/status/1570189920844804097(2022-09-14) | |||
* flatz, balika011, theflow0, chicken(s), PlayStation for helping CTurt | |||
* McCaulay for sharing publicly his implementation in February 2023. | |||
===== Analysis ===== | |||
* [https://mccaulay.co.uk/mast1c0re-part-1-modifying-ps2-game-save-files Writeup part 1 by McCaulay (2023-02-08)] | |||
* | * [https://mccaulay.co.uk/mast1c0re-part-2-arbitrary-ps2-code-execution Writeup part 2 by McCaulay (2023-02-10)] | ||
* | |||
===== Bug Description ===== | |||
Okage Shadow King has a typical stack buffer overflow if you extend the player or town name in a savedata. | |||
* [https://store.playstation.com/en-us/product/UP9000-CUSA02199_00-SCUS971290000001 PS4 digital version CUSA02199 of SCUS97129 on PS Store] | |||
Okage Shadow King for PS4 (CUSA02282) base version (1.00) requires FW version 3.15, although it was compiled with SDK version 3.008.000. Okage Shadow King for PS4 (CUSA02199 and CUSA02282) patch 1.01 requires FW version 4.05. | |||
=== | ===== Exploit Implementation ===== | ||
* [https://github.com/McCaulay/okrager Okrager by McCaulay (2023-02-04)] | |||
===== Patched ===== | |||
'''No'''. Unpatchable in theory. | |||
=== PS4/PS5 PS2emu sandbox escape (mast1c0re) === | === PS4/PS5 PS2emu sandbox escape (mast1c0re) === | ||
Advantages of the PS4/PS5 PS2emu sandbox escape exploit over most WebKit exploits: | Advantages of the PS4/PS5 PS2emu sandbox escape exploit over most WebKit exploits: | ||
* Bigger kernel attack surface (more usermode privileges) versus WebKit very restricted and becoming more and more with firmware revisions. For example, the PS2emu process uses libkernel_sys, which supports nmount and so | * Bigger kernel attack surface (more usermode privileges) versus WebKit very restricted and becoming more and more with firmware revisions. For example, the PS2emu process uses libkernel_sys, which supports nmount and so mount of system partitions, whilst neither libkernel_web nor regular libkernel do. | ||
* 100% reliable versus WebKit exploits becoming less and less stable with firmware revisions | * 100% reliable versus WebKit exploits becoming less and less stable with firmware revisions | ||
* Firmware agnostic (ROP-less code execution) versus almost one WebKit revision every three firmware update | * Firmware agnostic (ROP-less code execution) versus almost one WebKit revision every three firmware update | ||
Line 266: | Line 160: | ||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https://github.com/McCaulay/mast1c0re | * [https://github.com/McCaulay/mast1c0re (2023-02-18)] | ||
==== Patched ==== | ==== Patched ==== | ||
'''No''' as of PS4 FW 11. | '''No''' as of PS4 FW 11.00 and PS5 FW 8.00. Using the game Okage Shadow King, the exploit should work starting from PS4 FW 3.15 and PS5 FW 1.00. | ||
== Usermode Exploits (BD-J) == | == Usermode Exploits (BD-J) == | ||
Line 352: | Line 234: | ||
[https://web.archive.org/web/20231108165430/https://doc.dl.playstation.net/doc/ps4-oss/webkit.html WebKit sources] Currently archived up to version 10.01. Useful for developers that can't access PlayStation URLs and also for when Sony inevitably stops hosting the sources in the future. | [https://web.archive.org/web/20231108165430/https://doc.dl.playstation.net/doc/ps4-oss/webkit.html WebKit sources] Currently archived up to version 10.01. Useful for developers that can't access PlayStation URLs and also for when Sony inevitably stops hosting the sources in the future. | ||
=== FW ?10.00 | === FW ?10.00-11.02? - Unknown heap and string overflow (no CVE) leading to crash === | ||
==== Credits ==== | ==== Credits ==== | ||
* | * debvt for PoC public disclose (2024-08-29) | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://github.com/Debvt/Wm/tree/Root0 | * [https://github.com/Debvt/Wm/tree/Root0] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
* TODO | * TODO | ||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https://github.com/Debvt/Wm/tree/Root0 PoC by | * [https://github.com/Debvt/Wm/tree/Root0 PoC by debvt (2024-08-29)] | ||
==== Patched ==== | ==== Patched ==== | ||
''' | '''Maybe'''. | ||
Tested working on PS4 FWs 10.00-11. | Tested working on PS4 FWs ?10.00-11.02? and PS5 FWs ?6.00-8.60?. | ||
=== FW 10.00-11.02 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to | === FW 10.00-11.02 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to arbitrary RW === | ||
==== Credits ==== | ==== Credits ==== | ||
Line 386: | Line 265: | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
* TODO | |||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
Line 406: | Line 280: | ||
* Sergei Glazunov, Google Project Zero, for reporting the bug in 2013-01 and answering Maddie Stone's questions in 2022 (2013) | * Sergei Glazunov, Google Project Zero, for reporting the bug in 2013-01 and answering Maddie Stone's questions in 2022 (2013) | ||
* Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2022-06-14) | * Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2022-06-14) | ||
* | * Anonymous for making an OOM PoC for webkit-gtk, PS4 and PS5 (2023-10-03) then making an arbitrary RW PoC (PSFree) for webkit-gtk, PS4 6.00-9.60 and PS5 1.00-5.50 (2023-10-24) | ||
* CelesteBlue for testing and porting | * CelesteBlue for testing and porting anonymous' PSFree to PS4 6.00-9.60 and PS5 1.00-5.50 (2023-11-04) | ||
==== Analysis ==== | ==== Analysis ==== | ||
Line 461: | Line 335: | ||
* Simple PoC for ASAN webkit-gtk by Maddie Stone in Maddie Stone's writeups | * Simple PoC for ASAN webkit-gtk by Maddie Stone in Maddie Stone's writeups | ||
* [https://github.com/springsec/CVE-2022-22620/blob/main/CVE-2022-22620_infoleak_exploit.html Information leak PoC for webkit-gtk by springsec] | * [https://github.com/springsec/CVE-2022-22620/blob/main/CVE-2022-22620_infoleak_exploit.html Information leak PoC for webkit-gtk by springsec] | ||
* [https://discord.com OOM PoC for PS4 and PS5 by | * [https://discord.com OOM PoC for PS4 and PS5 by anonymous on ps4-dev discord (to mirror)] | ||
* [https://discord.com Arbitrary RW PoC (PSFree) for PS4 6.00-9.60 and PS5 1.00-5.50 by | * [https://discord.com Arbitrary RW PoC (PSFree) for PS4 6.00-9.60 and PS5 1.00-5.50 by anonymous on ps4-dev discord (to mirror)] | ||
==== Patched ==== | ==== Patched ==== | ||
Line 802: | Line 676: | ||
==== Tested ==== | ==== Tested ==== | ||
Works on 3.15, 3.50 FW. Maybe working on 3.51 FW. | Works on 3.15, 3.50 FW. Maybe working on 3.51 FW. | ||
---- | ---- | ||
Line 940: | Line 788: | ||
=== Module imports table cleaned before execution === | === Module imports table cleaned before execution === | ||
* Between 1.76 and 4.05, Sony did that to prevent | * Between 1.76 and 4.05, Sony did that to prevent webkit exploiters from defeating usermode ASLR easily. | ||
* Now we have to dump entire usermode sandboxed memory, and by studying it we can defeat ASLR: | * Now we have to dump entire usermode sandboxed memory, and by studying it we can defeat ASLR: | ||
1. Chose a function (ex: __stack_chk_fail) imported from libkernel.sprx by libSceWebkit2.sprx | 1. Chose a function (ex: __stack_chk_fail) imported from libkernel.sprx by libSceWebkit2.sprx | ||
Line 953: | Line 801: | ||
=== DEP / NX === | === DEP / NX === | ||
* "Data Execution Prevention" / "No eXecute" is enabled on all firmwares. It prevents allocating memory as both RW and RX at same time (RWX) so preventing us from writing shellcode to usermode memory then executing it. | * "Data Execution Prevention" / "No eXecute" is enabled on all firmwares. It prevents allocating memory as both RW and RX at same time (RWX) so preventing us from writing shellcode to usermode memory then executing it. | ||
* 2 ways to bypass this security: JiT vulnerability (FW <= 1.76) or ROP (all FWs). | * 2 ways to bypass this security: JiT vulnerability (FW <= 1.76) or ROP (all FWs). | ||
=== JiT removed from webbrowser === | === JiT removed from webbrowser === | ||
* On FW <= 1.76, you could map RWX memory from ROP by abusing the JiT functionality and the sys_jitshm_create and sys_jitshm_alias system calls. This however was fixed after 1.76, as WebKit has been split into two processes. One handles javascript compilation and the other handles other web page elements like image rendering and DOM. The second process will request JiT memory upon hitting JavaScript via IPC (Inter-Process Communication). Since we no longer have access to the process responsible for JiT, we can no longer (at least currently), map RWX memory for proper code execution unless the kernel is patched. | * On FW <= 1.76, you could map RWX memory from ROP by abusing the JiT functionality and the sys_jitshm_create and sys_jitshm_alias system calls. This however was fixed after 1.76, as WebKit has been split into two processes. One handles javascript compilation and the other handles other web page elements like image rendering and DOM. The second process will request JiT memory upon hitting JavaScript via IPC (Inter-Process Communication). Since we no longer have access to the process responsible for JiT, we can no longer (at least currently), map RWX memory for proper code execution unless the kernel is patched. | ||
* Checking the source code at [https://doc.dl.playstation.net/doc/ps4-oss/webkit.html ps4-oss], starting as early as FW 6.00, ENABLE_JIT=OFF for -DPORT=PlayStation4. It means that JIT functionality is completely removed from WebKit and there is no JIT coprocess that is allowed to request RWX memory to even attack. Even if there are JIT bugs that can lead us to request RWX memory in other platforms, we can't on the PS4 as there is no longer any JIT process. Unchecked all source codes, JIT process could have been removed earlier than 6.00. All exploits must use ROP. | * Checking the source code at [https://doc.dl.playstation.net/doc/ps4-oss/webkit.html ps4-oss], starting as early as FW 6.00, ENABLE_JIT=OFF for -DPORT=PlayStation4. It means that JIT functionality is completely removed from WebKit and there is no JIT coprocess that is allowed to request RWX memory to even attack. Even if there are JIT bugs that can lead us to request RWX memory in other platforms, we can't on the PS4 as there is no longer any JIT process. Unchecked all source codes, JIT process could have been removed earlier than 6.00. All exploits must use ROP. | ||
Line 964: | Line 810: | ||
=== Syscalls removed === | === Syscalls removed === | ||
=== Syscall 0 disabled i.e Error Kernel: The application directly issues a syscall instruction (24) === | === Syscall 0 disabled i.e Error Kernel: The application directly issues a syscall instruction (24) === | ||
Line 978: | Line 822: | ||
=== bpf_open function blocked for unprivileged processes === | === bpf_open function blocked for unprivileged processes === | ||
* On 5.50, opening BPF has been blocked for unprivileged processes such as WebKit and other apps/games. It's still present in the sandbox, however attempting to open it will fail and yield EPERM. This aims blocking BPF kernel exploits especially qwertyoruiop's BPF double free UAF. | * On 5.50, opening BPF has been blocked for unprivileged processes such as WebKit and other apps/games. It's still present in the sandbox, however attempting to open it will fail and yield EPERM. This aims blocking BPF kernel exploits especially qwertyoruiop's BPF double free UAF. | ||
=== bpf_ioctl function blocked or removed === | === bpf_ioctl function blocked or removed === | ||
* Moreover, on FW 5.50+, opening BPF is still possible in less sandboxed apps like test/devkits fselfs. But this is useless because ioctl does not work. | |||
* | |||
=== Device access blocked/removed from webbrowser === | === Device access blocked/removed from webbrowser === | ||
* Around 6.50-6.70, device access got blocked or removed. Now you can no longer access devices from | * Around 6.50-6.70, device access got blocked or removed. Now you can no longer access devices from webbrowser | ||
=== | === WebKit implements pointer poisoning for 6.xx firmwares === | ||
* For select types implemented by WebKit (such as JSC::JSFunction), certain pointer fields are XOR'ed by a cryptographic key generated at runtime. The key is generated once every process launch, one must recover it to unpoison the pointers. | * For select types implemented by WebKit (such as JSC::JSFunction), certain pointer fields are XOR'ed by a cryptographic key generated at runtime. The key is generated once every process launch, one must recover it to unpoison the pointers. | ||
Line 1,003: | Line 845: | ||
* 2024-03 iMrDJAi for porting CVE-2006-4304 to PS4 and PS5. | * 2024-03 iMrDJAi for porting CVE-2006-4304 to PS4 and PS5. | ||
* 2024-04-25 TheFloW for disclosing his HackerOne report including the second spp bug description. | * 2024-04-25 TheFloW for disclosing his HackerOne report including the second spp bug description. | ||
* 2024-04-30 | * 2024-04-30 TheFLoW for releasing his exploit code for PS4 9.00 and 11.00. | ||
==== Analysis ==== | ==== Analysis ==== |