Editing Vulnerabilities
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 127: | Line 127: | ||
* [https://github.com/TheOfficialFloW/Presentations/blob/master/2022-hardwear-io-bd-jb.pdf Pages 27 and 28 of slides presented at hardwear.io by TheFloW (2022-06-10)] | * [https://github.com/TheOfficialFloW/Presentations/blob/master/2022-hardwear-io-bd-jb.pdf Pages 27 and 28 of slides presented at hardwear.io by TheFloW (2022-06-10)] | ||
* [https://twitter.com/theflow0/status/1701154155744645349 Removed tweet of BD-JB2 logs on a 7.61 PS5 by TheFloW (2023-09-11)] | * [https://twitter.com/theflow0/status/1701154155744645349 Removed tweet of BD-JB2 logs on a 7.61 PS5 by TheFloW (2023-09-11)] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
Basing on | Basing on BD-JB1 exploit files, in /bdmv/bdjo.xml changing bdjo/applicationManagementTable/baseDirectory to a path of the form `file:///app0/cdc/lib/../../../disc/BDMV/JAR/00000.jar` allows loading a JAR Java executable file. | ||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https://twitter.com/theflow0/status/1717088032031982066 | * [https://twitter.com/theflow0/status/1717088032031982066 PoC by TheFloW (2023-10-25)] | ||
==== Patched ==== | ==== Patched ==== | ||
'''No''' as of PS4 FW 10.71 (maybe patched on PS4 FW 11.00). '''Yes''' on PS5 FW 8.00 | '''No''' as of PS4 FW 10.71 (maybe patched on PS4 FW 11.00). '''Yes''' on PS5 FW 8.00. | ||
=== FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW === | === FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW === | ||
Line 153: | Line 151: | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
TO ADD DESCRIPTION OF EACH ONE OF THE 5 BUGS: | |||
* #1 com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl userprefs hijack leading to classes instantiation under privileged context (affecting ?PS3?, PS4, PS5) | |||
* #2 com.oracle.security.Service leading to privileged constructor call (affecting ?PS3?, PS4, not PS5) | |||
* #3 com.sony.gemstack.org.dvb.io.ixc.IxcProxy leading to privileged method call (affecting ?PS3?, PS4, PS5) | |||
* #4 JIT compiler hack leading to usermode arbitrary RW and arbitrary usermode code execution (affecting ?PS3?, PS4, not PS5) | |||
* #5 UDF buffer overflow kernel exploit (affecting ?PS3?, PS4, PS5) | |||
This exploit chain alone does not allow one to run pirated games on PS4 or PS5 as there is not enough RAM allowed in the BD-J process and there are other constraints. | |||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== |