Editing Vulnerabilities
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
== | == To sort exploits == | ||
=== Decryption of any GEN3 PUP === | |||
* Discovered by flatz. | |||
* A bug in the handlers of PUP decryption allows any PS4 on FW 1.62 GEN3 or below to decrypt any GEN3 PUP (retail, testkit, devkit, beta) with a version above 1.00 (post-prototype). | |||
* SM code doesn't reset state after SMI checks failure, so to decrypt arbitrary PUP, you need to ignore mailbox error after PupDecryptHeader cmd (1). | |||
* Fixed around 1.70 | |||
=== Decryption of any usermode SELF from FW 1.00 to 3.70 === | |||
* Sony reused keys from FW 1.00 to 3.70 on usermode modules. As a result, any usermode module from those FWs can be decrypted on a PS4 running FW between 1.00 and 3.70. | |||
* Fixed in 4.00 with the introduction of new keyset. | |||
=== .strtab/.symtab kernel table of symbols kept on very low FWs === | |||
* Sony used to have two tables of symbols on very low versions: .strtab/.symtab and .dynstr/.dynsym (.strtab/.symtab had all symbols, .dynstr/.dynsym had ~75% of them). | |||
* Seen in 1.01 kernel. Patched in 1.03. | |||
=== .dynstr/.dynsym kernel table of symbols kept on low FWs === | |||
* After Sony removed .strtab/.symtab, they still kept the .dynstr/.dynsym one. | |||
* Patched in 2.50 | |||
=== IDPS leak in sceSblAuthMgrDriveData on low retail FWs === | |||
* Discovered by flatz. | |||
* Dump IDPS from 2 EID blocks from kernel: sceSblAuthMgrDriveData(0, in_buf, 0x160, out_buf, 0xA4, 1). Pass 0x160 bytes at 0x90C00 from sflash0s1.crypt into `in_buf` and dump `out_buf`. | |||
* It is possible because someone from sony forgot to encrypt output and that is how it was patched later. | |||
* Patched in 3.00 retail. Works on any TestKit/DevKit FW. | |||
=== Partial SAMU KeyRings bruteforce by missing HMAC length check in secure kernel === | |||
* Discovered by flatz. | |||
* PS4 Crypto Coprocessor (CCP) interface in secure kernel has a bug that allows to dump (or better saying, bruteforce) key rings from SAMU. | |||
That is how AES/HMAC keys from PFS, portability keys, VTRM keys, etc can be retrieved. A crypto flaw was in ability to issue HMAC operation with key length < 16, for example, by setting it to 1 you can bruteforce key bytes one by one by comparing HMAC result with HMAC result with known partial key. | |||
* This trick may work on other crypto hardware as well if it does not restrict key lengths. Amazingly, Intel Secure Key Storage (SKS) of CSME subsystem also has a bug allowing to brute-force any key slot, but the issue exists at hardware level - insecure design of the keys distribution to crypto engines (AES, SHA, RC4). Intel didn't recognize the bug arguing that to access SKS the CSME privileged arbitrary code execution is required, but SKS is exactly designed to protect the ROM generated keys from CSME firmware... | |||
Related: | |||
* https://twitter.com/qlutoo/status/1027691272369262594 | |||
* https://yifan.lu/2017/02/19/psvimgtools-decrypt-vita-backups/ | |||
* https://www.lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/ | |||
* [https://gist.github.com/flatz/22215327864d7512e52268f9c9c51cd8 Exploit PoC for PS4 FW 7.55] | |||
* Patched since a FW between 7.55 (unpatched) and 9.00 (patched). | |||
=== Crashdumps encryption using symmetrical key and same key across FW === | |||
* [https://fail0verflow.com/blog/2017/ps4-crashdump-dump/#crashdump-decryptor see FoF article] | |||
* The keys never changed between 1.01 and 3.15 FWs. Then between 3.50 and 4.07 FWs they changed the keys many times but still used symmetrical key. | |||
* Patched on FW 4.50 by using asymmetrical key. Tested between 1.01 and 4.07 FWs. | |||
== Hardware Exploits == | |||
=== PCIe man-in-the-middle attack === | |||
* First done on 1.01 by failoverflow on PS4 launch ! | |||
* Detailed at 33c3: [https://fail0verflow.com/media/33c3-slides/#/5 33c3 slides by Marcan] | |||
* Permits kernel and usermode dumping | |||
=== Syscon glitching === | |||
It is possible to glitch the [[Syscon]] debug interface to allow access and dump keys. It was originally done by an anonymous member of fail0verflow. | |||
=== Aeolia and Belize (Southbridge) SCA/DPA === | |||
Side Channel Analysis (SCA) with Differential Power Analysis (DPA) on Aeolia and Belize (PS4 Southbridge revisions) has been shown to be able to recover key material. Since Sony never used private/public key pairs, it is possible to exploit this and gain complete control over the [[Southbridge]]. You can attack the main FreeBSD kernel from here. | |||
Nearly same methods are working on recent PS4 Pro motherboard NVB-003 that has Belize [[Southbridge]] ([[CXD90046GG]]). | |||
Contrarly to Aeolia, Belize has ROM readout protection and clears stack which makes it more secure. | |||
Old notes: | |||
This is a hack to gain unsigned code execution on the [[Southbridge]] for all motherboard/console revisions. You might be able to glitch the EMC bootrom in order to bypass further signature checks and break the chain of trust. This hack might involve slowing down the [[Syscon]] clock. Timing the glitch based on SPI read accesses then either doing a power glitch or clock glitch to skip signature check. If the glitch fails, then we simply reset. This can be done with a very cheap CPLD/FPGA. Most Xbox 360 glitching modchips used a Xilinx Coolrunner because it is cheap and easy to use (board can cost as low as $5). | |||
Related: | |||
* [https://fail0verflow.com/blog/2018/ps4-aeolia/ fail0verflow's writeup] | |||
* [https://twitter.com/fail0verflow/status/1047690778527653889 fail0verflow's tweet] | |||
* [https://www.youtube.com/watch?v=sMroXa-zYxk Playstation 4 Rest Mode DEMO REcon Brussels 2018 by Volodymyr Pikhur] | |||
* [https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2018-Mess-with-the-best-die-like-the-rest_(mode).pdf Slides of REcon Brussels 2018 by Volodymyr Pikhur] | |||
* [https://www.psxhax.com/threads/ps4-southbridge-reverse-engineered-code-examination-by-jogolden.6736/ jogolden's writeup] | |||
== Usermode Exploits (Game Savedata) == | |||
=== PS2 games savedata exploits === | === PS2 games savedata exploits === | ||
See [ | See [https://www.psdevwiki.com/ps2/Vulnerabilities#PS2_Savedata_exploits PS2 savedata exploits on PS2 Dev Wiki]. | ||
Official PS2onPS4 games sold on the PS Store (as of May 31, 2020): | |||
* The King of Fighters Collection: The Orochi Saga | |||
* The King of Fighters '98 Ultimate Match | |||
* The King of Fighters 2000 | |||
* Jak II: Renegade | |||
* Jak 3 | |||
* Jak X: Combat Racing | |||
* Jak and Daxter: The Precursor Legacy | |||
* Art of Fighting Anthology | |||
* Red Faction | |||
* Red Faction II | |||
* Star Ocean Till The End Of Time | |||
* Resident Evil Code: Veronica X | |||
* Harvest Moon: Save the Homeland | |||
* Harvest Moon: A Wonderful Life Special Edition | |||
* Fatal Fury Battle Archives Vol. 2 | |||
* ADK Damshii | |||
* Fu'un Super Combo | |||
* Destroy All Humans! | |||
* Destroy All Humans! 2 | |||
* Samurai Shodown VI | |||
* Red Dead Revolver | |||
* Metal Slug Anthology | |||
* Everybody's Tennis | |||
* Indigo Prophecy | |||
* Ape Escape 2 | |||
* Psychonauts | |||
* The Warriors | |||
* Forbidden Siren | |||
* Primal | |||
* Kinetica | |||
* Wild Arms 3 | |||
* Max Payne | |||
* Okage: Shadow King | |||
* Bully | |||
* Manhunt | |||
* Rise of the Kasai | |||
* Puzzle Quest: Challenge of the Warlords | |||
* Dark Chronicle | |||
* Star Wars Bounty Hunter | |||
* Star Wars Racer Revenge | |||
* Arc the Lad: Twilight of the Spirits | |||
* FantaVision | |||
* PaRappa the Rapper 2 | |||
* Dark Cloud | |||
* GTA III | |||
* GTA Vice City | |||
* GTA San Andreas | |||
* Rogue Galaxy | |||
* The Mark of Kri | |||
* Twisted Metal: Black | |||
* War of the Monsters | |||
Official PS2onPS4 games sold on Bluray Discs: | |||
* Jak X Combat Racing™® UP9000-CUSA07842 | |||
* Jak II UP9000-CUSA07840 | |||
* Jak 3 UP9000-CUSA07841 | |||
* Jak and Daxter: The Precursor Legacy™ UP9000-CUSA02522_00-SCUS971240000001 https://image.api.playstation.com/cdn/UP9000/CUSA02522_00/o9zJoXqpd4lzarjIbvvZLFjYGLsLvqCp.png | |||
* Psychonauts UP2154-CUSA03881 | |||
* Red Faction 2 UP4389-CUSA06405 | |||
* Red Faction UP4389-CUSA06402 | |||
* Star Wars Racers Revenge UP1082-CUSA03474 | |||
* STAR WARS™ BOUNTY HUNTER™ (US version) UP1082-CUSA03472_00-SLUS204200000001 | |||
* STAR WARS™ BOUNTY HUNTER™ (EU version) EP1006-CUSA03493_00-SLES508310000001 | |||
* Indigo Prophecy™ UP1642-CUSA04798 | |||
* ADK Damashii UP0576-CUSA03783 | |||
* Fu'un Super Combo v2 UP0576-CUSA03784 | |||
* METAL SLUG ANTHOLOGY™ (US version by Limited Run #364) UP0576-CUSA03749_00-SLUS215500000001 https://image.api.playstation.com/cdn/UP0576/CUSA03749_00/ImHDRENlttkdiXlm3K8ejNVgLURd3uTw.png | |||
* METAL SLUG ANTHOLOGY™ (EU version by SNK) EP0576-CUSA04156_00-SLES546770000001 https://image.api.playstation.com/cdn/EP0576/CUSA04156_00/NN7npbsEvxIRGI8lBVhm9I5BwFzdGlOK.png | |||
* Destroy All Humans! (2005) (PS2 Classic by Limited Run #370, not to be confused with the remake EP4389-CUSA14910_00-DAH1REMAKEEU0000) UP4389-CUSA05232_00-SLUS209450000001 https://image.api.playstation.com/cdn/UP4389/CUSA05232_00/XrgVkqoR5rvZk4tAGi2j7OFfHpAZWKUu.png | |||
These PS2onPS4 games can be bought online directly via Limited Run Games for brand new or for example on Ebay for second hand or like new. | |||
=== PS4/PS5 PS2emu sandbox escape (mast1c0re) === | === PS4/PS5 PS2emu sandbox escape (mast1c0re) === | ||
Line 46: | Line 205: | ||
'''No''' as of PS4 FW 11.50 and PS5 FW 8.00. Using the PS2onPS4 game Okage Shadow King, the exploit should work starting from PS4 FW 3.15 and PS5 FW 1.00. | '''No''' as of PS4 FW 11.50 and PS5 FW 8.00. Using the PS2onPS4 game Okage Shadow King, the exploit should work starting from PS4 FW 3.15 and PS5 FW 1.00. | ||
=== PS4/PS5 game savedata | === PS4/PS5 game savedata LUA exploit === | ||
* Used by Flatz on 2023-07-27 in [https://wololo.net/2023/07/28/ps5-flat_z-dumps-ps5-secure-processor-confirms-he-has-a-ps5-hypervisor-exploit-via-a-ps4-game-save-exploit/ his Hypervisor exploit]. | * Used by Flatz on 2023-07-27 in [https://wololo.net/2023/07/28/ps5-flat_z-dumps-ps5-secure-processor-confirms-he-has-a-ps5-hypervisor-exploit-via-a-ps4-game-save-exploit/ his Hypervisor exploit]. | ||
* Used by Flatz on 2024-09-14 in [https://gist.github.com/flatz/5e12f75cdb210516d31df03069f7ed0a his implementation of the umtx UaF kernel exploit]. | * Used by Flatz on 2024-09-14 in [https://gist.github.com/flatz/5e12f75cdb210516d31df03069f7ed0a his implementation of the umtx UaF kernel exploit]. | ||
* Some PS4 (or maybe PS5) games, in disc version (probably also available in PS Store version but potentially patched), can be exploited as they use some LUA interpreter, by crafting an evil save data. | |||
Some PS4 ( | |||
* Possible vulnerable games: Pay Day 2, Mafia III, God of War (which one?). | |||
* Not patched as of PS4 FW ?12.00? and PS5 FW 7.61. | |||
* | |||
== Usermode Exploits (BD-J) == | == Usermode Exploits (BD-J) == | ||
Line 125: | Line 232: | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://twitter.com/theflow0/status/1701154155744645349 Removed tweet of BD-JB2 logs on a 7.61 PS5 by TheFloW (2023-09-11)] | * [https://twitter.com/theflow0/status/1701154155744645349 Removed tweet of BD-JB2 logs on a 7.61 PS5 by TheFloW (2023-09-11)] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
Basing on | Basing on BD-JB1 exploit files, in /bdmv/bdjo.xml changing bdjo/applicationManagementTable/baseDirectory to a path of the form `file:///app0/cdc/lib/../../../disc/BDMV/JAR/00000.jar` allows loading a JAR Java executable file. | ||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https://twitter.com/theflow0/status/1717088032031982066 | * [https://twitter.com/theflow0/status/1717088032031982066 PoC by TheFloW (2023-10-25)] | ||
==== Patched ==== | ==== Patched ==== | ||
'''No''' as of PS4 FW 10.71 (maybe patched on PS4 FW 11.00). '''Yes''' on PS5 FW 8.00 | '''No''' as of PS4 FW 10.71 (maybe patched on PS4 FW 11.00). '''Yes''' on PS5 FW 8.00. | ||
=== FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW === | === FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW === | ||
Line 153: | Line 257: | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
TO ADD DESCRIPTION OF EACH ONE OF THE 5 BUGS: | |||
* #1 com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl userprefs hijack leading to classes instantiation under privileged context (affecting ?PS3?, PS4, PS5) | |||
* #2 com.oracle.security.Service leading to privileged constructor call (affecting ?PS3?, PS4, not PS5) | |||
* #3 com.sony.gemstack.org.dvb.io.ixc.IxcProxy leading to privileged method call (affecting ?PS3?, PS4, PS5) | |||
* #4 JIT compiler hack leading to usermode arbitrary RW and arbitrary usermode code execution (affecting ?PS3?, PS4, not PS5) | |||
* #5 UDF buffer overflow kernel exploit (affecting ?PS3?, PS4, PS5) | |||
This exploit chain alone does not allow one to run pirated games on PS4 or PS5 as there is not enough RAM allowed in the BD-J process and there are other constraints. | |||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
Line 194: | Line 284: | ||
=== WebKit sources === | === WebKit sources === | ||
[https://doc.dl.playstation.net/doc/ps4-oss/webkit.html WebKit sources] | [https://web.archive.org/web/20231108165430/https://doc.dl.playstation.net/doc/ps4-oss/webkit.html WebKit sources] Currently archived up to version 10.01. Useful for developers that can't access PlayStation URLs and also for when Sony inevitably stops hosting the sources in the future. | ||
=== FW ?10.00?-11.52 - Unknown heap and string overflow (no CVE) leading to crash === | |||
=== FW ? | |||
==== Credits ==== | ==== Credits ==== | ||
* | * Debty for PoC public disclose (2024-08-29) | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://github.com/ | * [https://github.com/Debvt/Wm/tree/Root0 PoC and analysis by Debty (2024-08-29)] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
* TODO | * TODO | ||
Implementation description by Debty:<br /> | |||
String exploit is not actually an exploit but just a memory exhauster. It is not actually viable so instead there is a feature called "latest iteration". | |||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https://github.com/ | * [https://github.com/Debvt/Wm/tree/Root0 PoC by Debty (2024-08-29)] | ||
==== Patched ==== | ==== Patched ==== | ||
''' | '''Yes''' on PS4 FW 12.00 and PS5 FW 10.00. | ||
Tested working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60. | |||
=== FW | === FW 10.00-11.02 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to arbitrary RW === | ||
==== Credits ==== | ==== Credits ==== | ||
* | * ENKI for public disclose and analysis (2024-06-03) | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https:// | * [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc Analysis by ENKI (2024-06-03)] | ||
* [https://github.com/WebKit/WebKit/commit/ | * [https://github.com/WebKit/WebKit/commit/1b0741f400ee2d31931ae30f2ddebe66e8fb0945 Patch commit #1 (2023-07-31)] | ||
* [https://github.com/WebKit/WebKit/commit/39476b8c83f0ac6c9a06582e4d8e5aef0bb0a88f Patch commit #2 (2023-05-01)] | |||
* [https://www.zerodayinitiative.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons Inverting Your Assumptions: A Guide to JIT Comparisons by Jasiel Spelman (2018-04-12)] | |||
==== Bug Description ==== | ==== Bug Description ==== | ||
* TODO | |||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https:// | * [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc PoC by ENKI (2024-06-03)] | ||
==== Patched ==== | ==== Patched ==== | ||
''' | '''Yes''' on PS4 FW 11.50 and PS5 FW 9.00. | ||
Tested working on PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60. PS4 FWs <= ?9.60? and PS5 FWs <= ?5.50? are invulnerable. | |||
=== FW 6.00-9.60 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW === | === FW 6.00-9.60 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW === | ||
Line 301: | Line 335: | ||
* Sergei Glazunov, Google Project Zero, for reporting the bug in 2013-01 and answering Maddie Stone's questions in 2022 (2013) | * Sergei Glazunov, Google Project Zero, for reporting the bug in 2013-01 and answering Maddie Stone's questions in 2022 (2013) | ||
* Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2022-06-14) | * Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2022-06-14) | ||
* | * Anonymous for making an OOM PoC for webkit-gtk, PS4 and PS5 (2023-10-03) then making an arbitrary RW PoC (PSFree) for webkit-gtk, PS4 6.00-9.60 and PS5 1.00-5.50 (2023-10-24) | ||
* CelesteBlue for testing and porting | * CelesteBlue for testing and porting anonymous' PSFree to PS4 6.00-9.60 and PS5 1.00-5.50 (2023-11-04) | ||
==== Analysis ==== | ==== Analysis ==== | ||
Line 356: | Line 390: | ||
* Simple PoC for ASAN webkit-gtk by Maddie Stone in Maddie Stone's writeups | * Simple PoC for ASAN webkit-gtk by Maddie Stone in Maddie Stone's writeups | ||
* [https://github.com/springsec/CVE-2022-22620/blob/main/CVE-2022-22620_infoleak_exploit.html Information leak PoC for webkit-gtk by springsec] | * [https://github.com/springsec/CVE-2022-22620/blob/main/CVE-2022-22620_infoleak_exploit.html Information leak PoC for webkit-gtk by springsec] | ||
* [https://discord.com OOM PoC for PS4 and PS5 by | * [https://discord.com OOM PoC for PS4 and PS5 by anonymous on ps4-dev discord (to mirror)] | ||
* [https://discord.com Arbitrary RW PoC (PSFree) for PS4 6.00-9.60 and PS5 1.00-5.50 by | * [https://discord.com Arbitrary RW PoC (PSFree) for PS4 6.00-9.60 and PS5 1.00-5.50 by anonymous on ps4-dev discord (to mirror)] | ||
==== Patched ==== | ==== Patched ==== | ||
Line 364: | Line 398: | ||
The patch changes the stateObject argument to loadInSameDocument from a raw pointer, SerializedScriptValue*, to a reference-counted pointer, RefPtr<SerializedScriptValue>, so that loadInSameDocument now increments the reference count on the object. | The patch changes the stateObject argument to loadInSameDocument from a raw pointer, SerializedScriptValue*, to a reference-counted pointer, RefPtr<SerializedScriptValue>, so that loadInSameDocument now increments the reference count on the object. | ||
Tested working on PS4 FWs 6.00-9.60 and PS5 FWs 1.00-5.50. PS4 FWs <= 5.56 are invulnerable as the HTML input field stays focused (blue outline) after second timeout whilst it should not if the console were exploitable. | Tested working on PS4 FWs 6.00-9.60 and PS5 FWs 1.00-5.50. PS4 FWs <= 5.56 are invulnerable as the HTML input field stays focused (blue outline) after second timeout whilst it should not if the console were exploitable. | ||
=== FW 9.00-9.04 - WebCore::CSSFontFaceSet vulnerabilities leading to arbitrary RW === | === FW 9.00-9.04 - WebCore::CSSFontFaceSet vulnerabilities leading to arbitrary RW === | ||
Line 389: | Line 421: | ||
* [https://github.com/WebKit/WebKit/commit/fbf37d27e313d8d0a150a74cc8fab956eb7f3c59 WebKit fix commit by Myles C. Maxfield merged by Russell Epstein (2021-09-09)] | * [https://github.com/WebKit/WebKit/commit/fbf37d27e313d8d0a150a74cc8fab956eb7f3c59 WebKit fix commit by Myles C. Maxfield merged by Russell Epstein (2021-09-09)] | ||
* [https://github.com/WebKit/WebKit/blob/74bd0da94fa1d31a115bc4ee0e3927d8b2ea571e/Source/WebCore/css/CSSFontFaceSet.cpp#L223 Part of vulnerable code] | * [https://github.com/WebKit/WebKit/blob/74bd0da94fa1d31a115bc4ee0e3927d8b2ea571e/Source/WebCore/css/CSSFontFaceSet.cpp#L223 Part of vulnerable code] | ||
* [https://web.archive.org/web/20211020134808/https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html (archive) Write-up and PoC by Maddie Stone (2021-10-13)]. Maddie Stone's vulnerability is not CVE-2021-30858 but | * [https://web.archive.org/web/20211020134808/https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html (archive) Write-up and PoC by Maddie Stone (2021-10-13)]. Maddie Stone's vulnerability is not CVE-2021-30858 but was guessed to be by Maddie Stone. See [https://github.com/googleprojectzero/0days-in-the-wild/commit/65fcdf0473ada4e80dc967662ea8f3f3ce4ea81e#diff-1a428c43cedcf140e5bd6f92e4527f169c3c717780e1586f2fab589e4f467b52 write-up edit commit]. Warning: Maddie Stone's vulnerability was wrongly classified as a use-after-free by Maddie Stone according to sleirsgoevy. | ||
* [https://wololo.net/2021/10/14/use-after-free-webkit-vulnerability-impacts-ps4-possibly-up-to-firmware-9-00-included/ Vulnerability description by Wololo (2021-10-14)] | * [https://wololo.net/2021/10/14/use-after-free-webkit-vulnerability-impacts-ps4-possibly-up-to-firmware-9-00-included/ Vulnerability description by Wololo (2021-10-14)] | ||
Line 395: | Line 427: | ||
Description in WebKit fix commit by Myles C. Maxfield: | Description in WebKit fix commit by Myles C. Maxfield: | ||
After r256659, asking for a failed CSSFontFace's families() returns nullopt. It | After r256659, asking for a failed CSSFontFace's families() returns nullopt. It's possible to add a failed font to a CSSFontFaceSet (of course). When we do that, we recognize the font is failed and do not update our internal data structures, because there's no need to - we cannot do anything useful with a failed font. If you _then_ try to remove the font from the CSSFontFace, we do not call families(), but instead just pull out the raw m_families member, and look in our internal data structures for it, but we do not find it, because it was never added. | ||
Description in Maddie Stone's write-up: | Description in Maddie Stone's write-up: | ||
Line 407: | Line 439: | ||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https://web.archive.org/web/20211024215236/http://vdsina.sleirsgoevy.dynv6.net:8081/ (archive) First exploit PoC for Safari by sleirsgoevy (2021-10-24)] | * [https://web.archive.org/web/20211024215236/http://vdsina.sleirsgoevy.dynv6.net:8081/ (archive) First exploit PoC for Safari by sleirsgoevy (2021-10-24)] | ||
* [https://gist.github.com/sleirsgoevy/6beca32893909095f4bba1ce29167992 First exploit PoC for PS4 FW 9.00-9.04 and PS5 FW 3.00-4. | * [https://gist.github.com/sleirsgoevy/6beca32893909095f4bba1ce29167992 First exploit PoC for PS4 FW 9.00-9.04 and PS5 FW 3.00-4.50 by sleirsgoevy (2021-10-27)] | ||
* [https://github.com/ChendoChap/pOOBs4/blob/main/webkit.js Implementation for PS4 FW 9.00 with exFAT kernel exploit in pOOBs4 by ChendoChap (2022-01-17)] | * [https://github.com/ChendoChap/pOOBs4/blob/main/webkit.js Implementation for PS4 FW 9.00 with exFAT kernel exploit in pOOBs4 by ChendoChap (2022-01-17)] | ||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' on PS4 FW 9.50 and '''No''' as of PS5 FW 4. | '''Yes''' on PS4 FW 9.50 and '''No''' as of PS5 FW 4.50. | ||
Might have been introduced in PS4 FW 3.50 and before PS5 FW 1.00 according to dates (need to check). However the vulnerability cannot be exploited in some conditions depending on how WebKit was compiled. For example, on PS4 FWs 7.55-8. | Might have been introduced in PS4 FW 3.50 and before PS5 FW 1.00 according to dates (need to check). However the vulnerability cannot be exploited in some conditions depending on how WebKit was compiled. For example, on PS4 FWs 7.55-8.53 and PS5 FWs <= 2.00, the FontFaceSet constructor returns with an exception that is propagated to JavaScript, preventing exploitation this way. | ||
Tested working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.50. Untested: PS5 FWs 2.10-2.50, 4.51. | |||
Tested working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4. | |||
=== FW 6.00-7.55 - WebCore::ValidationMessage::buildBubbleTree() UaF leading to arbitrary RW === | === FW 6.00-7.55 - WebCore::ValidationMessage::buildBubbleTree() UaF leading to arbitrary RW === | ||
Line 445: | Line 475: | ||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' in 8.00 FW. | '''Yes''' in 8.00 FW. Tested working on FWs 6.00-7.55, not working on FWs <= 5.56. HTML textarea guessed addresses for FWs 6.70-7.55 are known but not for FWs 6.00-6.51 so an attacker needs to make tests to determine these addresses on FWs 6.00-6.51. | ||
Tested working on FWs 6.00-7.55, not working on FWs <= 5.56. HTML textarea guessed addresses for FWs 6.70-7.55 are known but not for FWs 6.00-6.51 so an attacker needs to make tests to determine these addresses on FWs 6.00-6.51. | |||
=== FW 6.00-6.72 - bad_hoist Type Confusion exploit (CVE-2018-4386) leading to arbirary RW === | === FW 6.00-6.72 - bad_hoist Type Confusion exploit (CVE-2018-4386) leading to arbirary RW === | ||
Line 492: | Line 518: | ||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' in 7.00 FW. | '''Yes''' in 7.00 FW. Vulnerable on PS4 FWs 4.50-6.72. Not vulnerable on FWs <= 4.07. Not vulnerable on FWs >=7.00 according to manual tests but need to check WebKit sources. | ||
Vulnerable on PS4 FWs 4.50-6.72. Not vulnerable on FWs <= 4.07. Not vulnerable on FWs >=7.00 according to manual tests but need to check WebKit sources. | |||
---- | ---- | ||
Line 518: | Line 541: | ||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' in 6.50 FW. | '''Yes''' in 6.50 FW. It does not work on <= 4.07 FW PS4 according to tests as the exploit fails at step "Triggering memory corruption". | ||
It does not work on <= 4.07 FW PS4 according to tests as the exploit fails at step "Triggering memory corruption". | |||
---- | ---- | ||
Line 662: | Line 682: | ||
==== Tested ==== | ==== Tested ==== | ||
Works on 3.15-4.07. Not working on <= 3.11. | Works on 3.15-4.07. Not working on <= 3.11. | ||
---- | ---- | ||
Line 719: | Line 692: | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://blog.xyz.is/2016/webkit-360.html PSVita 3.60 | * [https://blog.xyz.is/2016/webkit-360.html PSVita 3.60 HENKaku WebKit exploit writeup] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
Line 737: | Line 710: | ||
=== FW <= 3.50 - WebCore::TimerBase::heapPopMin() Heap UaF leading to crash === | === FW <= 3.50 - WebCore::TimerBase::heapPopMin() Heap UaF leading to crash === | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://github.com/WebKit/WebKit-http/commit/98845d940e30529098eea7e496af02e14301c704 WebKit fix commit ( | * [https://github.com/WebKit/WebKit-http/commit/98845d940e30529098eea7e496af02e14301c704 WebKit fix commit (17-05-2016)] | ||
* [https://xz.aliyun.com/t/292 Summary of Critical and Exploitable iOS Vulnerabilities in 2016 by Min (Spark) Zheng, Cererdlong, Eakerqiu @ Team OverSky] | * [https://xz.aliyun.com/t/292 Summary of Critical and Exploitable iOS Vulnerabilities in 2016 by Min (Spark) Zheng, Cererdlong, Eakerqiu @ Team OverSky] | ||
Line 749: | Line 719: | ||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [http://psxhax.com/threads/ps4-3-50-webkit-exploit-from-playstation-4-dev-qwertyoruiop.450/ Article about qwertyoruiop's tests ( | * [http://psxhax.com/threads/ps4-3-50-webkit-exploit-from-playstation-4-dev-qwertyoruiop.450/ Article about qwertyoruiop's tests (20-05-2016)] | ||
* [http://psxhax.com/threads/ps4-heap-use-after-free-at-webcore-3-50-poc-by-hunter128.452/ Article about initial PoC for PS4 ( | * [http://psxhax.com/threads/ps4-heap-use-after-free-at-webcore-3-50-poc-by-hunter128.452/ Article about initial PoC for PS4 (21-05-2016)] | ||
* [http://wololo.net/talk/viewtopic.php?t=45888 Initial PoC for PS4 ( | * [http://wololo.net/talk/viewtopic.php?t=45888 Initial PoC for PS4 (21-05-2016)] | ||
* [https://web.archive.org/web/20161030085033/http://cryptoanarchic.me/wat.txt iOS 9.3.2 WebKit RCE via heapPopMin (2016 | * [https://web.archive.org/web/20161030085033/http://cryptoanarchic.me/wat.txt iOS 9.3.2 WebKit RCE via heapPopMin (07-2016)] | ||
* [https://twitter.com/qwertyoruiopz/status/756268361282125824 qwertyoruiop's tweet ( | * [https://twitter.com/qwertyoruiopz/status/756268361282125824 qwertyoruiop's tweet (22-07-2016)] | ||
* [https://github.com/Jailbreaks/jbme/tree/master mirror of iOS 9.3.2 WebKit RCE via heapPopMin] | * [https://github.com/Jailbreaks/jbme/tree/master mirror of iOS 9.3.2 WebKit RCE via heapPopMin] | ||
Line 761: | Line 731: | ||
==== Tested ==== | ==== Tested ==== | ||
Works on 3.15, 3.50 FW. Maybe working on 3.51 FW. | Works on 3.15, 3.50 FW. Maybe working on 3.51 FW. | ||
---- | ---- | ||
Line 862: | Line 806: | ||
* Vitaliy Toropov for the exploit on Mac OS X Safari (September 4, 2013) | * Vitaliy Toropov for the exploit on Mac OS X Safari (September 4, 2013) | ||
* nas and Proxima for the first PS4 POC on 1.76 PS4 ( | * nas and Proxima for the first PS4 POC on 1.76 PS4 (Oct. 23, 2014) | ||
* sony for patching the exploit in FW 2.00 ( | * sony for patching the exploit in FW 2.00 (Oct 27, 2014) | ||
* CTurt for the rewriting (PS4 1.76 PlayGround) and implementation with his 1.76 kexploit (December 6, 2015) [https://twitter.com/CTurtE/status/673581693207502849] | * CTurt for the rewriting (PS4 1.76 PlayGround) and implementation with his 1.76 kexploit (December 6, 2015) [https://twitter.com/CTurtE/status/673581693207502849] | ||
Line 887: | Line 831: | ||
==== Tested ==== | ==== Tested ==== | ||
* Working on | * Working on 1.00-1.76 FW, AppleWebKit/531.3-536.26 | ||
* Might work on | * Might work on FW 0.930.020. | ||
== Usermode securities == | == Usermode securities == | ||
Line 957: | Line 870: | ||
* See the PS4 [[Syscalls]] list. | * See the PS4 [[Syscalls]] list. | ||
=== | === Syscall 0 disabled i.e Error Kernel: The application directly issues a syscall instruction (24) === | ||
* Between 2.00 and 2.57, SCE has removed system call 0, so we can no longer call any syscall we want by specifying the call number in the rax register. | |||
* Doing so now crashes the app and gives error CE-34878-0, SCE_KERNEL_ABORT_REASON_SYSTEM_ILLEGAL_FUNCTION_CALL, with the message "Kernel: The application directly issues a syscall instruction (24)". | |||
* We now have to use wrappers provided to us from the libkernel / libkernel_web / libkernel_sys modules to access system calls. | |||
=== bpf_write function stripped out of the kernel === | === bpf_write function stripped out of the kernel === | ||
Line 990: | Line 896: | ||
* For select types implemented by WebKit (such as JSC::JSFunction), certain pointer fields are XOR'ed by a cryptographic key generated at runtime. The key is generated once every process launch, one must recover it to unpoison the pointers. | * For select types implemented by WebKit (such as JSC::JSFunction), certain pointer fields are XOR'ed by a cryptographic key generated at runtime. The key is generated once every process launch, one must recover it to unpoison the pointers. | ||
== Kernel Exploits == | |||
== Kernel == | |||
=== FW <= 11.00 - Remote vulnerabilities in spp (yielding kernel ASLR defeat) (CVE-2006-4304 and no-CVE) === | === FW <= 11.00 - Remote vulnerabilities in spp (yielding kernel ASLR defeat) (CVE-2006-4304 and no-CVE) === | ||
Line 1,036: | Line 911: | ||
* [https://www.freebsd.org/security/advisories/FreeBSD-SA-06:18.ppp.asc FreeBSD Security Advisory for CVE-2006-4304 (2006-08-23)] | * [https://www.freebsd.org/security/advisories/FreeBSD-SA-06:18.ppp.asc FreeBSD Security Advisory for CVE-2006-4304 (2006-08-23)] | ||
* [https://hackerone.com/reports/2177925 HackerOne report about Remote vulnerabilities in spp by TheFloW (2023-09-22)] | * [https://hackerone.com/reports/2177925 HackerOne report about Remote vulnerabilities in spp by TheFloW (2023-09-22)] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
Line 1,243: | Line 1,116: | ||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' in PS4 7.50 FW and in PS5 5.00 or 5.02 FW. Not working in PS5 FWs <= 2. | '''Yes''' in PS4 7.50 FW and in PS5 5.00 or 5.02 FW. Not working in PS5 FWs <= 2.50. | ||
---- | ---- | ||
Line 1,319: | Line 1,192: | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/ fail0verflow's writeup on the | * [https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/ fail0verflow's writeup on the 1.01-4.05 namedobj kernel exploit] (2017-10-19) | ||
* [https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/NamedObj%20Kernel%20Exploit%20Overview.md Specter's first writeup] (2017-10-20) | * [https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/NamedObj%20Kernel%20Exploit%20Overview.md Specter's first writeup] (2017-10-20) | ||
* [https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/%22NamedObj%22%204.05%20Kernel%20Exploit%20Writeup.md Specter's writeup on his | * [https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/%22NamedObj%22%204.05%20Kernel%20Exploit%20Writeup.md Specter's writeup on his 4.05 implementation] (2017-12-28) | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
Line 1,329: | Line 1,200: | ||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
[https://github.com/Cryptogenic/PS4-4.05-Kernel-Exploit PS4 4.05 WebKit + Kernel Exploit] | |||
==== Patched ==== | ==== Patched ==== | ||
Line 1,336: | Line 1,207: | ||
==== Tested ==== | ==== Tested ==== | ||
Works on FWs 4.00-4.05. On <= 3.70 FW we have not found a way to leak the target object, but it might be doable as Fail0verflow did it on 1.01. | Works on FWs 4.00-4.05. On <= 3.70 FW we have not found a way to leak the target object, but it might be doable as Fail0verflow did it on 1.01. | ||
---- | ---- | ||
Line 1,444: | Line 1,261: | ||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' in 2.00 FW | '''Yes''' in 2.00 FW | ||
=== FW ??? - setlogin Information Leak (CVE-2014-8476) === | === FW ??? - setlogin Information Leak (CVE-2014-8476) === | ||
Line 1,472: | Line 1,288: | ||
==== Patched ==== | ==== Patched ==== | ||
? | |||
== Kernel securities == | == Kernel securities == | ||
Line 1,508: | Line 1,314: | ||
* [https://github.com/sleirsgoevy/ps4jb/blob/master/src/oldkex.c#L451 cli/sti SMAP bypass in 6.72 PS4 kernel exploit] | * [https://github.com/sleirsgoevy/ps4jb/blob/master/src/oldkex.c#L451 cli/sti SMAP bypass in 6.72 PS4 kernel exploit] | ||
==== | ==== SMAP bypass method: CVE-2021-29628 ==== | ||
A SMAP bypass has been found by m00nbsd while working on FreeBSD 12. It is named CVE-2021-29628 and affects FreeBSD 12.2 and later (til it was patched). It does not work on PS4 because PS4 kernel is based on FreeBSD 9 which did not contain the vulnerability and because PS4 SMAP does not come from FreeBSD but is custom from Sony. It used to work on PS5 before it was disclosed and patched on PS5 FW 2.30 or later according to dates. | |||
* [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29628 CVE-2021-29628 (FreeBSD SMAP bypass) by m00nbsd] | |||
* [https://hackerone.com/reports/1048322 CVE-2021-29628 (PS5 SMAP bypass) by m00nbsd] | |||
=== CR0.WP protection === | === CR0.WP protection === | ||
At least since | At least since firmware 6.51 Sony instrumented all instructions that write to the CR0 register with checks for attempts to clear CR0.WP (Write Protect), which is necessary for patching the kernel. This is what it looks like in 6.51 kernel: | ||
a1b79: 0f 22 c0 mov cr0,rax | a1b79: 0f 22 c0 mov cr0,rax | ||
Line 1,525: | Line 1,334: | ||
Bypasses (in chronological order): | Bypasses (in chronological order): | ||
* Use an "unintended" mov to cr0 in the middle of another instruction (e.g. instruction "call $+0x220f1c" (e8 17 0f 22 00) contains an unintended "mov cr0, rax" (0f 22 00)) | |||
* | * Use kernel write to give your process JIT permissions, allocate JIT memory, and put entirely custom code there (avoids the problem altogether, as it is specific to ROP) | ||
* Since the IDT is writable on FreeBSD and PS4, it is possible to overwrite an exception handler without clearing CR0.WP first. One can overwrite the handler of #UD with a gadget of their choice (a stack pivot, or a "add rsp, ... ; ret", or whatever else), and the UD2 instruction in the mitigation code will happily jump to it instead of the real handler, with CR0.WP cleared. | |||
* | |||
* | |||