Editing Vulnerabilities
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 3: | Line 3: | ||
=== PS1 games savedata exploits === | === PS1 games savedata exploits === | ||
See [ | See [https://www.psdevwiki.com/ps1/Vulnerabilities PS1 savedata exploits on PS1 Dev Wiki]. | ||
Official PS Classic games (warning: some may be remastered, to check) on PS4/PS5 available on PS Store: | |||
* Ape Escape - First-time NA re-release on PS4/PS5 | |||
* Cool Boarders (2000) | |||
* Hot Shots Golf - First-time NA re-release on PS4/PS5 | |||
* I.Q. Intelligence Qube - First-time NA re-release on PS4/PS5 | |||
* Jumping Flash! - Free PS4/PS5 version for PS3 PSone Classics owners | |||
* MediEvil (1998) | |||
* Mr. Driller - PlayStation Plus Premium subscription only (?) | |||
* Oddworld: Abe’s Oddysee - Free PS4/PS5 version for PS3 PSone Classics owners | |||
* G-Police (1997) | |||
* R4: Ridge Racer Type 4 (1998) | |||
* Resident Evil: Director’s Cut - PlayStation Plus Premium subscription only | |||
* Syphon Filter - Free PS4/PS5 version for PS3 PSone Classics owners | |||
* Tekken 2 - PlayStation Plus Premium subscription only | |||
* The Legend of Dragoon (1999) | |||
* Toy Story 2: Buzz Lightyear To The Rescue! - Free PS4/PS5 version for PS3 PSone Classics owners | |||
* Twisted Metal (1995) UP9000-CUSA43359_00-SCUS943040000000 or JP9000-CUSA43360_00-SIPS600070000000 | |||
* Twisted Metal 2 / Twisted Metal EX UP9000-CUSA43361_00-SCUS943060000000 or JP9000-CUSA43362_00-SIPS600210000000 | |||
* Wild Arms - Free PS4/PS5 version for PS3 PSone Classics owners | |||
* Worms World Party - First-time NA re-release on PS4/PS5 | |||
* Worms Armageddon - First-time NA re-release on PS4/PS5 | |||
* https://www.playstation.com/en-us/editorial/iconic-must-play-titles-on-playstation-plus-classics-catalog/ | |||
* https://www.reddit.com/r/PS3/comments/1cscsb2/all_ps1pspps3_games_that_have_crossbuy_or_free/ | |||
* https://www.reddit.com/r/PlayStationPlus/comments/vfg39t/is_there_a_clear_list_of_which_ps1_classic_ps4ps5/ | |||
"I have bought some of them on the PS3/Vita and the ones I could claim on the PS4/PS5 were Tekken 2 (which previously was not redeemable), all Syphon Filter games, all Wild Arms games, Legend of Dragoon, Ridge Racer Type 4 and Jumping Flash. Resident Evil Director's Cut is NOT redeemable. The rule of thumb is: if you can buy it on PS4/PS5 - and not only claim it through plus premium/deluxe sub, like Resident Evil 1 - they are redeemable from a previous purchase on PS3/PSP/Vita." | |||
Official PS Classic games (warning: some may be remastered, to check) on PS4/PS5 sold on Bluray Discs: | |||
* Tomba! by LRG (for PS5: UP6893-PPSA21381_00-0240103642659799-U001) | |||
* TBA 2025 by LRG: Tomba 2 The Evil Swine Return | |||
* TBA 2025 by LRG: Gex Trilogy: Gex, Gex Enter the Gecko, Gex 3 Deep Cover Gecko | |||
* TBA 2025 by LRG: Clock Tower: Rewind https://store.playstation.com/en-us/concept/10010305 Notice: PS1 Clock Tower is not the original game. The first game in the series was Clock Tower (1995) - first released on the SNES, later ported to PS1, PC and WonderSwan, but only ever released in Japan. The PS1 game is the second game, and was called Clock Tower 2 in Japan but just Clock Tower everywhere else, even though it is a sequel and not a port of the original. So Clock Tower 2 on the PS1 is the third game, and Clock Tower 3 on the PS2 is the fourth game. | |||
* TBA 2025 by LRG: Fear Effect | |||
* TBA 2025 by LRG: Fighting Force and Fighting Force 2 | |||
"Five PS1 games were recently announced for PS5 and PS4 with trophy support: Gex, Gex Enter the Gecko, Gex 3 Deep Cover Gecko, Clock Tower, and Tomba. All five games were announced to be using Limited Run Games' Carbon Engine, which so far has been primarily used to support older console emulation like the SNES and Sega Genesis, but has now officially revealed support for Sony's original PlayStation as well. These PS1 ports for PS5 and PS4 will use Limited Run Games' "Carbon Engine," which allows these classic titles to implement modern features like trophy support." | |||
=== PS2 games savedata exploits === | === PS2 games savedata exploits === | ||
See [ | See [https://www.psdevwiki.com/ps2/Vulnerabilities#PS2_Savedata_exploits PS2 savedata exploits on PS2 Dev Wiki]. | ||
Official PS2onPS4 games sold on the PS Store (as of September, 2024): | |||
* ADK DAMASHII™ UP0576-CUSA03783_00-SLPS259060000001 https://image.api.playstation.com/cdn/UP0576/CUSA03783_00/BpMMUC8q1MRAsL9iWDh6vbW844hq3JXK.png | |||
* Arc the Lad: Twilight of the Spirits | |||
* Art of Fighting Anthology | |||
* Ape Escape 2 | |||
* Bully (Canis Canem Edit) | |||
* Dark Chronicle (Dark Cloud 2) UP9000-CUSA02037_00-SCUS972130000001 https://image.api.playstation.com/cdn/UP9000/CUSA02037_00/hIKSKqBMerypNW49TCECATZSBBUcSBph.png | |||
* Dark Cloud | |||
* Destroy All Humans! | |||
* Destroy All Humans! 2 | |||
* Eternal Ring UP1022-CUSA04654_00-SLUS200150000001 https://image.api.playstation.com/cdn/UP1022/CUSA04654_00/DRIS0z7mtNMYZPchoqLnKlhJqyNvM8mZ.png | |||
* FantaVision | |||
* Fatal Fury Battle Archives Vol. 2 | |||
* Forbidden Siren EP9000-CUSA02274_00-SCES519200000001 patch 1.01 requires PS4 3.10 | |||
* Fu'un Super Combo UP0576-CUSA03784_00-SLPS257810000001 https://image.api.playstation.com/cdn/UP0576/CUSA03784_00/QWsetumZLYupFHsOIkoGbKYpySGBdtlp.png | |||
* Ghosthunter (English, Japanese) UP9000-CUSA47996_00-SLUS209930000000 | |||
* GTA III | |||
* GTA Vice City | |||
* GTA San Andreas | |||
* Harvest Moon: Save the Homeland | |||
* Harvest Moon: A Wonderful Life Special Edition | |||
* Hot Shots® Tennis (Everybody's Tennis) UP9000-CUSA02193_00-SCUS976100000001 https://image.api.playstation.com/cdn/UP9000/CUSA02193_00/FrJXexHruy7pjB6bCgDidXRbakNfNJJc.png | |||
* Indigo Prophecy | |||
* Jak and Daxter™ HP9000-CUSA08427_00-SCPS560030000001 patch 1.01 requires PS4 4.73 | |||
* Jak and Daxter: The Precursor Legacy™ UP9000-CUSA02522_00-SCUS971240000001 patch 1.01 requires PS4 4.73 | |||
* Jak and Daxter™: The Precursor Legacy EP9000-CUSA07934_00-SCES503610000001 patch 1.03 requires PS4 4.73 | |||
* Jak II™ UP9000-CUSA07840_00-SCUS972650000001 patch 1.01 requires PS4 5.01 | |||
* Jak II™ EP9000-CUSA07990_00-SCES516080000001 patch 1.02 requires PS4 5.01 | |||
* Jak II™ HP9000-CUSA08422_00-SCKA200100000001 patch 1.01 requires PS4 5.01 | |||
* Jak 3™ UP9000-CUSA07841_00-SCUS973300000001 patch 1.01 requires PS4 5.01 | |||
* Jak 3™ EP9000-CUSA07991_00-SCES524600000001 patch 1.01 requires PS4 5.01 | |||
* Jak 3™ HP9000-CUSA08423_00-SCKA200400000001 patch 1.01 requires PS4 5.01 | |||
* Jak X: Combat Racing UP9000-CUSA07842_00-SCUS974290000001 patch 1.02 requires PS4 5.01 | |||
* Jak™ X EP9000-CUSA07992_00-SCUS974290000001 patch 1.02 requires PS4 5.01 | |||
* Kinetica UP9000-CUSA01725_00-SCUS971320000001 https://image.api.playstation.com/cdn/UP9000/CUSA01725_00/EKH34FKOEt3dTXLCiccuawdS8iGIqGLF.png | |||
* Manhunt | |||
* Max Payne | |||
* Metal Slug Anthology | |||
* Mister Mosquito UP9000-CUSA48755_00-SLUS203750000000 (for PS5: UP9000-PPSA22948_00-SLUS203750000000) patch 1.02 requires PS4 11.52 or PS5 9.60 | |||
* Okage: Shadow King UP9000-CUSA02199_00-SCUS971290000001, requires PS4 FW version 3.15, although it was compiled with PS4 SDK version 3.008.000, latest patch requires PS4 FW 4.05 | |||
* PaRappa the Rapper 2 | |||
* Primal | |||
* Psychonauts | |||
* Puzzle Quest: Challenge of the Warlords | |||
* Red Dead Revolver | |||
* Red Faction | |||
* Red Faction II | |||
* Resident Evil Code: Veronica X | |||
* Rise of the Kasai | |||
* Rogue Galaxy | |||
* Samurai Shodown VI | |||
* Siren UP9000-CUSA02198_00-SCUS973550000001 (for PS5: UP9000-PPSA22947_00-SCUS973550000000) PS4 patch 1.02 requires PS4 3.00 and PS5 patch 1.00 requires PS5 9.40 | |||
* SkyGunner UP9000-CUSA49210_00-SLUS203840000000 (for PS5: UP9000-PPSA23535_00-SLUS203840000000) patch 1.03 requires PS4 11.52 or PS5 9.60 | |||
* Sly Raccoon (2002), Sly Cooper and the Thievius Racoonus UP9000-CUSA47431_00-SCUS971980000000 requires PS4 FW ?11.00? (update requires PS4 11.508.000) | |||
* Star Ocean Till The End Of Time | |||
* Star Wars Bounty Hunter | |||
* Star Wars Racer Revenge | |||
* STAR WARS: Jedi Starfighter UP1082-CUSA03473_00-SLUS202930000001 https://image.api.playstation.com/cdn/UP1082/CUSA03473_00/PGRyqtcRKUoAsP4bJAhcoziTwL8940k1.png | |||
EP1006-CUSA03494_00-SLES503710000001 | |||
https://image.api.playstation.com/cdn/EP1006/CUSA03494_00/9MsXVY5UULzSHB5BTreuKhwep3KZwvQP.png | |||
* STAR WARS The Clone Wars UP1082-CUSA48010_00-SLUS205100000000 | |||
* Summoner UP4389-CUSA48889_00-SLUS200740000000 (for PS5: UP4389-PPSA23124_00-SLUS200740000000) PS4 patch 1.01 requires PS4 11.50, PS5 patch 1.02 requires PS5 9.40 | |||
* The King of Fighters Collection: The Orochi Saga | |||
* The King of Fighters '98 Ultimate Match | |||
* The King of Fighters 2000 | |||
* The Mark of Kri | |||
* The Warriors | |||
* Timesplitters EP4062-CUSA49387_00-SLUS200900000000 (for PS5: EP4062-PPSA23799_00-SLUS200900000000) PS4 patch 1.01 requires PS4 11.52, PS5 patch 1.00 requires PS5 9.40 | |||
* TimeSplitters 2 EP4062-CUSA49392_00-SLUS203140000000 (for PS5: EP4062-PPSA23801_00-SLUS203140000000) PS4 patch 1.01 requires PS4 11.52, PS5 patch 1.00 requires PS5 9.40 | |||
* TimeSplitters: Future Perfect EP4062-CUSA49435_00-SLUS211480000000 (for PS5: EP4062-PPSA23847_00-SLUS211480000000) PS4 patch 1.01 requires PS4 11.52, PS5 patch 1.00 requires PS5 9.40 | |||
* Tomb Raider: Legend UP8489-CUSA48389_00-SLUS212030000000 https://store.playstation.com/store/api/chihiro/00_09_000/titlecontainer/SE/en/999/CUSA48389_00/image | |||
* Twisted Metal: Black | |||
* War of the Monsters | |||
* Wild Arms 3 | |||
* See [https://www.playstation.com/en-us/editorial/iconic-must-play-titles-on-playstation-plus-classics-catalog/]. | |||
Official PS2onPS4 games sold on Bluray Discs: | |||
* ADK DAMASHII™ UP0576-CUSA03783_00-SLPS259060000001 https://image.api.playstation.com/cdn/UP0576/CUSA03783_00/BpMMUC8q1MRAsL9iWDh6vbW844hq3JXK.png | |||
* Art of Fighting Anthology (by Limited Run #375) UP0576-CUSA03754_00-SLUS214870000001 https://image.api.playstation.com/cdn/UP0576/CUSA03754_00/Hf5lUn48Ds3UDNp8NNjdzv7f1BZWGaai.png | |||
* Destroy All Humans! (2005) (PS2 Classic by Limited Run #370, not to be confused with the remake EP4389-CUSA14910_00-DAH1REMAKEEU0000) UP4389-CUSA05232_00-SLUS209450000001 https://image.api.playstation.com/cdn/UP4389/CUSA05232_00/XrgVkqoR5rvZk4tAGi2j7OFfHpAZWKUu.png | |||
* Fatal Fury Battle Archives Vol. 2 (by Limited Run #371) UP0576-CUSA03750_00-SLUS217230000001 https://image.api.playstation.com/cdn/UP0576/CUSA03750_00/gFCLAhlGZwvFkra1p2sozwIZ5SH1OyZO.png | |||
* Fu'un Super Combo UP0576-CUSA03784_00-SLPS257810000001 https://image.api.playstation.com/cdn/UP0576/CUSA03784_00/QWsetumZLYupFHsOIkoGbKYpySGBdtlp.png | |||
* Indigo Prophecy™ (aka Fahrenheit 2005, by Limited Run #331) UP1642-CUSA04798_00-SLUS211960000001 https://image.api.playstation.com/cdn/UP1642/CUSA04798_00/WJFDq83f1tcZ0E2PkEa1rXOba8laaZUV.png | |||
* Jak and Daxter: The Precursor Legacy™ UP9000-CUSA02522_00-SCUS971240000001 https://image.api.playstation.com/cdn/UP9000/CUSA02522_00/o9zJoXqpd4lzarjIbvvZLFjYGLsLvqCp.png | |||
* Jak X Combat Racing™® UP9000-CUSA07842 | |||
* Jak II UP9000-CUSA07840 | |||
* Jak 3 UP9000-CUSA07841 | |||
* METAL SLUG ANTHOLOGY™ (US version by Limited Run #364) UP0576-CUSA03749_00-SLUS215500000001 https://image.api.playstation.com/cdn/UP0576/CUSA03749_00/ImHDRENlttkdiXlm3K8ejNVgLURd3uTw.png | |||
* METAL SLUG ANTHOLOGY™ (EU version by SNK) EP0576-CUSA04156_00-SLES546770000001 https://image.api.playstation.com/cdn/EP0576/CUSA04156_00/NN7npbsEvxIRGI8lBVhm9I5BwFzdGlOK.png | |||
* Psychonauts UP2154-CUSA03881 | |||
* Red Faction (by Limited Run #281) UP4389-CUSA06402_00-SLUS200730000001 https://image.api.playstation.com/cdn/UP4389/CUSA06402_00/T07Bf136claKzP3SHF30QLa2xMAFjSpP.png | |||
* Samurai Shodown VI (by Limited Run #329) UP0576-CUSA03787_00-SLUS216290000001 or EP0576-CUSA04158_00-SLES552920000001 https://image.api.playstation.com/cdn/UP0576/CUSA03787_00/CuLRRdOYvdge0IW9LL9Vewj44RCc6OAU.png https://image.api.playstation.com/cdn/EP0576/CUSA04158_00/7SrtqugKMJixAcbprEE0ExGUOHlhL0F7.png | |||
* STAR WARS™ BOUNTY HUNTER™ (US version) UP1082-CUSA03472_00-SLUS204200000001 | |||
* STAR WARS™ BOUNTY HUNTER™ (EU version) EP1006-CUSA03493_00-SLES508310000001 | |||
* Star Wars Racer Revenge UP1082-CUSA03474, requires PS4 FW version ?3.15, although it was compiled with SDK version 3.008.000? | |||
* The King of Fighters '98 Ultimate Match (by Limited Run #344) UP0576-CUSA03751_00-SLUS218160000001 https://image.api.playstation.com/cdn/UP0576/CUSA03751_00/bp4LfKIjcVTMfKP3O4LrDJHWzY6vZDar.png | |||
* The King of Fighters 2000 (by Limited Run #386) UP0576-CUSA03748_00-SLUS208340000001 https://image.api.playstation.com/cdn/UP0576/CUSA03748_00/tvXJmFqa9zkXAAKCij20B3spadkqGuka.png | |||
* The King of Fighters™ Collection: the Orochi Saga (by Limited Run #393) UP0576-CUSA03753_00-SLUS215540000001 https://image.api.playstation.com/cdn/UP0576/CUSA03753_00/E3gFtUUjCu2WDBSIGeXMV40sfF4uHzZi.png | |||
These PS2onPS4 games can be bought online directly via Limited Run Games for brand new or for example on Ebay for second hand or like new. | |||
=== PSP games savedata exploits === | === PSP games savedata exploits === | ||
See [ | See [https://www.psdevwiki.com/psp/Vulnerabilities PSP savedata exploits on PSP Dev Wiki]. | ||
* https://wololo.net/2012/09/01/when-the-psp-and-the-vita-show-their-battle-scars/ | |||
* https://wololo.net/talk/viewtopic.php?f=52&t=11183&start=10#p143779 | |||
* https://www.playstation.com/en-us/editorial/iconic-must-play-titles-on-playstation-plus-classics-catalog/ | |||
Official PS2onPS4 games sold on the PS Store (as of September, 2024): | |||
* Tekken 6 UP0700-CUSA33754_00-TEKKEN6000000000 | |||
* Killzone: Liberation (2006) EP9000-CUSA37875_00-UCES002790000000 | |||
* Ratchet & Clank: Size Matters (2007) UP9000-CUSA41395_00-UCUS986330000000 | |||
* Syphon Filter: Logan's Shadow (2007) EP9000-CUSA32631_00-UCES007100000000 | |||
* Pursuit Force (2005) UP9000-CUSA37191_00-UCUS986400000000 or EP9000-CUSA37192_00-UCES000190000000 or HP9000-CUSA37193_00-UCKS450160000000 | |||
* Pursuit Force: Extreme Justice UP9000-CUSA34853_00-UCUS987030000000 | |||
* Super Stardust Portable (2007) EP9000-CUSA33036_00-NPEG000080000000 | |||
* Resistance: Retribution (2009) UP9000-CUSA32636_00-UCUS986680000000 or EP9000-CUSA32637_00-UCES011840000000 | |||
* Jeanne d’Arc (2006) UP9000-CUSA41018_00-UCUS987000000000 | |||
* Jak and Daxter: The Lost Frontier UP9000-CUSA41282_00-NPUG803300000000 (for PS5: UP9000-PPSA14325_00-NPUG803300000000-U001) patch 1.02 requires PS4 11.50 or PS5 9.00 | |||
* LEGO Star Wars II: The Original Trilogy UP1082-CUSA41250_00-ULUS101550000000 (for PS5: UP1082-PPSA14300_00-ULUS101550000000, UP1082-PPSA14300_00-0804842924824650-U002) or EP1006-CUSA41251_00-ULES004790000000, patch 1.01 requires PS4 11.50 or PS5 9.20 | |||
* Daxter UP9000-CUSA36097_00-NPUG803290000000 (for PS5: UP9000-PPSA09695_00-NPUG803290000000-U001) patch 1.01 requires PS4 11.50 or PS5 9.20 | |||
=== PS4/PS5 PS2emu sandbox escape (mast1c0re) === | === PS4/PS5 PS2emu sandbox escape (mast1c0re) === | ||
Line 46: | Line 198: | ||
'''No''' as of PS4 FW 11.50 and PS5 FW 8.00. Using the PS2onPS4 game Okage Shadow King, the exploit should work starting from PS4 FW 3.15 and PS5 FW 1.00. | '''No''' as of PS4 FW 11.50 and PS5 FW 8.00. Using the PS2onPS4 game Okage Shadow King, the exploit should work starting from PS4 FW 3.15 and PS5 FW 1.00. | ||
=== PS4/PS5 game savedata | === PS4/PS5 game savedata LUA exploit === | ||
==== Credits ==== | ==== Credits ==== | ||
* Used by Flatz on 2023-07-27 in [https://wololo.net/2023/07/28/ps5-flat_z-dumps-ps5-secure-processor-confirms-he-has-a-ps5-hypervisor-exploit-via-a-ps4-game-save-exploit/ his Hypervisor exploit]. | * Used by Flatz on 2023-07-27 in [https://wololo.net/2023/07/28/ps5-flat_z-dumps-ps5-secure-processor-confirms-he-has-a-ps5-hypervisor-exploit-via-a-ps4-game-save-exploit/ his Hypervisor exploit]. | ||
* Used by Flatz on 2024-09-14 in [https://gist.github.com/flatz/5e12f75cdb210516d31df03069f7ed0a his implementation of the umtx UaF kernel exploit]. | * Used by Flatz on 2024-09-14 in [https://gist.github.com/flatz/5e12f75cdb210516d31df03069f7ed0a his implementation of the umtx UaF kernel exploit]. | ||
==== Bug description ==== | ==== Bug description ==== | ||
Some PS4 ( | Some PS4 (or maybe PS5) games, in disc version (probably also available in PS Store version but potentially patched), can be exploited as they use some LUA interpreter, by crafting an evil save data. | ||
==== Vulnerable games ==== | ==== Vulnerable games ==== | ||
Not confirmed: | |||
Pay Day 2, Mafia III, God of War (which one?). | |||
Confirmed: | |||
TODO | |||
==== Analysis ==== | ==== Analysis ==== | ||
==== Patched | |||
==== Patched | |||
'''No''' as of PS4 FW ?12.00? and PS5 FW 7.61. | '''No''' as of PS4 FW ?12.00? and PS5 FW 7.61. | ||
Line 125: | Line 235: | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://twitter.com/theflow0/status/1701154155744645349 Removed tweet of BD-JB2 logs on a 7.61 PS5 by TheFloW (2023-09-11)] | * [https://twitter.com/theflow0/status/1701154155744645349 Removed tweet of BD-JB2 logs on a 7.61 PS5 by TheFloW (2023-09-11)] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
Basing on | Basing on BD-JB1 exploit files, in /bdmv/bdjo.xml changing bdjo/applicationManagementTable/baseDirectory to a path of the form `file:///app0/cdc/lib/../../../disc/BDMV/JAR/00000.jar` allows loading a JAR Java executable file. | ||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https://twitter.com/theflow0/status/1717088032031982066 | * [https://twitter.com/theflow0/status/1717088032031982066 PoC by TheFloW (2023-10-25)] | ||
==== Patched ==== | ==== Patched ==== | ||
'''No''' as of PS4 FW 10.71 (maybe patched on PS4 FW 11.00). '''Yes''' on PS5 FW 8.00 | '''No''' as of PS4 FW 10.71 (maybe patched on PS4 FW 11.00). '''Yes''' on PS5 FW 8.00. | ||
=== FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW === | === FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW === | ||
Line 153: | Line 260: | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
TO ADD DESCRIPTION OF EACH ONE OF THE 5 BUGS: | |||
* #1 com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl userprefs hijack leading to classes instantiation under privileged context (affecting ?PS3?, PS4, PS5) | |||
* #2 com.oracle.security.Service leading to privileged constructor call (affecting ?PS3?, PS4, not PS5) | |||
* #3 com.sony.gemstack.org.dvb.io.ixc.IxcProxy leading to privileged method call (affecting ?PS3?, PS4, PS5) | |||
* #4 JIT compiler hack leading to usermode arbitrary RW and arbitrary usermode code execution (affecting ?PS3?, PS4, not PS5) | |||
* #5 UDF buffer overflow kernel exploit (affecting ?PS3?, PS4, PS5) | |||
This exploit chain alone does not allow one to run pirated games on PS4 or PS5 as there is not enough RAM allowed in the BD-J process and there are other constraints. | |||
==== Exploit Implementation ==== | |||
* [https://github.com/TheOfficialFloW/bd-jb Implementation of BD-J usermode code execution on PS4 using bugs #1, #2, #3 and #4 by TheFloW (2021-10-24)] | |||
* [https://github.com/TheOfficialFloW/bd-jb/blob/master/src/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java Vuln #1 com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl implementation by TheFloW] | |||
==== Exploit Implementation ==== | |||
* [https://github.com/TheOfficialFloW/bd-jb Implementation of BD-J usermode code execution on PS4 using bugs #1, #2, #3 and #4 by TheFloW (2021-10-24)] | |||
* [https://github.com/TheOfficialFloW/bd-jb/blob/master/src/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java Vuln #1 com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl implementation by TheFloW] | |||
* [https://github.com/TheOfficialFloW/bd-jb/blob/master/src/com/bdjb/exploit/sandbox/ExploitServiceProxyImpl.java Vuln #2 com.oracle.security.Service and #3 com.sony.gemstack.org.dvb.io.ixc.IxcProxy chained together by TheFloW] | * [https://github.com/TheOfficialFloW/bd-jb/blob/master/src/com/bdjb/exploit/sandbox/ExploitServiceProxyImpl.java Vuln #2 com.oracle.security.Service and #3 com.sony.gemstack.org.dvb.io.ixc.IxcProxy chained together by TheFloW] | ||
* [https://github.com/TheOfficialFloW/bd-jb/blob/master/src/com/bdjb/jit/JitCompilerReceiverImpl.java Vuln #4 JIT compiler hack implementation by TheFloW] | * [https://github.com/TheOfficialFloW/bd-jb/blob/master/src/com/bdjb/jit/JitCompilerReceiverImpl.java Vuln #4 JIT compiler hack implementation by TheFloW] | ||
Line 197: | Line 290: | ||
[https://web.archive.org/web/20241007081407/https://doc.dl.playstation.net/doc/ps4-oss/webkit.html WebKit sources] archived currently up to version 11.00. Useful for people that cannot access PlayStation URLs and also for when Sony will inevitably stop hosting the sources. | [https://web.archive.org/web/20241007081407/https://doc.dl.playstation.net/doc/ps4-oss/webkit.html WebKit sources] archived currently up to version 11.00. Useful for people that cannot access PlayStation URLs and also for when Sony will inevitably stop hosting the sources. | ||
=== Untested - mmap issue involving pointer address misalignment leading to nothing for now === | |||
==== Credits ==== | |||
* Jasmine, working for Sony, for information through a WebKit commit (2022-10-19) | |||
==== Analysis ==== | |||
* https://bugs.webkit.org/show_bug.cgi?id=246763 | |||
==== Bug Description ==== | |||
There is a mmap issue involving pointer address misalignmen because of a failing assert [https://github.com/WebKit/WebKit/blob/main/Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.cpp#L94 here]. A workaround is to set HAVE_MAP_ALIGNED flag as OFF in OptionsPlayStation.cmake: [https://github.com/WebKit/WebKit/commit/626585db9857b7630cf34d82f9a0555720f15bca]. This workaround can be reverted after the mmap issue is resolved. Currently, the workaround is still enabled: [https://github.com/WebKit/WebKit/blob/ab2fff92b37e52d6c65e215b155e6b92f1646954/Source/cmake/OptionsPlayStation.cmake#L251] | |||
==== Exploit Implementation ==== | |||
==== Patched ==== | |||
'''Maybe''' | |||
==== Tested ==== | |||
Not tested yet on PS4 or PS5. | |||
---- | |||
=== FW ?6.00-11.52? - get_by_id_with_this associated with ProxyObject can leak JSScope objects === | === FW ?6.00-11.52? - get_by_id_with_this associated with ProxyObject can leak JSScope objects === | ||
Line 236: | Line 349: | ||
---- | ---- | ||
=== FW ? | === FW ?10.00-11.52? - Integer underflow in WebKit renderer (CVE-2024-27833) leading to arbitrary code execution === | ||
==== Credits ==== | ==== Credits ==== | ||
* | * Manfred Paul (@_manfp), working with Trend Micro Zero Day Initiative, for discovering the vulnerability on Apple Safari at pwn2own 2024 (2024-03-21) [https://twitter.com/thezdi/status/1770611705510293546 Zero Day Initiative's tweet] | ||
* Apple Safari update integrates a fix (2024-06-10) | |||
* | |||
==== Analysis ==== | ==== Analysis ==== | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
There is an integer underflow in WebKit renderer. It was addressed with improved input validation. | |||
It is associated with WebKit Bugzilla #271491. | |||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
==== Patched ==== | ==== Patched ==== | ||
'''Maybe''' | '''Maybe''' on PS4 FW 12.00 and PS5 FW ?10.00?. | ||
==== Tested ==== | ==== Tested ==== | ||
Not tested | Not tested as there is no PoC available. | ||
---- | ---- | ||
=== FW ? | === FW ?10.00-11.52? - Immediate overflow in JSC SBFX leading to crash === | ||
==== Credits ==== | ==== Credits ==== | ||
* Justin Michaud for fix commit, Yusuke Suzuki for fix commit review (2024-05-15) | |||
* Justin Michaud, | * xvonfers for discovering it affects PS4 and PS5 (2024-06-11) [https://twitter.com/xvonfers/status/1800426437486485635 xvonfer's tweet] | ||
* | |||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://github.com/WebKit/WebKit/commit/ | * [https://github.com/WebKit/WebKit/commit/1ea4ef8127276fd00ca43ffcb22bed162072abde WebKit fix commit by Justin Michaud (2024-05-15)] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
The JavaScriptCore Isel SBFX patterns in JavaScriptCore/b3/B3LowerToAir.cpp allowed immediate overflow as 'lsb' and 'width' are not properly checked. | |||
The | SBFX stands for Signed Bitfield Extract. See [https://www.scs.stanford.edu/~zyedidia/arm64/sbfx_sbfm.html] and [https://developer.arm.com/documentation/101273/0001/The-Cortex-M55-Instruction-Set--Reference-Material/Bit-field-instructions/SBFX-and-UBFX]. SBFX is an alias for SBFM (Signed Bitfield Move). See [https://www.scs.stanford.edu/~zyedidia/arm64/sbfm.html]. SBFM is a bitfield extraction opcode. | ||
Isel is a short name for Instruction SELect. This pass transforms generic machine instructions into equivalent target-specific instructions. It traverses the MachineFunction bottom-up, selecting uses before definitions, enabling trivial dead code elimination. | |||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https://github.com/ | * [https://github.com/WebKit/WebKit/blob/main/JSTests/stress/sbfx-offset-overflow.js Vulnerability test by Justin Michaud] | ||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' on PS4 FW | '''Yes''' on PS4 FW 12.00 and PS5 FW ?10.00?. | ||
==== Tested ==== | ==== Tested ==== | ||
Tested working on PS4 FWs | Tested working on PS4 FWs 11.50 and PS5 FWs ?6.00-9.60?. Not working on PS4 <= 9.00 and PS5 >= 10.01. | ||
---- | ---- | ||
=== FW | === FW ?10.00?-11.52 - Unknown heap and string overflow (no CVE) leading to crash === | ||
==== Credits ==== | ==== Credits ==== | ||
* | * Debty for PoC public disclose (2024-08-29) | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://github.com/ | * [https://github.com/Debvt/Wm/tree/Root0 PoC and analysis by Debty (2024-08-29)] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
* TODO | |||
Implementation description by Debty:<br /> | |||
String exploit is not actually an exploit but just a memory exhauster. It is not actually viable so instead there is a feature called "latest iteration". | |||
==== Exploit Implementation ==== | |||
* [https://github.com/Debvt/Wm/tree/Root0 PoC by Debty (2024-08-29)] | |||
==== Patched ==== | |||
'''Yes''' on PS4 FW 12.00 and PS5 FW 10.00. | |||
==== Tested ==== | |||
Tested working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60. | |||
---- | |||
=== FW ?6.00-11.52? - integer underflow vulnerability (CVE-2023-38600) === | |||
function pop(event) { | ==== Credits ==== | ||
alert('you get a crash after you close this alert'); | * anonymous researcher for discovering the vulnerability and reporting it to Zero Day Initiative (2023-05) | ||
event.state; // use the freed SerializedScriptValue | * Hossein Lotfi for publishing a writeup (2023-10-18) | ||
alert('WebKit version not vulnerable'); | |||
} | ==== Analysis ==== | ||
* [https://www.zerodayinitiative.com/blog/2023/10/17/cve-2023-38600-story-of-an-innocent-apple-safari-copywithin-gone-way-outside Writeup by Hossein Lotfi (2023-10-18)] | |||
addEventListener('popstate', pop); | |||
==== Bug Description ==== | |||
history.pushState('state1', '', location + '#foo'); // URL with a hash | |||
history.pushState('state2', ''); | ==== Exploit Implementation ==== | ||
setTimeout(() => { | ==== Patched ==== | ||
input.focus(); | '''Maybe''' | ||
==== Tested ==== | |||
Not tested yet on PS4 nor PS5. | |||
---- | |||
=== FW ?10.00-11.02? - JSC::DFG::clobberize() needs to be more precise with the *ByOffset nodes (CVE-2023-41993) leading to arbitrary RW === | |||
==== Credits ==== | |||
* Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group for discoverting the vulnerability and reporting it (2023-09-21) | |||
* Keith Miller for the WebKit fix commit (2023-10-09) | |||
* po6ix for his writeup (2023-10-15) | |||
==== Analysis ==== | |||
* [https://github.com/WebKit/WebKit/commit/08d5d17c766ffc7ca6a7c833c5720eb71b427784 WebKit fix commit by Keith Miller (2023-10-09)] | |||
* [https://github.com/po6ix/POC-for-CVE-2023-41993 Writeup by po6ix (2023-10-15)] | |||
==== Bug Description ==== | |||
clobberize needs to be more precise with the *ByOffset nodes. CSE phase uses clobberize to figure out if it's safe to merge two operations that def the same HeapLocation. Since HeapLocation does not currently have a way to track the offset used by the various *ByOffset nodes it can get confused and think that two ByOffset instructions produce the same value even if they do not use the same offset. This patch solves this by adding a new field to HeapLocation, which takes the metadata associated with the corresponding *ByOffset node. If two *ByOffset operations don't share the same metadata then they cannot be CSEed. | |||
This vulnerability is ranked 7.5 (HIGH) on CVSS:3.1. | |||
This vulnerability should provide r/w primitive to the webcontent process, but currently the PoC is written only up to addrof/fakeobj. | |||
==== Exploit Implementation ==== | |||
* [https://github.com/po6ix/POC-for-CVE-2023-41993 PoC written only up to addrof/fakeobj by po6ix (2023-10-15)] | |||
==== Patched ==== | |||
'''Maybe''' on PS4 FW 12.00 and PS5 ?10.00? | |||
==== Tested ==== | |||
Not tested yet. According to open source code, PS4 FW 11.00 should be vulnerable. | |||
---- | |||
=== FW 10.00-11.02 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to crash === | |||
==== Credits ==== | |||
* ENKI for public disclose and analysis (2024-06-03) | |||
* abc (anonymous) for tests and analysis (2024-10-01) | |||
==== Analysis ==== | |||
* [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc Analysis by ENKI (2024-06-03)] | |||
* [https://github.com/WebKit/WebKit/commit/1b0741f400ee2d31931ae30f2ddebe66e8fb0945 Patch commit #1 (2023-07-31)] | |||
* [https://github.com/WebKit/WebKit/commit/39476b8c83f0ac6c9a06582e4d8e5aef0bb0a88f Patch commit #2 (2023-05-01)] | |||
* [https://www.zerodayinitiative.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons Inverting Your Assumptions: A Guide to JIT Comparisons by Jasiel Spelman (2018-04-12)] | |||
==== Bug Description ==== | |||
Note that the PS4 web browser JIT support has been removed since around PS4 System Software version 5.00 or lower so using the article directly is not applicable. | |||
The clobber bug PoC turns out not to be a memory corruption. Just like the article said, you can access a `GetterSetter` directly. The crash came from triggering `GetterSetter`'s methods that will call `RELEASE_ASSERT()`. | |||
We actually came across a bug that can leak `GetterSetter`s at WebKit's git main branch: `ceb7e89febcd [JSC] get_by_id_with_this + ProxyObject can leak JSScope objects https://bugs.webkit.org/show_bug.cgi?id=267425 <rdar://120777816>` | |||
In summary with tinkering with this bug, abc (anonymous) do not think that an attacker can do anything useful with accessing a `GetterSetter`. The clobberWorld bug however does allow setting properties in places where you usually cannot like `Function's prototype` as shown in the article. But without JIT, one probably cannot cause any memory corruption. The impact for both bugs (clobberWorld and ProxyObject) is probably just JavaScript execution, which we already have, which is a no go in some context (JS injection) but it does not help in gaining usermode ROP execution on PS4 or PS5. | |||
==== Exploit Implementation ==== | |||
* [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc PoC by ENKI (2024-06-03)] | |||
==== Patched ==== | |||
'''Yes''' on PS4 FW 11.50 and PS5 FW 9.00. | |||
==== Tested ==== | |||
Tested working on PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60. PS4 FWs <= ?9.60? and PS5 FWs <= ?5.50? are invulnerable. | |||
---- | |||
=== FW 6.00-9.60 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW === | |||
==== Credits ==== | |||
* Sergei Glazunov, Google Project Zero, for reporting the bug in 2013-01 and answering Maddie Stone's questions in 2022 (2013) | |||
* Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2022-06-14) | |||
* abc (anonymous) for making an OOM PoC for webkit-gtk, PS4 and PS5 (2023-10-03) then making an arbitrary RW PoC (PSFree) for webkit-gtk, PS4 6.00-9.60 and PS5 1.00-5.50 (2023-10-24) | |||
* CelesteBlue for testing and porting abc' PSFree to PS4 6.00-9.60 and PS5 1.00-5.50 (2023-11-04) | |||
==== Analysis ==== | |||
* [https://github.com/WebKit/WebKit/commit/aa31b6b4d09b09acdf1cec11f2f7f35bd362dd0e WebKit bug-reintroducing commit by Darin Adler reviewed by Alex Christensen (2016-12-31)] | |||
* [https://bugs.webkit.org/show_bug.cgi?id=235551 WebKit fix talk by Yusuke Suzuki reviewed by Mark Lam (2022-01-24)] | |||
* [https://github.com/WebKit/WebKit/commit/486816dc355c19f1de1b8056f85d0bbf7084dd6e WebKit fix commit by Yusuke Suzuki reviewed by Mark Lam (2022-01-25)] | |||
* [https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-22620.html Short writeup by Maddie Stone (2022-06-14)] | |||
* [https://googleprojectzero.blogspot.com/2022/06/an-autopsy-on-zombie-in-wild-0-day.html Detailed writeup by Maddie Stone (2022-06-14)] | |||
==== Bug Description ==== | |||
The History API allows access to (and modification of) a stack of the pages visited in the current frame, and these page states are stored as a <code>SerializedScriptValue</code>. The History API exposes a getter for state, and a method <code>replaceState()</code> which allows overwriting the "most recent" history entry. | |||
The bug is that <code>FrameLoader::loadInSameDocument()</code> takes the state as an argument (<code>stateObject</code>), but does not increase its reference count. Only a <code>HistoryItem</code> object holds a reference to the <code>stateObject</code>. <code>loadInSameDocument()</code> can trigger a callback into user JavaScript through the <code>onblur</code> event. The user's callback can call <code>replaceState()</code> to replace the <code>HistoryItem</code>'s state with a new object, therefore dropping the only reference to the <code>stateObject</code>. When the callback returns, <code>loadInSameDocument()</code> will still use this free'd object in its call to <code>statePopped()</code>, leading to the use-after-free. | |||
When <code>loadInSameDocument()</code> is called it changes the focus to the element its scrolling to. If we set the focus on a different element prior to <code>loadInSameDocument()</code>'s execution, the blur event will be fired on that element. Then we can free the <code>stateObject</code> by calling <code>replaceState()</code> in the <code>onblur</code> event handler. | |||
The bug is triggered by <code>history.back()</code> with the target state whose URL contains a hash. Here's a Proof-of-Concept that will crash: | |||
<source lang="js"> | |||
input = document.body.appendChild(document.createElement('input')); | |||
foo = document.body.appendChild(document.createElement('a')); | |||
foo.id = 'foo'; | |||
function pop(event) { | |||
alert('you get a crash after you close this alert'); | |||
event.state; // use the freed SerializedScriptValue | |||
alert('WebKit version not vulnerable'); | |||
} | |||
addEventListener('popstate', pop); | |||
history.pushState('state1', '', location + '#foo'); // URL with a hash | |||
history.pushState('state2', ''); | |||
setTimeout(() => { | |||
input.focus(); | |||
input.onblur = () => { | input.onblur = () => { | ||
history.replaceState('state3', '') | history.replaceState('state3', '') | ||
Line 416: | Line 620: | ||
==== Tested ==== | ==== Tested ==== | ||
Tested working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.51. Untested: PS5 FWs 2.10-2. | Tested working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.51. Untested: PS5 FWs 2.10-2.50 and >=5.00. | ||
---- | ---- | ||
Line 892: | Line 1,096: | ||
=== Possible WebKit vulnerabilities === | === Possible WebKit vulnerabilities === | ||
Affecting WebKitGTK: CVE-2023-41074, CVE-2023-42917. | |||
CVE- | |||
== Usermode securities == | == Usermode securities == | ||
Line 957: | Line 1,134: | ||
* See the PS4 [[Syscalls]] list. | * See the PS4 [[Syscalls]] list. | ||
=== | === Syscall 0 disabled i.e Error Kernel: The application directly issues a syscall instruction (24) === | ||
* Between 2.00 and 2.57, SCE has removed system call 0, so we can no longer call any syscall we want by specifying the call number in the rax register. | |||
* Doing so now crashes the app and gives error CE-34878-0, SCE_KERNEL_ABORT_REASON_SYSTEM_ILLEGAL_FUNCTION_CALL, with the message "Kernel: The application directly issues a syscall instruction (24)". | |||
* We now have to use wrappers provided to us from the libkernel / libkernel_web / libkernel_sys modules to access system calls. | |||
=== bpf_write function stripped out of the kernel === | === bpf_write function stripped out of the kernel === | ||
Line 990: | Line 1,160: | ||
* For select types implemented by WebKit (such as JSC::JSFunction), certain pointer fields are XOR'ed by a cryptographic key generated at runtime. The key is generated once every process launch, one must recover it to unpoison the pointers. | * For select types implemented by WebKit (such as JSC::JSFunction), certain pointer fields are XOR'ed by a cryptographic key generated at runtime. The key is generated once every process launch, one must recover it to unpoison the pointers. | ||
== Kernel Exploits == | |||
== Kernel == | |||
=== FW <= 11.52 - Double free in bnet_netevent_set_queue === | === FW <= 11.52 - Double free in bnet_netevent_set_queue === | ||
Line 1,036: | Line 1,200: | ||
* [https://www.freebsd.org/security/advisories/FreeBSD-SA-06:18.ppp.asc FreeBSD Security Advisory for CVE-2006-4304 (2006-08-23)] | * [https://www.freebsd.org/security/advisories/FreeBSD-SA-06:18.ppp.asc FreeBSD Security Advisory for CVE-2006-4304 (2006-08-23)] | ||
* [https://hackerone.com/reports/2177925 HackerOne report about Remote vulnerabilities in spp by TheFloW (2023-09-22)] | * [https://hackerone.com/reports/2177925 HackerOne report about Remote vulnerabilities in spp by TheFloW (2023-09-22)] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
Line 1,243: | Line 1,405: | ||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' in PS4 7.50 FW and in PS5 5.00 or 5.02 FW. Not working in PS5 FWs <= 2. | '''Yes''' in PS4 7.50 FW and in PS5 5.00 or 5.02 FW. Not working in PS5 FWs <= 2.50. | ||
---- | ---- | ||
Line 1,319: | Line 1,481: | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/ fail0verflow's writeup on the | * [https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/ fail0verflow's writeup on the 1.01-4.05 namedobj kernel exploit] (2017-10-19) | ||
* [https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/NamedObj%20Kernel%20Exploit%20Overview.md Specter's first writeup] (2017-10-20) | * [https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/NamedObj%20Kernel%20Exploit%20Overview.md Specter's first writeup] (2017-10-20) | ||
* [https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/%22NamedObj%22%204.05%20Kernel%20Exploit%20Writeup.md Specter's writeup on his | * [https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/%22NamedObj%22%204.05%20Kernel%20Exploit%20Writeup.md Specter's writeup on his 4.05 implementation] (2017-12-28) | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
Line 1,329: | Line 1,489: | ||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
[https://github.com/Cryptogenic/PS4-4.05-Kernel-Exploit PS4 4.05 WebKit + Kernel Exploit] | |||
==== Patched ==== | ==== Patched ==== | ||
Line 1,336: | Line 1,496: | ||
==== Tested ==== | ==== Tested ==== | ||
Works on FWs 4.00-4.05. On <= 3.70 FW we have not found a way to leak the target object, but it might be doable as Fail0verflow did it on 1.01. | Works on FWs 4.00-4.05. On <= 3.70 FW we have not found a way to leak the target object, but it might be doable as Fail0verflow did it on 1.01. | ||
---- | ---- | ||
Line 1,537: | Line 1,665: | ||
* Discovered by yifan lu (2017-02-19), plutoo and Proxima (2018-08-09), Davee (2018-12-29) for PS Vita, by flatz (2021-12-18) for PlayStation 4. | * Discovered by yifan lu (2017-02-19), plutoo and Proxima (2018-08-09), Davee (2018-12-29) for PS Vita, by flatz (2021-12-18) for PlayStation 4. | ||
=== Bug description === | |||
The PS4 Crypto Coprocessor (CCP) interface in Secure Kernel has a bug that allows to dump (or better saying, bruteforce) key rings from SAMU. | |||
That is how AES/HMAC keys from PFS, portability keys, VTRM keys, etc can be retrieved. A crypto flaw was in the ability to issue HMAC operation with key length stricly lower than 16. For example, by setting it to 1 you can bruteforce key bytes one by one by comparing HMAC result with HMAC result with known partial key. | |||
This trick may work on other crypto hardware as well if it does not restrict key lengths. Amazingly, Intel Secure Key Storage (SKS) of CSME subsystem also has a bug allowing to brute-force any key slot, but the issue exists at hardware level - insecure design of the keys distribution to crypto engines (AES, SHA, RC4). Intel did not recognize the bug arguing that to access SKS the CSME privileged arbitrary code execution is required, but SKS is exactly designed to protect the ROM generated keys from CSME firmware... | |||
This can be used to dump the AES XTS key and HMAC key of a specific PS4 game PKG. Then one can use maxton's LibOrbisPkg or flatz's pkg_pfs_tool to unpack this PKG file. | |||
==== Analysis ==== | ==== Analysis ==== | ||
Line 1,576: | Line 1,679: | ||
* https://twitter.com/qlutoo/status/1027691272369262594 | * https://twitter.com/qlutoo/status/1027691272369262594 | ||
* https://www.lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/ | * https://www.lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/ | ||
* | * https://twitter.com/flat_z/status/1472243592815169546 | ||
==== Implementation ==== | ==== Implementation ==== | ||
* [https://github.com/jocover/ps4-hen-vtx/releases/tag/pfs_dump Compiled payload for PS4 5.05 by jogolden | * [https://github.com/jocover/ps4-hen-vtx/releases/tag/pfs_dump Compiled payload for PS4 5.05 by jogolden] | ||
* [https://github.com/jocover/ps4-hen-vtx/tree/samu_key_dump Implementation for PS4 5.05 by jogolden | * [https://github.com/jocover/ps4-hen-vtx/tree/samu_key_dump Implementation for PS4 5.05 by jogolden] | ||
* [https://gist.github.com/flatz/22215327864d7512e52268f9c9c51cd8 Exploit PoC for PS4 7.55 by flatz] | |||
* [https://gist.github.com/flatz/22215327864d7512e52268f9c9c51cd8 Exploit PoC for PS4 7.55 by flatz | |||
==== Patched ==== | ==== Patched ==== | ||
Line 1,699: | Line 1,801: | ||
It was also not present on 1.76 and below, so probably appeared when Sony worked on adding ASLR in PS4 Kernel. Also note that Matroska kernel is present on 3.15 even though there is no Kernel ASLR in this version. | It was also not present on 1.76 and below, so probably appeared when Sony worked on adding ASLR in PS4 Kernel. Also note that Matroska kernel is present on 3.15 even though there is no Kernel ASLR in this version. | ||
== Hardware == | == Hardware Exploits == | ||
=== PCIe man-in-the-middle attack === | === PCIe man-in-the-middle attack === |