Editing Vulnerabilities
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 73: | Line 73: | ||
==== Vulnerable games ==== | ==== Vulnerable games ==== | ||
Confirmed: | |||
Confirmed | |||
* Raspberry Cube (CUSA16074) | * Raspberry Cube (CUSA16074) | ||
* Aibeya (CUSA17068) | * Aibeya (CUSA17068) | ||
Line 81: | Line 79: | ||
* Hamidashi Creative Demo (CUSA27390) | * Hamidashi Creative Demo (CUSA27390) | ||
Almost confirmed: | |||
* Most else all PS Vita / PS4 games using the Artemis visual novel engine. | |||
* Nora, Princess, and Stray cat (CUSA13303) | |||
Not confirmed: | |||
* Pay Day 2, Mafia III, God of War (which one?). | * Pay Day 2, Mafia III, God of War (which one?). | ||
* Games using the MUGEN engine are vulnerable to many exploits, but it is unknown if some PS4 games use this engine. https://mugen-cheap.fandom.com/wiki/SuperNull | * Games using the MUGEN engine are vulnerable to many exploits, but it is unknown if some PS4 games use this engine. https://mugen-cheap.fandom.com/wiki/SuperNull | ||
Line 125: | Line 127: | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://twitter.com/theflow0/status/1701154155744645349 Removed tweet of BD-JB2 logs on a 7.61 PS5 by TheFloW (2023-09-11)] | * [https://twitter.com/theflow0/status/1701154155744645349 Removed tweet of BD-JB2 logs on a 7.61 PS5 by TheFloW (2023-09-11)] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
Basing on | Basing on BD-JB1 exploit files, in /bdmv/bdjo.xml changing bdjo/applicationManagementTable/baseDirectory to a path of the form `file:///app0/cdc/lib/../../../disc/BDMV/JAR/00000.jar` allows loading a JAR Java executable file. | ||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https://twitter.com/theflow0/status/1717088032031982066 | * [https://twitter.com/theflow0/status/1717088032031982066 PoC by TheFloW (2023-10-25)] | ||
==== Patched ==== | ==== Patched ==== | ||
'''No''' as of PS4 FW 10.71 (maybe patched on PS4 FW 11.00). '''Yes''' on PS5 FW 8.00 | '''No''' as of PS4 FW 10.71 (maybe patched on PS4 FW 11.00). '''Yes''' on PS5 FW 8.00. | ||
=== FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW === | === FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW === | ||
Line 153: | Line 152: | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
TO ADD DESCRIPTION OF EACH ONE OF THE 5 BUGS: | |||
* #1 com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl userprefs hijack leading to classes instantiation under privileged context (affecting ?PS3?, PS4, PS5) | |||
* #2 com.oracle.security.Service leading to privileged constructor call (affecting ?PS3?, PS4, not PS5) | |||
* #3 com.sony.gemstack.org.dvb.io.ixc.IxcProxy leading to privileged method call (affecting ?PS3?, PS4, PS5) | |||
* #4 JIT compiler hack leading to usermode arbitrary RW and arbitrary usermode code execution (affecting ?PS3?, PS4, not PS5) | |||
* #5 UDF buffer overflow kernel exploit (affecting ?PS3?, PS4, PS5) | |||
This exploit chain alone does not allow one to run pirated games on PS4 or PS5 as there is not enough RAM allowed in the BD-J process and there are other constraints. | |||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
Line 236: | Line 221: | ||
---- | ---- | ||
=== FW ? | === FW ?10.00-11.52? - Immediate overflow/underflow in JSC SBFX (CVE-2024-27833) leading to arbitrary code execution === | ||
==== Credits ==== | ==== Credits ==== | ||
* | * Manfred Paul (@_manfp), working with Trend Micro Zero Day Initiative, for discovering the vulnerability on Apple Safari at pwn2own 2024 (2024-03-21) [https://twitter.com/thezdi/status/1770611705510293546 Zero Day Initiative's tweet] | ||
* | * Justin Michaud for fix commit, Yusuke Suzuki for fix commit review (2024-05-15) | ||
* | * Apple disclose that Safari update integrates the fix (2024-06-10) | ||
* xvonfers and Bearseater (@JamesMa52390215) for discovering it affects PS4 and PS5 (2024-06-11) [https://twitter.com/xvonfers/status/1800426437486485635 xvonfer's tweet] | |||
==== Analysis ==== | ==== Analysis ==== | ||
* [https:// | * [https://github.com/WebKit/WebKit/commit/1ea4ef8127276fd00ca43ffcb22bed162072abde WebKit fix commit by Justin Michaud (2024-05-15)] | ||
* [https:// | * [https://bugs.webkit.org/show_bug.cgi?id=271491 WebKit Bugzilla #271491 with restricted access] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
It | There is an integer underflow in WebKit renderer. It was addressed with improved input validation. | ||
The JavaScriptCore Isel SBFX patterns in JavaScriptCore/b3/B3LowerToAir.cpp allowed immediate overflow as 'lsb' and 'width' are not properly checked. | |||
The | SBFX stands for Signed Bitfield Extract. See [https://www.scs.stanford.edu/~zyedidia/arm64/sbfx_sbfm.html] and [https://developer.arm.com/documentation/101273/0001/The-Cortex-M55-Instruction-Set--Reference-Material/Bit-field-instructions/SBFX-and-UBFX]. SBFX is an alias for SBFM (Signed Bitfield Move). See [https://www.scs.stanford.edu/~zyedidia/arm64/sbfm.html]. SBFM is a bitfield extraction opcode. | ||
Isel is a short name for Instruction SELect. This pass transforms generic machine instructions into equivalent target-specific instructions. It traverses the MachineFunction bottom-up, selecting uses before definitions, enabling trivial dead code elimination. | |||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https:// | * [https://github.com/WebKit/WebKit/blob/main/JSTests/stress/sbfx-offset-overflow.js Vulnerability test by Justin Michaud] | ||
* [https://github.com/ | |||
==== Patched ==== | |||
'''Yes''' on PS4 FW 12.00 and PS5 FW ?10.00?. | |||
==== Tested ==== | |||
Tested working on PS4 FWs 11.50 and PS5 FWs ?6.00-9.60?. Not working on PS4 <= 9.00 and PS5 >= 10.01. | |||
---- | |||
=== FW ?10.00?-11.52 - Unknown heap and string overflow (no CVE) leading to crash === | |||
==== Credits ==== | |||
* Debty for PoC public disclose (2024-08-29) | |||
==== Analysis ==== | |||
* [https://github.com/Debvt/Wm/tree/Root0 PoC and analysis by Debty (2024-08-29)] | |||
==== Bug Description ==== | |||
* TODO | |||
Implementation description by Debty:<br /> | |||
String exploit is not actually an exploit but just a memory exhauster. It is not actually viable so instead there is a feature called "latest iteration". | |||
==== Exploit Implementation ==== | |||
* [https://github.com/Debvt/Wm/tree/Root0 PoC by Debty (2024-08-29)] | |||
==== Patched ==== | ==== Patched ==== | ||
''' | '''Yes''' on PS4 FW 12.00 and PS5 FW 10.00. | ||
==== Tested ==== | ==== Tested ==== | ||
Tested working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60. | |||
---- | ---- | ||
=== FW ?6.00-11. | === FW ?6.00-11.52? - Integer underflow in JSC genericTypedArrayViewProtoFuncCopyWithin (CVE-2023-38600) === | ||
==== Credits ==== | ==== Credits ==== | ||
* | * anonymous researcher for discovering the vulnerability and reporting it to Zero Day Initiative (2023-05) | ||
* | * Yusuke Suzuki and Mark Lam for fixing the bug in WebKit (2023-07-31) | ||
* | * Hossein Lotfi for publishing a writeup (2023-10-18) | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://github.com/WebKit/WebKit/commit/ | * [https://www.zerodayinitiative.com/blog/2023/10/17/cve-2023-38600-story-of-an-innocent-apple-safari-copywithin-gone-way-outside Writeup by Hossein Lotfi (2023-10-18)] | ||
* [https://github.com/WebKit/WebKit/commit/6e7e654417b61630d67f02b65798439cf3d6b0b5 WebKit fix commit by Yusuke Suzuki (2023-07-31)] | |||
==== Bug Description ==== | |||
It is required to recompute length properly when resize happens during TypedArray copyWithin. | |||
copyWithin's side effectful operation can resize resizable ArrayBuffer. WebKit has a code catching this and recompute the appropriate copy count again, but it can overflow if `to` or `from` are larger than the newly updated `length`. The patch handles this case correctly: returning since there is no copying content in this case. | |||
The issue was patched by aborting the copy if either of the two variables to or from is larger than the updated length. | |||
The values used during the exploit were sane as they went through a sanitizer function. However, in the final stage, the values were updated without checking if there are inside the buffer length bounds. | |||
According to PS4 WebKit source code for System Software version 11.00, not only it is not patched but it uses code from 2021! Looking at [https://github.com/WebKit/WebKit/blob/cccb58deac3c56a831678458ce95ea5b7c837614/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h#L177 a version close to one in the PS4 source code for System Software version 11.00], it should be exploitable. | |||
==== Exploit Implementation ==== | |||
* [https://gist.github.com/zdi-team/ad320bdc6ad095cc210c7031e0f0ecda/raw/746ce622fe73344ccb9cd51bc03ad97950f4ea3b/CVE-2023-38600-0.js Minimal PoC by Hossein Lotfi (2023-10-18)] | |||
* [https://github.com/WebKit/WebKit/blob/main/JSTests/stress/resizable-array-buffer-copy-within-length-update.js Vulnerability test code by Yusuke Suzuki (2023-07-31)] | |||
==== Patched ==== | |||
'''Maybe''' in FW 11.50. | |||
==== Tested ==== | |||
Not tested yet on PS4 nor PS5. To test on PS4 11.00. | |||
---- | |||
=== FW ?10.00-11.02? - JSC::DFG::clobberize() needs to be more precise with the *ByOffset nodes (CVE-2023-41993) leading to arbitrary RW === | |||
==== Credits ==== | |||
* Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group for discoverting the vulnerability and reporting it (2023-09-21) | |||
* Keith Miller for the WebKit fix commit (2023-10-09) | |||
* po6ix for his writeup (2023-10-15) | |||
==== Analysis ==== | |||
* [https://github.com/WebKit/WebKit/commit/08d5d17c766ffc7ca6a7c833c5720eb71b427784 WebKit fix commit by Keith Miller (2023-10-09)] | |||
* [https://github.com/po6ix/POC-for-CVE-2023-41993 Writeup by po6ix (2023-10-15)] | |||
==== Bug Description ==== | |||
clobberize needs to be more precise with the *ByOffset nodes. CSE phase uses clobberize to figure out if it's safe to merge two operations that def the same HeapLocation. Since HeapLocation does not currently have a way to track the offset used by the various *ByOffset nodes it can get confused and think that two ByOffset instructions produce the same value even if they do not use the same offset. This patch solves this by adding a new field to HeapLocation, which takes the metadata associated with the corresponding *ByOffset node. If two *ByOffset operations don't share the same metadata then they cannot be CSEed. | |||
This vulnerability is ranked 7.5 (HIGH) on CVSS:3.1. | |||
This vulnerability should provide r/w primitive to the webcontent process, but currently the PoC is written only up to addrof/fakeobj. | |||
==== Exploit Implementation ==== | |||
* [https://github.com/po6ix/POC-for-CVE-2023-41993 PoC written only up to addrof/fakeobj by po6ix (2023-10-15)] | |||
==== Patched ==== | |||
'''Maybe''' on PS4 FW 12.00 and PS5 ?10.00? | |||
==== Tested ==== | |||
Not tested yet. According to open source code, PS4 FW 11.00 should be vulnerable. | |||
---- | |||
=== FW 10.00-11.02 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to crash === | |||
==== Credits ==== | |||
* Alexey Shvayka for vulnerability discovery and fixes in WebKit (2023-05-01) | |||
* ENKI for public disclose and writeup (2024-06-03) | |||
* abc (anonymous) for tests and analysis (2024-10-01) | |||
==== Analysis ==== | |||
* [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc Analysis by ENKI (2024-06-03)] | |||
* [https://github.com/WebKit/WebKit/commit/1b0741f400ee2d31931ae30f2ddebe66e8fb0945 Patch commit #1 for vulnerability detection (2023-07-31)] | |||
* [https://github.com/WebKit/WebKit/commit/39476b8c83f0ac6c9a06582e4d8e5aef0bb0a88f Patch commit #2 (2023-05-01)] | |||
* [https://www.zerodayinitiative.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons Inverting Your Assumptions: A Guide to JIT Comparisons by Jasiel Spelman (2018-04-12)] | |||
==== Bug Description ==== | |||
Note that the PS4 web browser JIT support has been removed since around PS4 System Software version 5.00 or lower so using the article directly is not applicable. | |||
The clobber bug PoC turns out not to be a memory corruption. Just like the article said, you can access a `GetterSetter` directly. The crash came from triggering `GetterSetter`'s methods that will call `RELEASE_ASSERT()`. | |||
We actually have [[#FW_?6.00-11.52?_-_get_by_id_with_this_associated_with_ProxyObject_can_leak_JSScope_objects|a bug that can leak `GetterSetter`s]]. | |||
The | In summary with tinkering with this bug, abc (anonymous) do not think that an attacker can do anything useful with accessing a `GetterSetter`. The clobberWorld bug however does allow setting properties in places where you usually cannot like `Function's prototype` as shown in the article. But without JIT, one probably cannot cause any memory corruption. The impact for both bugs (clobberWorld and ProxyObject) is probably just JavaScript execution, which we already have, which is a no go in some context (JS injection) but it does not help in gaining usermode ROP execution on PS4 or PS5. | ||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https:// | * [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc PoC by ENKI (2024-06-03)] | ||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' on PS4 FW | '''Yes''' on PS4 FW 11.50 and PS5 FW 9.00. | ||
==== Tested ==== | ==== Tested ==== | ||
Tested working on PS4 FWs | Tested working on PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60. PS4 FWs <= ?9.60? and PS5 FWs <= ?5.50? are invulnerable. | ||
---- | ---- | ||
Line 416: | Line 489: | ||
==== Tested ==== | ==== Tested ==== | ||
Tested working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.51. Untested: PS5 FWs 2.10-2. | Tested working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.51. Untested: PS5 FWs 2.10-2.50 and >=5.00. | ||
---- | ---- | ||
Line 892: | Line 965: | ||
=== Possible WebKit vulnerabilities === | === Possible WebKit vulnerabilities === | ||
Affecting WebKitGTK: CVE-2023-41074, CVE-2023-42917. | |||
CVE- | |||
== Usermode securities == | == Usermode securities == | ||
Line 957: | Line 1,003: | ||
* See the PS4 [[Syscalls]] list. | * See the PS4 [[Syscalls]] list. | ||
=== | === Syscall 0 disabled i.e Error Kernel: The application directly issues a syscall instruction (24) === | ||
* Between 2.00 and 2.57, SCE has removed system call 0, so we can no longer call any syscall we want by specifying the call number in the rax register. | |||
* Doing so now crashes the app and gives error CE-34878-0, SCE_KERNEL_ABORT_REASON_SYSTEM_ILLEGAL_FUNCTION_CALL, with the message "Kernel: The application directly issues a syscall instruction (24)". | |||
* We now have to use wrappers provided to us from the libkernel / libkernel_web / libkernel_sys modules to access system calls. | |||
=== bpf_write function stripped out of the kernel === | === bpf_write function stripped out of the kernel === | ||
Line 989: | Line 1,028: | ||
* For select types implemented by WebKit (such as JSC::JSFunction), certain pointer fields are XOR'ed by a cryptographic key generated at runtime. The key is generated once every process launch, one must recover it to unpoison the pointers. | * For select types implemented by WebKit (such as JSC::JSFunction), certain pointer fields are XOR'ed by a cryptographic key generated at runtime. The key is generated once every process launch, one must recover it to unpoison the pointers. | ||
== Kernel == | == Kernel == | ||
Line 1,243: | Line 1,276: | ||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' in PS4 7.50 FW and in PS5 5.00 or 5.02 FW. Not working in PS5 FWs <= 2. | '''Yes''' in PS4 7.50 FW and in PS5 5.00 or 5.02 FW. Not working in PS5 FWs <= 2.50. | ||
---- | ---- | ||
Line 1,537: | Line 1,570: | ||
* Discovered by yifan lu (2017-02-19), plutoo and Proxima (2018-08-09), Davee (2018-12-29) for PS Vita, by flatz (2021-12-18) for PlayStation 4. | * Discovered by yifan lu (2017-02-19), plutoo and Proxima (2018-08-09), Davee (2018-12-29) for PS Vita, by flatz (2021-12-18) for PlayStation 4. | ||
=== Bug description === | |||
The PS4 Crypto Coprocessor (CCP) interface in Secure Kernel has a bug that allows to dump (or better saying, bruteforce) key rings from SAMU. | |||
That is how AES/HMAC keys from PFS, portability keys, VTRM keys, etc can be retrieved. A crypto flaw was in the ability to issue HMAC operation with key length stricly lower than 16. For example, by setting it to 1 you can bruteforce key bytes one by one by comparing HMAC result with HMAC result with known partial key. | |||
This trick may work on other crypto hardware as well if it does not restrict key lengths. Amazingly, Intel Secure Key Storage (SKS) of CSME subsystem also has a bug allowing to brute-force any key slot, but the issue exists at hardware level - insecure design of the keys distribution to crypto engines (AES, SHA, RC4). Intel did not recognize the bug arguing that to access SKS the CSME privileged arbitrary code execution is required, but SKS is exactly designed to protect the ROM generated keys from CSME firmware... | |||
This can be used to dump the AES XTS key and HMAC key of a specific PS4 game PKG. Then one can use maxton's LibOrbisPkg or flatz's pkg_pfs_tool to unpack this PKG file. | |||
==== Analysis ==== | ==== Analysis ==== | ||
Line 1,576: | Line 1,584: | ||
* https://twitter.com/qlutoo/status/1027691272369262594 | * https://twitter.com/qlutoo/status/1027691272369262594 | ||
* https://www.lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/ | * https://www.lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/ | ||
* | * https://twitter.com/flat_z/status/1472243592815169546 | ||
==== Implementation ==== | ==== Implementation ==== | ||
* [https://github.com/jocover/ps4-hen-vtx/releases/tag/pfs_dump Compiled payload for PS4 5.05 by jogolden | * [https://github.com/jocover/ps4-hen-vtx/releases/tag/pfs_dump Compiled payload for PS4 5.05 by jogolden] | ||
* [https://github.com/jocover/ps4-hen-vtx/tree/samu_key_dump Implementation for PS4 5.05 by jogolden | * [https://github.com/jocover/ps4-hen-vtx/tree/samu_key_dump Implementation for PS4 5.05 by jogolden] | ||
* [https://gist.github.com/flatz/22215327864d7512e52268f9c9c51cd8 Exploit PoC for PS4 7.55 by flatz] | |||
* [https://gist.github.com/flatz/22215327864d7512e52268f9c9c51cd8 Exploit PoC for PS4 7.55 by flatz | |||
==== Patched ==== | ==== Patched ==== |