Editing Vulnerabilities

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 73: Line 73:


==== Vulnerable games ====
==== Vulnerable games ====
See [[Artemis Engine]] for a list of candidate games.
Confirmed:
 
Confirmed exploitable games:
* Raspberry Cube (CUSA16074)
* Raspberry Cube (CUSA16074)
* Aibeya (CUSA17068)
* Aibeya (CUSA17068)
Line 81: Line 79:
* Hamidashi Creative Demo (CUSA27390)
* Hamidashi Creative Demo (CUSA27390)


Other games that may use Lua scripts:
Almost confirmed:
* Most else all PS Vita / PS4 games using the Artemis visual novel engine.
* Nora, Princess, and Stray cat (CUSA13303)
 
Not confirmed:
* Pay Day 2, Mafia III, God of War (which one?).
* Pay Day 2, Mafia III, God of War (which one?).
* Games using the MUGEN engine are vulnerable to many exploits, but it is unknown if some PS4 games use this engine. https://mugen-cheap.fandom.com/wiki/SuperNull
* Games using the MUGEN engine are vulnerable to many exploits, but it is unknown if some PS4 games use this engine. https://mugen-cheap.fandom.com/wiki/SuperNull
Line 125: Line 127:


==== Analysis ====
==== Analysis ====
* [https://github.com/TheOfficialFloW/Presentations/blob/master/2022-hardwear-io-bd-jb.pdf Pages 27 and 28 of slides presented at hardwear.io by TheFloW (2022-06-10)]
* [https://twitter.com/theflow0/status/1701154155744645349 Removed tweet of BD-JB2 logs on a 7.61 PS5 by TheFloW (2023-09-11)]
* [https://twitter.com/theflow0/status/1701154155744645349 Removed tweet of BD-JB2 logs on a 7.61 PS5 by TheFloW (2023-09-11)]
* [https://github.com/TheOfficialFloW/bd-jb/commit/44713ef59f897ff2125efccbdcb5d07dbe1ffdb5 Diff between UserPreferenceManagerImpl hijack and Path traversal sandbox escape implementations by TheFloW (2024-11-28)]


==== Bug Description ====
==== Bug Description ====
Basing on the BD-JB1 exploit files, in /bdmv/bdjo.xml changing bdjo/applicationManagementTable/baseDirectory to a path of the form `file:///app0/cdc/lib/../../../disc/BDMV/JAR/00000.jar` allows loading a JAR Java executable file. This vulnerability can efficiently replace the UserPreferenceManagerImpl to extend the supported System Software versions range compared to BD-JB1.
Basing on BD-JB1 exploit files, in /bdmv/bdjo.xml changing bdjo/applicationManagementTable/baseDirectory to a path of the form `file:///app0/cdc/lib/../../../disc/BDMV/JAR/00000.jar` allows loading a JAR Java executable file.


==== Exploit Implementation ====
==== Exploit Implementation ====
* [https://twitter.com/theflow0/status/1717088032031982066 Removed PoC by TheFloW (2023-10-25)]
* [https://twitter.com/theflow0/status/1717088032031982066 PoC by TheFloW (2023-10-25)]
* [https://github.com/TheOfficialFloW/bd-jb/blob/d21fd76c0768d05ad01c4722eb21480fa8a8b619/src/com/bdjb/Loader.java#L62 Implementation by TheFloW (2024-11-28)]


==== Patched ====
==== Patched ====
'''No''' as of PS4 FW 10.71 (maybe patched on PS4 FW 11.00). '''Yes''' on PS5 FW 8.00. Probably not patched on PS3.
'''No''' as of PS4 FW 10.71 (maybe patched on PS4 FW 11.00). '''Yes''' on PS5 FW 8.00.


=== FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW ===
=== FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW ===
Line 153: Line 152:


==== Bug Description ====
==== Bug Description ====
This exploit chain alone does not allow one to run pirated games on PS4 or PS5 as there is not enough RAM allowed in the BD-J process and there are other constraints.
TO ADD DESCRIPTION OF EACH ONE OF THE 5 BUGS:


TODO!: ADD DESCRIPTION OF EACH ONE OF THE 5 BUGS:
* #1 com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl userprefs hijack leading to classes instantiation under privileged context (affecting ?PS3?, PS4, PS5)
* #2 com.oracle.security.Service leading to privileged constructor call (affecting ?PS3?, PS4, not PS5)
* #3 com.sony.gemstack.org.dvb.io.ixc.IxcProxy leading to privileged method call (affecting ?PS3?, PS4, PS5)
* #4 JIT compiler hack leading to usermode arbitrary RW and arbitrary usermode code execution (affecting ?PS3?, PS4, not PS5)
* #5 UDF buffer overflow kernel exploit (affecting ?PS3?, PS4, PS5)


===== #1 - userprefs hijack (?PS3?, PS4, PS5) =====
This exploit chain alone does not allow one to run pirated games on PS4 or PS5 as there is not enough RAM allowed in the BD-J process and there are other constraints.
 
com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl userprefs hijack leads to classes instantiation under privileged context.
 
===== #2 - com.oracle.security.Service (?PS3?, PS4, not PS5) =====
 
com.oracle.security.Service leads to privileged constructor call.
 
===== #3 - com.sony.gemstack.org.dvb.io.ixc.IxcProxy leading to privileged method call (?PS3?, PS4, PS5) =====
 
com.sony.gemstack.org.dvb.io.ixc.IxcProxy leads to privileged method call.
 
===== #4 - JIT compiler hack (?PS3?, PS4, not PS5) =====
 
JIT compiler hack leads to usermode arbitrary RW and usermode arbitrary code execution.
 
===== #5 - UDF buffer overflow (?PS3?, PS4, PS5) =====
 
The UDF driver in kernel contains a buffer overflow. Note that no implementation of the UDF kernel exploit has ever been done even by TheFloW, only a kernel panic PoC.


==== Exploit Implementation ====
==== Exploit Implementation ====
Line 236: Line 221:
----
----


=== FW ?6.00-11.52? - Integer underflow in JSC genericTypedArrayViewProtoFuncCopyWithin (CVE-2023-38600) ===
=== FW ?10.00-11.52? - Immediate overflow/underflow in JSC SBFX (CVE-2024-27833) leading to arbitrary code execution ===


==== Credits ====
==== Credits ====
* anonymous researcher for discovering the vulnerability and reporting it to Zero Day Initiative (2023-05)
* Manfred Paul (@_manfp), working with Trend Micro Zero Day Initiative, for discovering the vulnerability on Apple Safari at pwn2own 2024 (2024-03-21) [https://twitter.com/thezdi/status/1770611705510293546 Zero Day Initiative's tweet]
* Yusuke Suzuki and Mark Lam for fixing the bug in WebKit (2023-07-31)
* Justin Michaud for fix commit, Yusuke Suzuki for fix commit review (2024-05-15)
* Hossein Lotfi for publishing a writeup (2023-10-18)
* Apple disclose that Safari update integrates the fix (2024-06-10)
* xvonfers and Bearseater (@JamesMa52390215) for discovering it affects PS4 and PS5 (2024-06-11) [https://twitter.com/xvonfers/status/1800426437486485635 xvonfer's tweet]


==== Analysis ====
==== Analysis ====
* [https://www.zerodayinitiative.com/blog/2023/10/17/cve-2023-38600-story-of-an-innocent-apple-safari-copywithin-gone-way-outside Writeup by Hossein Lotfi (2023-10-18)]
* [https://github.com/WebKit/WebKit/commit/1ea4ef8127276fd00ca43ffcb22bed162072abde WebKit fix commit by Justin Michaud (2024-05-15)]
* [https://github.com/WebKit/WebKit/commit/6e7e654417b61630d67f02b65798439cf3d6b0b5 WebKit fix commit by Yusuke Suzuki (2023-07-31)]
* [https://bugs.webkit.org/show_bug.cgi?id=271491 WebKit Bugzilla #271491 with restricted access]


==== Bug Description ====
==== Bug Description ====
It is required to recompute length properly when resize happens during TypedArray copyWithin.
There is an integer underflow in WebKit renderer. It was addressed with improved input validation.


copyWithin's side effectful operation can resize resizable ArrayBuffer. WebKit has a code catching this and recompute the appropriate copy count again, but it can overflow if `to` or `from` are larger than the newly updated `length`. The patch handles this case correctly: returning since there is no copying content in this case.
The JavaScriptCore Isel SBFX patterns in JavaScriptCore/b3/B3LowerToAir.cpp allowed immediate overflow as 'lsb' and 'width' are not properly checked.
 
The issue was patched by aborting the copy if either of the two variables to or from is larger than the updated length.


The values used during the exploit were sane as they went through a sanitizer function. However, in the final stage, the values were updated without checking if there are inside the buffer length bounds.
SBFX stands for Signed Bitfield Extract. See [https://www.scs.stanford.edu/~zyedidia/arm64/sbfx_sbfm.html] and [https://developer.arm.com/documentation/101273/0001/The-Cortex-M55-Instruction-Set--Reference-Material/Bit-field-instructions/SBFX-and-UBFX]. SBFX is an alias for SBFM (Signed Bitfield Move). See [https://www.scs.stanford.edu/~zyedidia/arm64/sbfm.html]. SBFM is a bitfield extraction opcode.


According to PS4 WebKit source code for System Software version 11.00, not only it is not patched but it uses code from 2021! Looking at [https://github.com/WebKit/WebKit/blob/cccb58deac3c56a831678458ce95ea5b7c837614/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h#L177 a version close to one in the PS4 source code for System Software version 11.00], it should be exploitable.
Isel is a short name for Instruction SELect. This pass transforms generic machine instructions into equivalent target-specific instructions. It traverses the MachineFunction bottom-up, selecting uses before definitions, enabling trivial dead code elimination.


==== Exploit Implementation ====
==== Exploit Implementation ====
* [https://gist.github.com/zdi-team/ad320bdc6ad095cc210c7031e0f0ecda/raw/746ce622fe73344ccb9cd51bc03ad97950f4ea3b/CVE-2023-38600-0.js Minimal PoC by Hossein Lotfi (2023-10-18)]
* [https://github.com/WebKit/WebKit/blob/main/JSTests/stress/sbfx-offset-overflow.js Vulnerability test by Justin Michaud]
* [https://github.com/WebKit/WebKit/blob/main/JSTests/stress/resizable-array-buffer-copy-within-length-update.js Vulnerability test code by Yusuke Suzuki (2023-07-31)]
 
==== Patched ====
'''Yes''' on PS4 FW 12.00 and PS5 FW ?10.00?.
 
==== Tested ====
Tested working on PS4 FWs 11.50 and PS5 FWs ?6.00-9.60?. Not working on PS4 <= 9.00 and PS5 >= 10.01.
----
 
=== FW ?10.00?-11.52 - Unknown heap and string overflow (no CVE) leading to crash ===
 
==== Credits ====
* Debty for PoC public disclose (2024-08-29)
 
==== Analysis ====
* [https://github.com/Debvt/Wm/tree/Root0 PoC and analysis by Debty (2024-08-29)]
 
==== Bug Description ====
* TODO
 
Implementation description by Debty:<br />
String exploit is not actually an exploit but just a memory exhauster. It is not actually viable so instead there is a feature called "latest iteration".
 
==== Exploit Implementation ====
* [https://github.com/Debvt/Wm/tree/Root0 PoC by Debty (2024-08-29)]


==== Patched ====
==== Patched ====
'''Maybe''' in FW 11.50.
'''Yes''' on PS4 FW 12.00 and PS5 FW 10.00.


==== Tested ====
==== Tested ====
Not tested yet on PS4 nor PS5. To test on PS4 11.00.
Tested working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60.
----
----


=== FW ?6.00-11.00? - CloneDeserializer::deserialize() UaF (CVE-2023-28205) leading to arbitrary RW ===
=== FW ?6.00-11.52? - Integer underflow in JSC genericTypedArrayViewProtoFuncCopyWithin (CVE-2023-38600) ===


==== Credits ====
==== Credits ====
* Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab for discovering the vulnerability and reporting it to Apple (2023-04-10)
* anonymous researcher for discovering the vulnerability and reporting it to Zero Day Initiative (2023-05)
* Justin Michaud, Mark Lam and JonWBedard for fixing the bug in WebKit (2023-04-17)
* Yusuke Suzuki and Mark Lam for fixing the bug in WebKit (2023-07-31)
* abc (anonymous) for making an OOM PoC for PS4 and PS5 (2024-12-01)
* Hossein Lotfi for publishing a writeup (2023-10-18)


==== Analysis ====
==== Analysis ====
* [https://github.com/WebKit/WebKit/commit/c9880de4a28b9a64a5e1d0513dc245d61a2e6ddb WebKit fix commit (2023-04-17)]
* [https://www.zerodayinitiative.com/blog/2023/10/17/cve-2023-38600-story-of-an-innocent-apple-safari-copywithin-gone-way-outside Writeup by Hossein Lotfi (2023-10-18)]
* [https://github.com/WebKit/WebKit/commit/6e7e654417b61630d67f02b65798439cf3d6b0b5 WebKit fix commit by Yusuke Suzuki (2023-07-31)]
 
==== Bug Description ====
It is required to recompute length properly when resize happens during TypedArray copyWithin.
 
copyWithin's side effectful operation can resize resizable ArrayBuffer. WebKit has a code catching this and recompute the appropriate copy count again, but it can overflow if `to` or `from` are larger than the newly updated `length`. The patch handles this case correctly: returning since there is no copying content in this case.
 
The issue was patched by aborting the copy if either of the two variables to or from is larger than the updated length.
 
The values used during the exploit were sane as they went through a sanitizer function. However, in the final stage, the values were updated without checking if there are inside the buffer length bounds.
 
According to PS4 WebKit source code for System Software version 11.00, not only it is not patched but it uses code from 2021! Looking at [https://github.com/WebKit/WebKit/blob/cccb58deac3c56a831678458ce95ea5b7c837614/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h#L177 a version close to one in the PS4 source code for System Software version 11.00], it should be exploitable.
 
==== Exploit Implementation ====
* [https://gist.github.com/zdi-team/ad320bdc6ad095cc210c7031e0f0ecda/raw/746ce622fe73344ccb9cd51bc03ad97950f4ea3b/CVE-2023-38600-0.js Minimal PoC by Hossein Lotfi (2023-10-18)]
* [https://github.com/WebKit/WebKit/blob/main/JSTests/stress/resizable-array-buffer-copy-within-length-update.js Vulnerability test code by Yusuke Suzuki (2023-07-31)]
 
==== Patched ====
'''Maybe''' in FW 11.50.
 
==== Tested ====
Not tested yet on PS4 nor PS5. To test on PS4 11.00.
----
 
=== FW ?10.00-11.02? - JSC::DFG::clobberize() needs to be more precise with the *ByOffset nodes (CVE-2023-41993) leading to arbitrary RW ===
 
==== Credits ====
* Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group for discoverting the vulnerability and reporting it (2023-09-21)
* Keith Miller for the WebKit fix commit (2023-10-09)
* po6ix for his writeup (2023-10-15)
 
==== Analysis ====
* [https://github.com/WebKit/WebKit/commit/08d5d17c766ffc7ca6a7c833c5720eb71b427784 WebKit fix commit by Keith Miller (2023-10-09)]
* [https://github.com/po6ix/POC-for-CVE-2023-41993 Writeup by po6ix (2023-10-15)]
 
==== Bug Description ====
clobberize needs to be more precise with the *ByOffset nodes. CSE phase uses clobberize to figure out if it's safe to merge two operations that def the same HeapLocation. Since HeapLocation does not currently have a way to track the offset used by the various *ByOffset nodes it can get confused and think that two ByOffset instructions produce the same value even if they do not use the same offset. This patch solves this by adding a new field to HeapLocation, which takes the metadata associated with the corresponding *ByOffset node. If two *ByOffset operations don't share the same metadata then they cannot be CSEed.
 
This vulnerability is ranked 7.5 (HIGH) on CVSS:3.1.
 
This vulnerability should provide r/w primitive to the webcontent process, but currently the PoC is written only up to addrof/fakeobj.
 
==== Exploit Implementation ====
* [https://github.com/po6ix/POC-for-CVE-2023-41993 PoC written only up to addrof/fakeobj by po6ix (2023-10-15)]
 
==== Patched ====
'''Maybe''' on PS4 FW 12.00 and PS5 ?10.00?
 
==== Tested ====
Not tested yet. According to open source code, PS4 FW 11.00 should be vulnerable.
----
 
=== FW 10.00-11.02 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to crash ===
 
==== Credits ====
* Alexey Shvayka for vulnerability discovery and fixes in WebKit (2023-05-01)
* ENKI for public disclose and writeup (2024-06-03)
* abc (anonymous) for tests and analysis (2024-10-01)
 
==== Analysis ====
* [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc Analysis by ENKI (2024-06-03)]
* [https://github.com/WebKit/WebKit/commit/1b0741f400ee2d31931ae30f2ddebe66e8fb0945 Patch commit #1 for vulnerability detection (2023-07-31)]
* [https://github.com/WebKit/WebKit/commit/39476b8c83f0ac6c9a06582e4d8e5aef0bb0a88f Patch commit #2 (2023-05-01)]
* [https://www.zerodayinitiative.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons Inverting Your Assumptions: A Guide to JIT Comparisons by Jasiel Spelman (2018-04-12)]
 
==== Bug Description ====
Note that the PS4 web browser JIT support has been removed since around PS4 System Software version 5.00 or lower so using the article directly is not applicable.


==== Bug Description ====
The clobber bug PoC turns out not to be a memory corruption. Just like the article said, you can access a `GetterSetter` directly. The crash came from triggering `GetterSetter`'s methods that will call `RELEASE_ASSERT()`.
Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects in a few Vectors, in a MarkedArgumentBufferBase. This is problematic because the GC is not aware of Vectors, and cannot scan them. Instead, CloneDeserializer::deserialize() should store cell pointers in a MarkedVector.


The PoC code triggers a use-after-free (UaF) vulnerability by delaying the addition of Map and Date objects, which allows the garbage collector (GC) to free them. This can potentially lead to accessing freed objects to corrupt memory. Then it cannot avoid executing a release assert that causes an Out-Of-Memory crash.
We actually have [[#FW_?6.00-11.52?_-_get_by_id_with_this_associated_with_ProxyObject_can_leak_JSScope_objects|a bug that can leak `GetterSetter`s]].


The WebKit patch refactors the MarkedArgumentBuffer class into a MarkedVector template class.
In summary with tinkering with this bug, abc (anonymous) do not think that an attacker can do anything useful with accessing a `GetterSetter`. The clobberWorld bug however does allow setting properties in places where you usually cannot like `Function's prototype` as shown in the article. But without JIT, one probably cannot cause any memory corruption. The impact for both bugs (clobberWorld and ProxyObject) is probably just JavaScript execution, which we already have, which is a no go in some context (JS injection) but it does not help in gaining usermode ROP execution on PS4 or PS5.


==== Exploit Implementation ====
==== Exploit Implementation ====
* [https://github.com/ntfargo/uaf-2023-28205/blob/main/poc.js PoC by abc (2024-12-01)]
* [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc PoC by ENKI (2024-06-03)]


==== Patched ====
==== Patched ====
'''Yes''' on PS4 FW ?11.00? and PS5 FW ?8.00?.
'''Yes''' on PS4 FW 11.50 and PS5 FW 9.00.


==== Tested ====
==== Tested ====
Tested working on PS4 FWs ? and PS5 FWs 6.00-7.61.
Tested working on PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60. PS4 FWs <= ?9.60? and PS5 FWs <= ?5.50? are invulnerable.
----
----


Line 416: Line 489:


==== Tested ====
==== Tested ====
Tested working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.51. Untested: PS5 FWs 2.10-2.70 and >=5.00.
Tested working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.51. Untested: PS5 FWs 2.10-2.50 and >=5.00.
----
----


Line 892: Line 965:
=== Possible WebKit vulnerabilities ===
=== Possible WebKit vulnerabilities ===


<pre>
Affecting WebKitGTK: CVE-2023-41074, CVE-2023-42917.
CVE-2017-7064
https://project-zero.issues.chromium.org/issues/42450258
 
CVE-2018-4192
https://blog.ret2.io/2018/06/13/pwn2own-2018-vulnerability-discovery/
https://blog.ret2.io/2018/06/19/pwn2own-2018-root-cause-analysis/#arrayreverse-considered-harmful
https://blog.ret2.io/2018/07/11/pwn2own-2018-jsc-exploit/
 
CVE-2018-4443
WebKit JSC - 'AbstractValue::set' Use-After-Free
lokihardt of Google Project Zero
2019-01-22
https://www.exploit-db.com/exploits/46071
 
Improper Restriction of Operations within the Bounds of a Memory Buffer
 
Unknown CVE
Luca Todesco (qwertyruiopz)
before 2019-08-15
https://gist.github.com/jakeajames/5ceb90ebaa34eabb3e170b5c7eb2c7d1/revisions
</pre>
 
=== Resources for WebKit exploitation ===
 
https://webkit.org/blog/12967/understanding-gc-in-jsc-from-scratch/
 
https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html


== Usermode securities ==
== Usermode securities ==
Line 957: Line 1,003:
* See the PS4 [[Syscalls]] list.
* See the PS4 [[Syscalls]] list.


=== Direct Syscall invocation disabled in PS4 Kernel ===
=== Syscall 0 disabled i.e Error Kernel: The application directly issues a syscall instruction (24) ===
 
Between 2.00 and 2.57, SCE has disabled direct system calls by usermode, by adding some checks in the PS4 kernel. An attacker can no longer call any syscall he wants by specifying the call number in the rax register and jump directly to the call instructions part of a syscall stub. Indeed, now the PS4 (but not PS5) implementation of <code>amd64_syscall</code> checks the following:
* The address in the Instruction Pointer (IP) of the call must be within the memory range of the associated libkernel module of the process,
* The code pointed by the Instruction Pointer (IP) must follow the syscall stub format,
* The syscall number passed in argument to <code>amd64_syscall</code> must corresponds to the stub's syscall number. <code>amd64_syscall</code> checks the stub's <code>mov rax, syscall_number</code> instruction.
 
Since PS4 version 3.00, issuing directly a syscall instruction crashes the application and gives error CE-34878-0, (<code>SCE_KERNEL_ABORT_REASON_SYSTEM_ILLEGAL_FUNCTION_CALL</code>), displaying the message "Kernel: The application directly issues a syscall instruction (24)".
 
An attacker is now forced to use wrappers provided from the libkernel / libkernel_web / libkernel_sys modules to trigger system calls.


The PS5 does not enforce the passed syscall number and thus any code can directly issue an arbitrary syscall even if the associated libkernel does not provide it.
* Between 2.00 and 2.57, SCE has removed system call 0, so we can no longer call any syscall we want by specifying the call number in the rax register.
* Doing so now crashes the app and gives error CE-34878-0, SCE_KERNEL_ABORT_REASON_SYSTEM_ILLEGAL_FUNCTION_CALL, with the message "Kernel: The application directly issues a syscall instruction (24)".
* We now have to use wrappers provided to us from the libkernel / libkernel_web / libkernel_sys modules to access system calls.


=== bpf_write function stripped out of the kernel ===
=== bpf_write function stripped out of the kernel ===
Line 989: Line 1,028:


* For select types implemented by WebKit (such as JSC::JSFunction), certain pointer fields are XOR'ed by a cryptographic key generated at runtime. The key is generated once every process launch, one must recover it to unpoison the pointers.
* For select types implemented by WebKit (such as JSC::JSFunction), certain pointer fields are XOR'ed by a cryptographic key generated at runtime. The key is generated once every process launch, one must recover it to unpoison the pointers.
=== Flush-to-Zero and Denormals-are-Zero Floating-Point environment ===
[https://en.wikipedia.org/wiki/Subnormal_number Subnormal numbers] (also called as denormal numbers in IEEE 754 documents before the 2008 version) are treated as 0 on the PlayStation runtime environment. This isn't technically a security technique but it does inhibit any exploit that uses floating-point numbers for read/write.
An example entrypoint is WebKit where exploits have commonly used double arrays with incorrect length to read/write certain memory areas to gain arbitrary read/write or even code execution. With FTZ/DAZ, the possible 64-bit values one can write have become even more limited. Reads using double arrays are also affected. Even if the bit pattern is nonzero but encodes a subnormal, it will be read by the JavaScript engine as 0.


== Kernel ==
== Kernel ==
Line 1,243: Line 1,276:


==== Patched ====
==== Patched ====
'''Yes''' in PS4 7.50 FW and in PS5 5.00 or 5.02 FW. Not working in PS5 FWs <= 2.70.
'''Yes''' in PS4 7.50 FW and in PS5 5.00 or 5.02 FW. Not working in PS5 FWs <= 2.50.
----
----


Line 1,537: Line 1,570:
* Discovered by yifan lu (2017-02-19), plutoo and Proxima (2018-08-09), Davee (2018-12-29) for PS Vita, by flatz (2021-12-18) for PlayStation 4.
* Discovered by yifan lu (2017-02-19), plutoo and Proxima (2018-08-09), Davee (2018-12-29) for PS Vita, by flatz (2021-12-18) for PlayStation 4.


==== Bug description ====
=== Bug description ===
 
The PS4 Crypto Coprocessor (CCP) interface in Secure Kernel has a bug that allows to dump (or better saying, bruteforce) key rings from SAMU. A crypto flaw was in the ability to issue HMAC operation with key length stricly lower than 16. For example, by setting it to 1 you can bruteforce key bytes one by one by comparing HMAC result with HMAC result with known partial key.
 
This trick may work on other crypto hardware as well if it does not restrict key lengths. Amazingly, Intel Secure Key Storage (SKS) of CSME subsystem also has a bug allowing to brute-force any key slot, but the issue exists at hardware level - insecure design of the keys distribution to crypto engines (AES, SHA, RC4). Intel did not recognize the bug arguing that to access SKS the CSME privileged arbitrary code execution is required, but SKS is exactly designed to protect the ROM generated keys from CSME firmware...
 
This exploit can be used to dump the PFS AES XTS and HMAC keys of a specific PS4 game PKG. Then one can use maxton's LibOrbisPkg or flatz's pkg_pfs_tool to unpack this PKG file.
 
It also lets one retrieve portability master keys. They decrypt blobs (stored in non-secure world, like in [[SceShellcore]]) that contain the portability keys.
 
Below is a sample code to dump some "raw" keys (as named by flatz).
<source lang="C">
unsigned int key_count = 0x160;
unsigned int max_key_size = 0x40;
unsigned int *key_ids = (unsigned int *) malloc (key_count * 4);
unsigned int key_id = 0;
while (key_id < 0x160) {
    key_ids[key_id] = key_id;
    key_id++;
}
uint8_t* key_data = NULL;
size_t key_data_size = 0;
dump_raw_keys(key_ids, key_count, max_key_size, &key_data, &key_data_size);
hexdump(&key_data, &key_data_size);
</source>
 
A sample code to dump portability keys is available on [https://github.com/SiSTR0/ps4-hen-vtx/compare/master...jocover:ps4-hen-vtx:samu_key_dump#diff-e44475b3203baef04439ee15f01629a5752685028fc9118e3d2087dab7379698R908 line 908 of kpayload/source/samu_dump.c]. Note that not all keys are used as some may be deprecated or added with System Software revisions.


Dumped savedata keys would be per-save, as the dumped key ring should only contain the derivated key (XTS) but not the one used to generate it.
The PS4 Crypto Coprocessor (CCP) interface in Secure Kernel has a bug that allows to dump (or better saying, bruteforce) key rings from SAMU.
That is how AES/HMAC keys from PFS, portability keys, VTRM keys, etc can be retrieved. A crypto flaw was in the ability to issue HMAC operation with key length stricly lower than 16. For example, by setting it to 1 you can bruteforce key bytes one by one by comparing HMAC result with HMAC result with known partial key.


Finally, one can retrieve its per-console VTRM keys (which are notably used for per-account securities like for act.dat and [[RIF]]).
This trick may work on other crypto hardware as well if it does not restrict key lengths. Amazingly, Intel Secure Key Storage (SKS) of CSME subsystem also has a bug allowing to brute-force any key slot, but the issue exists at hardware level - insecure design of  the keys distribution to crypto engines (AES, SHA, RC4). Intel did not recognize the bug arguing that to access SKS the CSME privileged arbitrary code execution is required, but SKS is exactly designed to protect the ROM generated keys from CSME firmware...


However, master keyrings are the 0, 1, and 2 ones and cannot be dump them with this trick because they get locked during the [[bootprocess]] and cannot be read nor written nor copied to other keyrings. See also [https://wiki.henkaku.xyz/vita/Cmep_Key_Ring_Base PS Vita keyrings].
This can be used to dump the AES XTS key and HMAC key of a specific PS4 game PKG. Then one can use maxton's LibOrbisPkg or flatz's pkg_pfs_tool to unpack this PKG file.


==== Analysis ====
==== Analysis ====
Line 1,576: Line 1,584:
* https://twitter.com/qlutoo/status/1027691272369262594
* https://twitter.com/qlutoo/status/1027691272369262594
* https://www.lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/
* https://www.lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/
* [https://twitter.com/flat_z/status/1472243592815169546 Short explanation by flatz (2021-12-18)]
* https://twitter.com/flat_z/status/1472243592815169546


==== Implementation ====
==== Implementation ====


* [https://github.com/jocover/ps4-hen-vtx/releases/tag/pfs_dump Compiled payload for PS4 5.05 by jogolden (2023-03-18)]
* [https://github.com/jocover/ps4-hen-vtx/releases/tag/pfs_dump Compiled payload for PS4 5.05 by jogolden]
* [https://github.com/jocover/ps4-hen-vtx/tree/samu_key_dump Implementation for PS4 5.05 by jogolden (2023-03-18)]
* [https://github.com/jocover/ps4-hen-vtx/tree/samu_key_dump Implementation for PS4 5.05 by jogolden]
* [https://github.com/SiSTR0/ps4-hen-vtx/compare/master...jocover:ps4-hen-vtx:samu_key_dump Minimal implementation for PS4 5.05 by jogolden (2023-03-18)]
* [https://gist.github.com/flatz/22215327864d7512e52268f9c9c51cd8 Exploit PoC for PS4 7.55 by flatz]
* [https://gist.github.com/flatz/22215327864d7512e52268f9c9c51cd8 Exploit PoC for PS4 7.55 by flatz (2021-12-18)]


==== Patched ====
==== Patched ====
Please note that all contributions to PS4 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS4 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)