Editing Vulnerabilities
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 204: | Line 204: | ||
See the [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_%3C=_11.00_-_Remote_vulnerabilities_in_spp_(yielding_kernel_ASLR_defeat)_(CVE-2006-4304_and_no-CVE) PS4 wiki]. | See the [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_%3C=_11.00_-_Remote_vulnerabilities_in_spp_(yielding_kernel_ASLR_defeat)_(CVE-2006-4304_and_no-CVE) PS4 wiki]. | ||
Note that kernel ASLR defeat is currently not working on PS5 and there are protections remaining before being able to | Note that kernel ASLR defeat is currently not working on PS5 and there are protections remaining before being able to | ||
=== Patched === | === Patched === | ||
Line 259: | Line 259: | ||
== SMAP bypass (CVE-2021-29628) == | == SMAP bypass (CVE-2021-29628) == | ||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#Kernel_SMAP | See also [https://www.psdevwiki.com/ps4/Vulnerabilities#Kernel_SMAP]. | ||
=== Credits === | === Credits === | ||
Line 267: | Line 267: | ||
=== Analysis === | === Analysis === | ||
* [https:// | * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29628 CVE-2021-29628 (FreeBSD SMAP bypass) by m00nbsd] | ||
* [https://hackerone.com/reports/1048322 CVE-2021-29628 (PS5 SMAP bypass) by m00nbsd] | |||
* [https:// | |||
=== Bug Description === | === Bug Description === | ||
A SMAP bypass has been found by m00nbsd while working on FreeBSD 12. It is named CVE-2021-29628 and affects FreeBSD 12.2 and later (til it was patched). It does not work on PS4 because PS4 kernel is based on FreeBSD 9 which did not contain the vulnerability and because PS4 SMAP does not come from FreeBSD but is custom from Sony. It used to work on PS5 before it was disclosed and patched. | |||
=== Patched === | === Patched === | ||
Line 311: | Line 309: | ||
= Hypervisor = | = Hypervisor = | ||
== <=2.50 - Hypervisor integrated as part of the kernel binary == | == <=2.50 - Hypervisor integrated as part of the kernel binary == | ||
* Discovered by Specter (2023-07-01) and Flatz (before 2023-07-27). | * Discovered by Specter (2023-07-01) and Flatz (before 2023-07-27). | ||
* This makes Hypervisor exploitation easier as it can be triggered by usermode directly without the need of a kernel exploit. | * This makes Hypervisor exploitation easier as it can be triggered by usermode directly without the need of a kernel exploit. | ||
* See [[Hypervisor#In-Kernel_Hypervisor_.28.3C.3D_2.50.29]] and [https://wololo.net/2023/07/02/ps5-specterdev-shares-details-on-in-kernel-hypervisor-earlier-versions-of-the-ps5-hypervisor-found-in-firmwares/ wololo article (2023-07-02)]. | * See [[Hypervisor#In-Kernel_Hypervisor_.28.3C.3D_2.50.29]] and [https://wololo.net/2023/07/02/ps5-specterdev-shares-details-on-in-kernel-hypervisor-earlier-versions-of-the-ps5-hypervisor-found-in-firmwares/ wololo article (2023-07-02)]. | ||
* Patched since PS5 FW 3.00. | * Patched since PS5 FW 3.00. |