Editing Vulnerabilities


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
=Usermode Exploits (Game Savedata) ==
= Usermode =


=== PS1 games savedata exploits ===
== BD-J exploits ==
 
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS1_games_savedata_exploits PS4 Dev Wiki].
 
=== PS2 games savedata exploits ===
 
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS2_games_savedata_exploits PS4 Dev Wiki].
 
=== PSP games savedata exploits ===
 
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PSP_games_savedata_exploits PS4 Dev Wiki].
 
=== PS4/PS5 PS2emu sandbox escape (mast1c0re) ===
 
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS4.2FPS5_PS2emu_sandbox_escape_.28mast1c0re.29 PS4 Dev Wiki].
 
=== PS4/PS5 game savedata Lua exploit ===
 
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS4/PS5_game_savedata_Lua_exploit PS4 Dev Wiki].
 
=== PS5 PS4emu sandbox escape ===
 
Nothing yet.
 
== Usermode Exploits (BD-J) ==


=== FW <= 7.61 - BD-JB2 - Path traversal sandbox escape by TheFloW ===
=== FW <= 7.61 - BD-JB2 - Path traversal sandbox escape by TheFloW ===


See [{{ps4wikiurl}}Vulnerabilities#FW_&#60;=_10.71_-_BD-JB2_-_Path_traversal_sandbox_escape_by_TheFloW FW <= 10.71 - BD-JB2 - Path traversal sandbox escape by TheFloW].
See [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_%3C=10.71_-_BD-JB2_-_Path_traversal_sandbox_escape_by_TheFloW].


==== Patched ====
==== Patched ====
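Review bot: the heading on the Latest revision side, `=Usermode Exploits (Game Savedata) ==`, has one leading and two trailing equals signs, so MediaWiki will not parse it as a heading and the savedata subsections below it end up nested under the wrong parent; it should read `== Usermode Exploits (Game Savedata) ==` (level 2, under `= Usermode =`). Two smaller points in the same hunk: the undo replaces `[{{ps4wikiurl}}Vulnerabilities#... FW <= 10.71 - BD-JB2 - Path traversal sandbox escape by TheFloW]` with a bracketed URL that carries no label, which renders as a bare numbered link `[1]` rather than the section name, and the savedata anchors mix legacy `.2F`/`.28` escaping (mast1c0re link) with a raw `/` (Lua link), so both forms should be checked against the PS4 Dev Wiki's actual heading ids.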
Line 37: Line 13:
=== FW <= 4.51 - BD-JB - Five vulnerabilities chained by TheFloW ===
=== FW <= 4.51 - BD-JB - Five vulnerabilities chained by TheFloW ===


See [{{ps4wikiurl}}Vulnerabilities#FW_&#60;=_9.00_-_BD-JB_-_Five_vulnerabilities_chained_by_TheFloW FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW].
See [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_%3C=9.00_-_BD-JB_-_Five_vulnerabilities_chained_by_TheFloW].


==== Implementations ====
==== Implementations ====
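Review bot: same labelling regression as in the BD-JB2 hunk: `See [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_%3C=9.00_-_BD-JB_-_Five_vulnerabilities_chained_by_TheFloW].` has no link text, so it renders as `See [1].`; keep the labelled form `[... FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW]` on whichever side is kept.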
Line 50: Line 26:
'''Yes''' partially on PS5 FWs > 4.50 (need to test). Probably unpatched on FW 4.51 and patched on FW 5.00.
'''Yes''' partially on PS5 FWs > 4.50 (need to test). Probably unpatched on FW 4.51 and patched on FW 5.00.


== Usermode Exploits (WebKit) ==
== WebKit exploits ==


Contrarily to PS4, on PS5, a WebKit exploit usually do not allow arbitrary read/write to usermode code sections because of PS5 memory protections (notably XOM). However thanks to leaks of usermode libraries .text section binaries, by other sort of vulnerabilities, and to RW access to WebKit .data section allowed by the WebKit exploit, it is possible to trigger usermode ROP code execution.
Contrarly to PS4, on PS5 WebKit exploit usually do not allow arbitrary RW to usermode code sections because of PS5 memory protections (notably XOM). However thanks to leaks of usermode libraries .text section binaries, by other sort of vulnerabilities, and to RW access to WebKit .data section allowed by the WebKit exploit, it is possible to trigger usermode ROP code execution.


=== Modal Browser HTTPS Bypass ===
=== Modal Browser HTTPS Bypass ===
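Review bot: the Patched line contradicts itself: `'''Yes''' partially on PS5 FWs > 4.50 (need to test). Probably unpatched on FW 4.51 and patched on FW 5.00.` claims patched above 4.50 and unpatched on 4.51 in the same sentence; state the ranges explicitly (patched from 5.00, 4.51 untested). In the WebKit paragraph both sides read `a WebKit exploit usually do not allow`; the subject is singular, so `does not allow`, and the undo side also reintroduces the `Contrarly` spelling that the Latest revision already corrected to `Contrarily`.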
Line 61: Line 37:


'''No''' as of PS5 FW 5.10.
'''No''' as of PS5 FW 5.10.
=== FW 6.00-9.60 - Unknown heap and string overflow (no CVE) leading to crash ===
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00?-11.52_-_Unknown_heap_and_string_overflow_(no_CVE)_leading_to_crash].
==== Patched ====
'''Yes''' on PS4 FW 12.00 and PS5 FW 10.00.
==== Tested ====
Tested and working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60.
=== Untested - mmap issue involving pointer address misalignment leading to nothing for now ===
==== Credits ====
* Jasmine, working for Sony, for information through a WebKit commit (2022-10-19)
==== Analysis ====
* https://bugs.webkit.org/show_bug.cgi?id=246763
==== Bug Description ====
There is a mmap issue involving pointer address misalignment because of a failing assert [https://github.com/WebKit/WebKit/blob/main/Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.cpp#L94 here]. A workaround is to set HAVE_MAP_ALIGNED flag as OFF in OptionsPlayStation.cmake: [https://github.com/WebKit/WebKit/commit/626585db9857b7630cf34d82f9a0555720f15bca]. This workaround can be reverted after the mmap issue is resolved. Currently, the workaround is still enabled: [https://github.com/WebKit/WebKit/blob/ab2fff92b37e52d6c65e215b155e6b92f1646954/Source/cmake/OptionsPlayStation.cmake#L251]
OptionsPlayStation.cmake is present in the PS4 11.00 OSS WebKit source code but does not contain the HAVE_MAP_ALIGNED flag, and according to dates, this might concern only the PS5.
==== Exploit Implementation ====
==== Patched ====
'''Maybe'''
==== Tested ====
Not tested yet on PS4 nor PS5.
----


=== FW ?6.00-9.60? - get_by_id_with_this associated with ProxyObject can leak JSScope objects ===
=== FW ?6.00-9.60? - get_by_id_with_this associated with ProxyObject can leak JSScope objects ===


See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_get_by_id_with_this_associated_with_ProxyObject_can_leak_JSScope_objects].
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_get_by_id_with_this_associated_with_ProxyObject_can_leak_JSScope_objects].
=== FW ?6.00-9.60? - Immediate overflow/underflow in JSC SBFX (CVE-2024-27833) leading to arbitrary code execution ===
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00-11.52?_-_Immediate_overflow/underflow_in_JSC_SBFX_(CVE-2024-27833)_leading_to_arbitrary_code_execution].
=== FW ?6.00?-9.60 - Unknown heap and string overflow (no CVE) leading to crash ===
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00?-11.52_-_Unknown_heap_and_string_overflow_(no_CVE)_leading_to_crash].


==== Patched ====
==== Patched ====
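Review bot: the mmap analysis links `StructureAlignedMemoryAllocator.cpp#L94` on the `main` branch, so the line reference will drift as the file changes; pin it to a commit as the OptionsPlayStation.cmake link already does (`ab2fff92...`). `==== Exploit Implementation ====` has no body and `==== Patched ====` says only `'''Maybe'''` with nothing to support it; either fill them from the linked bug or drop the empty headings. The `Unknown heap and string overflow` section also appears twice in this hunk with different headings (`FW 6.00-9.60` and `FW ?6.00?-9.60`); since the Tested line states PS5 FWs 6.00-9.60 as confirmed, the heading without question marks is the consistent one.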
Line 78: Line 96:
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_Integer_underflow_in_JSC_genericTypedArrayViewProtoFuncCopyWithin_(CVE-2023-38600)].
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_Integer_underflow_in_JSC_genericTypedArrayViewProtoFuncCopyWithin_(CVE-2023-38600)].


==== Patched ====
=== FW ?6.00-8.60? - JSC::DFG::clobberize() needs to be more precise with the *ByOffset nodes (CVE-2023-41993) leading to arbitrary RW ===


'''Yes''' on PS4 FW 11.50 and PS5 FW 9.00.
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00-11.02?_-_JSC::DFG::clobberize()_needs_to_be_more_precise_with_the_*ByOffset_nodes_(CVE-2023-41993)_leading_to_arbitrary_RW].


==== Tested ====
=== FW 6.00-8.60 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to arbitrary RW ===


Tested and working on PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60.
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_10.00-11.02_-_JSC_DFG_Abstract_Intepreter_clobberWorld_Type_Confusion_(no_CVE)_leading_to_arbitrary_RW].
 
=== FW <= 7.61 - CloneDeserializer::deserialize() UaF (CVE-2023-28205) leading to arbitrary RW ===
 
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_%3F6.00-11.00%3F_-_CloneDeserializer%3A%3Adeserialize%28%29_UaF_%28CVE-2023-28205%29_leading_to_arbitrary_RW].


==== Patched ====
==== Patched ====


'''Yes''' on PS4 FW ?11.00? and PS5 FW ?8.00?.
'''Yes''' on PS4 FW 11.50 and PS5 FW 9.00.


==== Tested ====
==== Tested ====


Tested and working on PS4 FWs ? and PS5 FWs 6.00-7.61.
Tested and working on PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60.


=== FW <= 5.50 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW ===
=== FW <= 5.50 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW ===
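Review bot: the CloneDeserializer section's status lines are placeholders: `'''Yes''' on PS4 FW ?11.00? and PS5 FW ?8.00?` and `Tested and working on PS4 FWs ? and PS5 FWs 6.00-7.61`; a bare `?` in a Patched line reads like a confirmed version to a skimming reader, so say in words that the PS4 figures are unverified. Also, `Abstract Intepreter` in the clobberWorld heading is a typo for `Interpreter`; correct it in the heading only, since the linked PS4 Dev Wiki anchor `..._JSC_DFG_Abstract_Intepreter_clobberWorld_...` must keep the target page's spelling to resolve.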
Line 126: Line 140:


Tested and working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.51. Untested: PS5 FWs 2.10-2.70 and >=5.00.
Tested and working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.51. Untested: PS5 FWs 2.10-2.70 and >=5.00.
== Game savedata exploits ==
=== PS1 games savedata exploits ===
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS1_games_savedata_exploits PS4 Dev Wiki].
=== PS2 game savedata exploits ===
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS2_games_savedata_exploits PS4 Dev Wiki].
=== PSP games savedata exploits ===
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PSP_games_savedata_exploits PS4 Dev Wiki].
=== PS4/PS5 PS2emu sandbox escape (mast1c0re) ===
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS4.2FPS5_PS2emu_sandbox_escape_.28mast1c0re.29 PS4 Dev Wiki].
=== PS4/PS5 game savedata LUA exploit ===
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS4/PS5_game_savedata_LUA_exploit PS4 Dev Wiki].
== PS4 emulator exploits ==
Nothing yet.


== Usermode securities ==
== Usermode securities ==
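Review bot: the undo side's Lua link targets `#PS4/PS5_game_savedata_LUA_exploit` while the Latest revision's points to `#PS4/PS5_game_savedata_Lua_exploit`; anchors are case-sensitive, so only one of them matches the PS4 Dev Wiki heading and the other silently lands at the top of the page. Two heading inconsistencies in the same block: `PS2 game savedata exploits` here versus `PS2 games savedata exploits` elsewhere, and `== PS4 emulator exploits ==` is level 2 while its sibling savedata entries are level 3.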
Line 136: Line 176:


= Kernel =
= Kernel =
== Page Table Page UaF ==
A bug in the * syscalls allows freeing the Page Table (PT) of a user virtual address (VA). pmap_unuse_pt clears the PTE of a UVA and unwires the PT Page and the pages of the associated higher level PTs. If the wire count of a page drops to 0, it's freed. The function doesn't clear any entry in the higher levels. This is perfectly safe even when the PT page is freed since the entries got cleared so a PT walk will still fault.
A user may map a UVA, free its lowest level PT page, then spray kernel VAs whose indices match the UVA's. Since the PT page is freed, a PDE backing a KVA will eventually reuse it, we in turn have a UVA and a KVA pointing to the same physical memory. This can be used to gain a stable kernel R/W.
=== Credits ===
* anonymouse researcher (0-day, undisclosed).
=== Patched ===
'''Not yet.'''


== CR0.WP and XOM bypass ==
== CR0.WP and XOM bypass ==
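Review bot: `A bug in the * syscalls` leaves an asterisk where the affected syscalls should be named; if they are deliberately withheld, say so in words (`unspecified syscalls, undisclosed`) rather than leaving what reads like a wildcard or a formatting glitch. The sentence `This is perfectly safe even when the PT page is freed since the entries got cleared so a PT walk will still fault` overstates the case: it only holds at that instant, and the next paragraph shows that the higher-level entry still pointing at the freed page is exactly the problem, so phrase it as `a PT walk still faults at this point`. Minor: `anonymouse researcher` should be `anonymous researcher`.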
Line 143: Line 195:
=== Credits ===
=== Credits ===


* sleirsgoevy for proposing it in a PS4 kernel exploit since System Software version 6.51.
* sleirsgoevy for proposing it in PS4 kernel exploit since System Software version 6.51.
* Specter for adapting it to PS5 and explaining it.
* Specter for adapting it to PS5 and explaining it.


Line 176: Line 228:


'''No''' in PS5 FW 4.51.
'''No''' in PS5 FW 4.51.
----
== Syscall Page Table UaF ==
=== Credits ===
* Discovered by an anonymous researcher (0-day, undisclosed)
=== Bug Description ===
A bug in the * syscalls allows a user to free the Page Table (PT) of a User Virtual Address (UVA). pmap_unuse_pt clears the PTE of a UVA and unwires the PT page and the pages of the associated higher level PTs. If the wire count of a page drops to 0, it gets freed. The function does not clear any entry in the higher levels. This is perfectly safe even when the PT page is freed since the entries got cleared so a PT walk will still fault.
A user may map a UVA, free its lowest level PT page, then spray kernel VAs whose indices match the UVA's. Since the PT page is freed, a PDE backing a KVA will eventually reuse it. We in turn have a UVA and a KVA pointing to the same physical memory. This can be used to gain stable kernel R/W access.
* which syscalls, mr zeco asks to random anonymous user?
=== Patched ===
'''Not yet'''
----
----


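Review bot: this hunk shows the undo restoring `== Syscall Page Table UaF ==` while the Latest revision carries the same write-up under `== Page Table Page UaF ==` at the top of the Kernel section; only one copy should exist, and the Latest revision's wording is the cleaner of the two. The bullet `* which syscalls, mr zeco asks to random anonymous user?` is an editorial question inside the article body and belongs on the talk page, not in the vulnerability description. Also `'''Not yet'''` drops the period the other side has, and the two consecutive `----` rules produce a double separator.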