Editing Vulnerabilities
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
= | = Usermode = | ||
== | == BD-J exploits == | ||
=== FW <= 7.61 - BD-JB2 - Path traversal sandbox escape by TheFloW === | === FW <= 7.61 - BD-JB2 - Path traversal sandbox escape by TheFloW === | ||
See [ | See [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_%3C=10.71_-_BD-JB2_-_Path_traversal_sandbox_escape_by_TheFloW]. | ||
==== Patched ==== | ==== Patched ==== | ||
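Review bot: the `See [https://...]` line in the BD-JB2 entry is a bare bracketed link, which MediaWiki renders as an anonymous numbered link ([1]) instead of a readable label; the savedata entries further down this page use the form `See [https://... PS4 Dev Wiki].`, so give this link (and the matching BD-JB `See [` line in the next hunk) the same `PS4 Dev Wiki` label for consistency.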
Line 37: | Line 13: | ||
=== FW <= 4.51 - BD-JB - Five vulnerabilities chained by TheFloW === | === FW <= 4.51 - BD-JB - Five vulnerabilities chained by TheFloW === | ||
See [ | See [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_%3C=9.00_-_BD-JB_-_Five_vulnerabilities_chained_by_TheFloW]. | ||
==== Implementations ==== | ==== Implementations ==== | ||
Line 50: | Line 26: | ||
'''Yes''' partially on PS5 FWs > 4.50 (need to test). Probably unpatched on FW 4.51 and patched on FW 5.00. | '''Yes''' partially on PS5 FWs > 4.50 (need to test). Probably unpatched on FW 4.51 and patched on FW 5.00. | ||
== | == WebKit exploits == | ||
Contrarly to PS4, on PS5 WebKit exploit usually do not allow arbitrary RW to usermode code sections because of PS5 memory protections (notably XOM). However thanks to leaks of usermode libraries .text section binaries, by other sort of vulnerabilities, and to RW access to WebKit .data section allowed by the WebKit exploit, it is possible to trigger usermode ROP code execution. | |||
=== Modal Browser HTTPS Bypass === | === Modal Browser HTTPS Bypass === | ||
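Review bot: the Patched line of the BD-JB entry contradicts both itself and the heading: `FW <= 4.51` and `Probably unpatched on FW 4.51` say 4.51 is affected, while `'''Yes''' partially on PS5 FWs > 4.50` says 4.51 (which is > 4.50) is patched; state the boundary once, e.g. `Probably unpatched on FW 4.51 and patched on FW 5.00 (need to test).` In the new WebKit intro paragraph, `Contrarly` should be `Contrary`, `WebKit exploit usually do not allow` should be `WebKit exploits usually do not allow`, and `by other sort of vulnerabilities` reads better as `obtained through other kinds of vulnerabilities`.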
Line 61: | Line 37: | ||
'''No''' as of PS5 FW 5.10. | '''No''' as of PS5 FW 5.10. | ||
=== FW 6.00-9.60 - Unknown heap and string overflow (no CVE) leading to crash === | |||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00?-11.52_-_Unknown_heap_and_string_overflow_(no_CVE)_leading_to_crash]. | |||
==== Patched ==== | |||
'''Yes''' on PS4 FW 12.00 and PS5 FW 10.00. | |||
==== Tested ==== | |||
Tested and working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60. | |||
=== Untested - mmap issue involving pointer address misalignment leading to nothing for now === | |||
==== Credits ==== | |||
* Jasmine, working for Sony, for information through a WebKit commit (2022-10-19) | |||
==== Analysis ==== | |||
* https://bugs.webkit.org/show_bug.cgi?id=246763 | |||
==== Bug Description ==== | |||
There is a mmap issue involving pointer address misalignment because of a failing assert [https://github.com/WebKit/WebKit/blob/main/Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.cpp#L94 here]. A workaround is to set HAVE_MAP_ALIGNED flag as OFF in OptionsPlayStation.cmake: [https://github.com/WebKit/WebKit/commit/626585db9857b7630cf34d82f9a0555720f15bca]. This workaround can be reverted after the mmap issue is resolved. Currently, the workaround is still enabled: [https://github.com/WebKit/WebKit/blob/ab2fff92b37e52d6c65e215b155e6b92f1646954/Source/cmake/OptionsPlayStation.cmake#L251] | |||
OptionsPlayStation.cmake is present in the PS4 11.00 OSS WebKit source code but does not contain the HAVE_MAP_ALIGNED flag, and according to dates, this might concern only the PS5. | |||
==== Exploit Implementation ==== | |||
==== Patched ==== | |||
'''Maybe''' | |||
==== Tested ==== | |||
Not tested yet on PS4 nor PS5. | |||
---- | |||
=== FW ?6.00-9.60? - get_by_id_with_this associated with ProxyObject can leak JSScope objects === | === FW ?6.00-9.60? - get_by_id_with_this associated with ProxyObject can leak JSScope objects === | ||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_get_by_id_with_this_associated_with_ProxyObject_can_leak_JSScope_objects]. | See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_get_by_id_with_this_associated_with_ProxyObject_can_leak_JSScope_objects]. | ||
=== FW ?6.00-9.60? - Immediate overflow/underflow in JSC SBFX (CVE-2024-27833) leading to arbitrary code execution === | |||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00-11.52?_-_Immediate_overflow/underflow_in_JSC_SBFX_(CVE-2024-27833)_leading_to_arbitrary_code_execution]. | |||
=== FW ?6.00?-9.60 - Unknown heap and string overflow (no CVE) leading to crash === | |||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00?-11.52_-_Unknown_heap_and_string_overflow_(no_CVE)_leading_to_crash]. | |||
==== Patched ==== | ==== Patched ==== | ||
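Review bot: the sections inserted between the `get_by_id_with_this` entry's `See also` line and the unchanged `==== Patched ====` that follows detach that entry's Patched/Tested subsections from it; after this edit they sit under the second `Unknown heap and string overflow` heading instead. Move the SBFX (CVE-2024-27833) and heap-overflow entries to after the `get_by_id_with_this` Patched/Tested block. The heap-overflow entry also appears twice in this hunk, once as `FW 6.00-9.60` with its own Patched/Tested subsections and once as `FW ?6.00?-9.60` with none; keep a single copy with one FW range. The mmap/`HAVE_MAP_ALIGNED` entry has an empty `==== Exploit Implementation ====` subsection and a trailing `----` rule that no other entry uses; drop both, or fill the subsection with `Nothing yet.` as the PS4 emulator section does.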
Line 78: | Line 101: | ||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_Integer_underflow_in_JSC_genericTypedArrayViewProtoFuncCopyWithin_(CVE-2023-38600)]. | See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_Integer_underflow_in_JSC_genericTypedArrayViewProtoFuncCopyWithin_(CVE-2023-38600)]. | ||
=== | === FW ?6.00-8.60? - JSC::DFG::clobberize() needs to be more precise with the *ByOffset nodes (CVE-2023-41993) leading to arbitrary RW === | ||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00-11.02?_-_JSC::DFG::clobberize()_needs_to_be_more_precise_with_the_*ByOffset_nodes_(CVE-2023-41993)_leading_to_arbitrary_RW]. | |||
=== FW | === FW 6.00-8.60 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to arbitrary RW === | ||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities# | See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_10.00-11.02_-_JSC_DFG_Abstract_Intepreter_clobberWorld_Type_Confusion_(no_CVE)_leading_to_arbitrary_RW]. | ||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' on PS4 FW | '''Yes''' on PS4 FW 11.50 and PS5 FW 9.00. | ||
==== Tested ==== | ==== Tested ==== | ||
Tested and working on PS4 FWs | Tested and working on PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60. | ||
=== FW <= 5.50 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW === | === FW <= 5.50 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW === | ||
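Review bot: the new `JSC::DFG::clobberize() ... (CVE-2023-41993)` entry carries only a `See also` line, while every neighbouring WebKit entry has `==== Patched ====` and `==== Tested ====` subsections; add them, with `Unknown` / `Not tested yet` if that is the state. `Abstract Intepreter` in the clobberWorld heading is misspelled (`Interpreter`); the anchor in its `See also` link carries the same spelling, so correct the heading here but leave the anchor untouched unless the PS4 page's heading is corrected too, since the anchor must match that heading exactly.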
Line 126: | Line 145: | ||
Tested and working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.51. Untested: PS5 FWs 2.10-2.70 and >=5.00. | Tested and working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.51. Untested: PS5 FWs 2.10-2.70 and >=5.00. | ||
== Game savedata exploits == | |||
=== PS1 games savedata exploits === | |||
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS1_games_savedata_exploits PS4 Dev Wiki]. | |||
=== PS2 game savedata exploits === | |||
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS2_games_savedata_exploits PS4 Dev Wiki]. | |||
=== PSP games savedata exploits === | |||
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PSP_games_savedata_exploits PS4 Dev Wiki]. | |||
=== PS4/PS5 PS2emu sandbox escape (mast1c0re) === | |||
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS4.2FPS5_PS2emu_sandbox_escape_.28mast1c0re.29 PS4 Dev Wiki]. | |||
=== PS4/PS5 game savedata LUA exploit === | |||
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS4/PS5_game_savedata_LUA_exploit PS4 Dev Wiki]. | |||
== PS4 emulator exploits == | |||
Nothing yet. | |||
== Usermode securities == | == Usermode securities == | ||
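Review bot: `=== PS2 game savedata exploits ===` is inconsistent with the neighbouring `PS1 games` and `PSP games` headings, and the anchor it links to is `PS2_games_savedata_exploits`; rename it `PS2 games savedata exploits`. In the `LUA exploit` heading, Lua is a name rather than an acronym, so `Lua` is the conventional spelling for the heading text (the link anchor can keep `LUA` if that is what the PS4 page uses).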
Line 189: | Line 234: | ||
A user may map a UVA, free its lowest level PT page, then spray kernel VAs whose indices match the UVA's. Since the PT page is freed, a PDE backing a KVA will eventually reuse it. We in turn have a UVA and a KVA pointing to the same physical memory. This can be used to gain stable kernel R/W access. | A user may map a UVA, free its lowest level PT page, then spray kernel VAs whose indices match the UVA's. Since the PT page is freed, a PDE backing a KVA will eventually reuse it. We in turn have a UVA and a KVA pointing to the same physical memory. This can be used to gain stable kernel R/W access. | ||
=== Patched === | === Patched === |