Editing Vulnerabilities


Latest revision Your text
Line 5: Line 5:
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS1_games_savedata_exploits PS4 Dev Wiki].
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS1_games_savedata_exploits PS4 Dev Wiki].


=== PS2 games savedata exploits ===
=== PS2 game savedata exploits ===


See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS2_games_savedata_exploits PS4 Dev Wiki].
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS2_games_savedata_exploits PS4 Dev Wiki].
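Review bot: Renaming the heading from "PS2 games savedata exploits" to "PS2 game savedata exploits" changes this page's section anchor, so any existing link to #PS2_games_savedata_exploits on this wiki stops resolving, while the "See" line directly beneath still targets the PS4 wiki's #PS2_games_savedata_exploits anchor, leaving the two wikis with different anchor names for the same section. Suggest keeping the old heading, or updating every inbound link at the same time.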
Line 17: Line 17:
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS4.2FPS5_PS2emu_sandbox_escape_.28mast1c0re.29 PS4 Dev Wiki].
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS4.2FPS5_PS2emu_sandbox_escape_.28mast1c0re.29 PS4 Dev Wiki].


=== PS4/PS5 game savedata Lua exploit ===
=== PS4/PS5 game savedata LUA exploit ===


See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS4/PS5_game_savedata_Lua_exploit PS4 Dev Wiki].
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS4/PS5_game_savedata_LUA_exploit PS4 Dev Wiki].


=== PS5 PS4emu sandbox escape ===
=== PS5 PS4emu sandbox escape ===
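Review bot: "Lua" is the language's proper name, not an acronym, so changing the heading to "PS4/PS5 game savedata LUA exploit" and the link fragment to "#PS4/PS5_game_savedata_LUA_exploit" is a regression on both lines; the fragment is generated from the PS4 wiki's own heading, so the link only works if that page was renamed to "LUA" as well. Suggest reverting both lines to the latest-revision spelling.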
Line 29: Line 29:
=== FW <= 7.61 - BD-JB2 - Path traversal sandbox escape by TheFloW ===
=== FW <= 7.61 - BD-JB2 - Path traversal sandbox escape by TheFloW ===


See [{{ps4wikiurl}}Vulnerabilities#FW_&#60;=_10.71_-_BD-JB2_-_Path_traversal_sandbox_escape_by_TheFloW FW <= 10.71 - BD-JB2 - Path traversal sandbox escape by TheFloW].
See [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_%3C=10.71_-_BD-JB2_-_Path_traversal_sandbox_escape_by_TheFloW].


==== Patched ====
==== Patched ====
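Review bot: The replacement link drops the underscore between "<=" and "10.71" ("FW_%3C=10.71" where the latest revision had "FW_&#60;=_10.71"), so the fragment no longer matches a heading of the form "FW <= 10.71 - BD-JB2 - ..." and will land at the top of the target page; it also removes the link label, so the wiki renders a bare numbered external link, and it hard-codes the host that the {{ps4wikiurl}} template exists to centralise. Suggest keeping the template and label and writing the fragment exactly as in the latest revision.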
Line 37: Line 37:
=== FW <= 4.51 - BD-JB - Five vulnerabilities chained by TheFloW ===
=== FW <= 4.51 - BD-JB - Five vulnerabilities chained by TheFloW ===


See [{{ps4wikiurl}}Vulnerabilities#FW_&#60;=_9.00_-_BD-JB_-_Five_vulnerabilities_chained_by_TheFloW FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW].
See [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_%3C=9.00_-_BD-JB_-_Five_vulnerabilities_chained_by_TheFloW].


==== Implementations ====
==== Implementations ====
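Review bot: Same problem as the BD-JB2 link above: "FW_%3C=9.00" is missing the underscore after "<=" that the latest revision's "FW_&#60;=_9.00" has, the "FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW" label is dropped, and the {{ps4wikiurl}} template is replaced by a hard-coded URL. Suggest restoring the latest-revision line.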
Line 52: Line 52:
==  Usermode Exploits (WebKit) ==
==  Usermode Exploits (WebKit) ==


Contrarily to PS4, on PS5, a WebKit exploit usually do not allow arbitrary read/write to usermode code sections because of PS5 memory protections (notably XOM). However thanks to leaks of usermode libraries .text section binaries, by other sort of vulnerabilities, and to RW access to WebKit .data section allowed by the WebKit exploit, it is possible to trigger usermode ROP code execution.
Contrarly to PS4, on PS5, a WebKit exploit usually do not allow arbitrary read/write to usermode code sections because of PS5 memory protections (notably XOM). However thanks to leaks of usermode libraries .text section binaries, by other sort of vulnerabilities, and to RW access to WebKit .data section allowed by the WebKit exploit, it is possible to trigger usermode ROP code execution.


=== Modal Browser HTTPS Bypass ===
=== Modal Browser HTTPS Bypass ===
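Review bot: "Contrarily" is the correct spelling; the edit changes it to "Contrarly" and leaves the existing subject-verb error "a WebKit exploit usually do not allow" untouched. Suggest "Contrary to the PS4, on the PS5 a WebKit exploit usually does not allow arbitrary read/write to usermode code sections ... by other sorts of vulnerabilities ..." so the paragraph is fixed rather than further degraded.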
Line 61: Line 61:


'''No''' as of PS5 FW 5.10.
'''No''' as of PS5 FW 5.10.
=== FW 6.00-9.60 - Unknown heap and string overflow (no CVE) leading to crash ===
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00?-11.52_-_Unknown_heap_and_string_overflow_(no_CVE)_leading_to_crash].
==== Patched ====
'''Yes''' on PS4 FW 12.00 and PS5 FW 10.00.
==== Tested ====
Tested and working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60.
=== Untested - mmap issue involving pointer address misalignment leading to nothing for now ===
==== Credits ====
* Jasmine, working for Sony, for information through a WebKit commit (2022-10-19)
==== Analysis ====
* https://bugs.webkit.org/show_bug.cgi?id=246763
==== Bug Description ====
There is a mmap issue involving pointer address misalignment because of a failing assert [https://github.com/WebKit/WebKit/blob/main/Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.cpp#L94 here]. A workaround is to set HAVE_MAP_ALIGNED flag as OFF in OptionsPlayStation.cmake: [https://github.com/WebKit/WebKit/commit/626585db9857b7630cf34d82f9a0555720f15bca]. This workaround can be reverted after the mmap issue is resolved. Currently, the workaround is still enabled: [https://github.com/WebKit/WebKit/blob/ab2fff92b37e52d6c65e215b155e6b92f1646954/Source/cmake/OptionsPlayStation.cmake#L251]
OptionsPlayStation.cmake is present in the PS4 11.00 OSS WebKit source code but does not contain the HAVE_MAP_ALIGNED flag, and according to dates, this might concern only the PS5.
==== Exploit Implementation ====
==== Patched ====
'''Maybe'''
==== Tested ====
Not tested yet on PS4 nor PS5.
----


=== FW ?6.00-9.60? - get_by_id_with_this associated with ProxyObject can leak JSScope objects ===
=== FW ?6.00-9.60? - get_by_id_with_this associated with ProxyObject can leak JSScope objects ===


See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_get_by_id_with_this_associated_with_ProxyObject_can_leak_JSScope_objects].
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_get_by_id_with_this_associated_with_ProxyObject_can_leak_JSScope_objects].
=== FW ?6.00-9.60? - Immediate overflow/underflow in JSC SBFX (CVE-2024-27833) leading to arbitrary code execution ===
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00-11.52?_-_Immediate_overflow/underflow_in_JSC_SBFX_(CVE-2024-27833)_leading_to_arbitrary_code_execution].
=== FW ?6.00?-9.60 - Unknown heap and string overflow (no CVE) leading to crash ===
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00?-11.52_-_Unknown_heap_and_string_overflow_(no_CVE)_leading_to_crash].


==== Patched ====
==== Patched ====
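Review bot: The "Unknown heap and string overflow (no CVE) leading to crash" section is added twice in this hunk, first as "FW 6.00-9.60" with Patched/Tested subsections and again as "FW ?6.00?-9.60" with only a "See also" line, and the two headings disagree on whether the 6.00 lower bound is confirmed; keep one copy with the status lines and the range the Tested line supports (PS5 FWs 6.00-9.60). In the "Untested - mmap issue" section the "==== Exploit Implementation ====" heading is empty and "Patched" reads "'''Maybe'''" with no firmware version; either fill these in or drop the empty heading until there is content. The description itself says the failing StructureAlignedMemoryAllocator assert and HAVE_MAP_ALIGNED workaround lead "to nothing for now", so consider whether it belongs under "Usermode Exploits (WebKit)" or under a notes section.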
Line 78: Line 125:
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_Integer_underflow_in_JSC_genericTypedArrayViewProtoFuncCopyWithin_(CVE-2023-38600)].
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_Integer_underflow_in_JSC_genericTypedArrayViewProtoFuncCopyWithin_(CVE-2023-38600)].


==== Patched ====
=== FW ?6.00-8.60? - JSC::DFG::clobberize() needs to be more precise with the *ByOffset nodes (CVE-2023-41993) leading to arbitrary RW ===


'''Yes''' on PS4 FW 11.50 and PS5 FW 9.00.
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00-11.02?_-_JSC::DFG::clobberize()_needs_to_be_more_precise_with_the_*ByOffset_nodes_(CVE-2023-41993)_leading_to_arbitrary_RW].


==== Tested ====
=== FW 6.00-8.60 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to arbitrary RW ===


Tested and working on PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60.
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_10.00-11.02_-_JSC_DFG_Abstract_Intepreter_clobberWorld_Type_Confusion_(no_CVE)_leading_to_arbitrary_RW].
 
=== FW <= 7.61 - CloneDeserializer::deserialize() UaF (CVE-2023-28205) leading to arbitrary RW ===
 
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_%3F6.00-11.00%3F_-_CloneDeserializer%3A%3Adeserialize%28%29_UaF_%28CVE-2023-28205%29_leading_to_arbitrary_RW].


==== Patched ====
==== Patched ====


'''Yes''' on PS4 FW ?11.00? and PS5 FW ?8.00?.
'''Yes''' on PS4 FW 11.50 and PS5 FW 9.00.


==== Tested ====
==== Tested ====


Tested and working on PS4 FWs ? and PS5 FWs 6.00-7.61.
Tested and working on PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60.


=== FW <= 5.50 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW ===
=== FW <= 5.50 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW ===
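Review bot: This hunk replaces the "Patched" ("'''Yes''' on PS4 FW 11.50 and PS5 FW 9.00") and "Tested" ("PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60") subsections that followed the CVE-2023-38600 "See also" line with new headings for CVE-2023-41993 and the clobberWorld type confusion, so CVE-2023-38600 loses its status lines. Further down, the Patched/Tested values that now sit after "=== FW <= 7.61 - CloneDeserializer::deserialize() UaF (CVE-2023-28205) ===" read "PS5 FW 9.00" and "PS5 FWs 6.00-8.60", which contradict the "<= 7.61" bound that the latest revision's "?8.00?" and "6.00-7.61" matched. Suggest re-checking the section order so each Patched/Tested pair sits directly under its own vulnerability heading. Also "Intepreter" in the clobberWorld heading should be "Interpreter", but the PS4 wiki fragment on the following line carries the same typo, so fix both together or neither.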
Line 189: Line 232:


A user may map a UVA, free its lowest level PT page, then spray kernel VAs whose indices match the UVA's. Since the PT page is freed, a PDE backing a KVA will eventually reuse it. We in turn have a UVA and a KVA pointing to the same physical memory. This can be used to gain stable kernel R/W access.
A user may map a UVA, free its lowest level PT page, then spray kernel VAs whose indices match the UVA's. Since the PT page is freed, a PDE backing a KVA will eventually reuse it. We in turn have a UVA and a KVA pointing to the same physical memory. This can be used to gain stable kernel R/W access.
* which syscalls, mr zeco asks to random anonymous user?


=== Patched ===
=== Patched ===
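Review bot: The added bullet "* which syscalls, mr zeco asks to random anonymous user?" is a question addressed to the author, not article content, and it breaks the flow between the UVA/KVA description and the "=== Patched ===" heading. Suggest moving it to the talk page, or replacing it with a concrete statement of which syscalls the mapping, free and spray steps use once that is known.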