Editing Vulnerabilities
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 5: | Line 5: | ||
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS1_games_savedata_exploits PS4 Dev Wiki]. | See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS1_games_savedata_exploits PS4 Dev Wiki]. | ||
=== PS2 | === PS2 game savedata exploits === | ||
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS2_games_savedata_exploits PS4 Dev Wiki]. | See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS2_games_savedata_exploits PS4 Dev Wiki]. | ||
Line 17: | Line 17: | ||
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS4.2FPS5_PS2emu_sandbox_escape_.28mast1c0re.29 PS4 Dev Wiki]. | See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS4.2FPS5_PS2emu_sandbox_escape_.28mast1c0re.29 PS4 Dev Wiki]. | ||
=== PS4/PS5 game savedata | === PS4/PS5 game savedata LUA exploit === | ||
See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS4/ | See [https://www.psdevwiki.com/ps4/Vulnerabilities#PS4/PS5_game_savedata_LUA_exploit PS4 Dev Wiki]. | ||
=== PS5 PS4emu sandbox escape === | === PS5 PS4emu sandbox escape === | ||
Line 29: | Line 29: | ||
=== FW <= 7.61 - BD-JB2 - Path traversal sandbox escape by TheFloW === | === FW <= 7.61 - BD-JB2 - Path traversal sandbox escape by TheFloW === | ||
See [ | See [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_%3C=10.71_-_BD-JB2_-_Path_traversal_sandbox_escape_by_TheFloW]. | ||
==== Patched ==== | ==== Patched ==== | ||
Line 37: | Line 37: | ||
=== FW <= 4.51 - BD-JB - Five vulnerabilities chained by TheFloW === | === FW <= 4.51 - BD-JB - Five vulnerabilities chained by TheFloW === | ||
See [ | See [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_%3C=9.00_-_BD-JB_-_Five_vulnerabilities_chained_by_TheFloW]. | ||
==== Implementations ==== | ==== Implementations ==== | ||
Line 52: | Line 52: | ||
== Usermode Exploits (WebKit) == | == Usermode Exploits (WebKit) == | ||
Contrarly to PS4, on PS5, a WebKit exploit usually do not allow arbitrary read/write to usermode code sections because of PS5 memory protections (notably XOM). However thanks to leaks of usermode libraries .text section binaries, by other sort of vulnerabilities, and to RW access to WebKit .data section allowed by the WebKit exploit, it is possible to trigger usermode ROP code execution. | |||
=== Modal Browser HTTPS Bypass === | === Modal Browser HTTPS Bypass === | ||
Line 61: | Line 61: | ||
'''No''' as of PS5 FW 5.10. | '''No''' as of PS5 FW 5.10. | ||
=== FW 6.00-9.60 - Unknown heap and string overflow (no CVE) leading to crash === | |||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00?-11.52_-_Unknown_heap_and_string_overflow_(no_CVE)_leading_to_crash]. | |||
==== Patched ==== | |||
'''Yes''' on PS4 FW 12.00 and PS5 FW 10.00. | |||
==== Tested ==== | |||
Tested and working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60. | |||
=== Untested - mmap issue involving pointer address misalignment leading to nothing for now === | |||
==== Credits ==== | |||
* Jasmine, working for Sony, for information through a WebKit commit (2022-10-19) | |||
==== Analysis ==== | |||
* https://bugs.webkit.org/show_bug.cgi?id=246763 | |||
==== Bug Description ==== | |||
There is a mmap issue involving pointer address misalignment because of a failing assert [https://github.com/WebKit/WebKit/blob/main/Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.cpp#L94 here]. A workaround is to set HAVE_MAP_ALIGNED flag as OFF in OptionsPlayStation.cmake: [https://github.com/WebKit/WebKit/commit/626585db9857b7630cf34d82f9a0555720f15bca]. This workaround can be reverted after the mmap issue is resolved. Currently, the workaround is still enabled: [https://github.com/WebKit/WebKit/blob/ab2fff92b37e52d6c65e215b155e6b92f1646954/Source/cmake/OptionsPlayStation.cmake#L251] | |||
OptionsPlayStation.cmake is present in the PS4 11.00 OSS WebKit source code but does not contain the HAVE_MAP_ALIGNED flag, and according to dates, this might concern only the PS5. | |||
==== Exploit Implementation ==== | |||
==== Patched ==== | |||
'''Maybe''' | |||
==== Tested ==== | |||
Not tested yet on PS4 nor PS5. | |||
---- | |||
=== FW ?6.00-9.60? - get_by_id_with_this associated with ProxyObject can leak JSScope objects === | === FW ?6.00-9.60? - get_by_id_with_this associated with ProxyObject can leak JSScope objects === | ||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_get_by_id_with_this_associated_with_ProxyObject_can_leak_JSScope_objects]. | See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_get_by_id_with_this_associated_with_ProxyObject_can_leak_JSScope_objects]. | ||
=== FW ?6.00-9.60? - Immediate overflow/underflow in JSC SBFX (CVE-2024-27833) leading to arbitrary code execution === | |||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00-11.52?_-_Immediate_overflow/underflow_in_JSC_SBFX_(CVE-2024-27833)_leading_to_arbitrary_code_execution]. | |||
=== FW ?6.00?-9.60 - Unknown heap and string overflow (no CVE) leading to crash === | |||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00?-11.52_-_Unknown_heap_and_string_overflow_(no_CVE)_leading_to_crash]. | |||
==== Patched ==== | ==== Patched ==== | ||
Line 78: | Line 125: | ||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_Integer_underflow_in_JSC_genericTypedArrayViewProtoFuncCopyWithin_(CVE-2023-38600)]. | See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?6.00-11.52?_-_Integer_underflow_in_JSC_genericTypedArrayViewProtoFuncCopyWithin_(CVE-2023-38600)]. | ||
=== | === FW ?6.00-8.60? - JSC::DFG::clobberize() needs to be more precise with the *ByOffset nodes (CVE-2023-41993) leading to arbitrary RW === | ||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_?10.00-11.02?_-_JSC::DFG::clobberize()_needs_to_be_more_precise_with_the_*ByOffset_nodes_(CVE-2023-41993)_leading_to_arbitrary_RW]. | |||
=== | === FW 6.00-8.60 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to arbitrary RW === | ||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities#FW_10.00-11.02_-_JSC_DFG_Abstract_Intepreter_clobberWorld_Type_Confusion_(no_CVE)_leading_to_arbitrary_RW]. | |||
See also [https://www.psdevwiki.com/ps4/Vulnerabilities# | |||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' on PS4 FW | '''Yes''' on PS4 FW 11.50 and PS5 FW 9.00. | ||
==== Tested ==== | ==== Tested ==== | ||
Tested and working on PS4 FWs | Tested and working on PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60. | ||
=== FW <= 5.50 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW === | === FW <= 5.50 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW === | ||
Line 189: | Line 232: | ||
A user may map a UVA, free its lowest level PT page, then spray kernel VAs whose indices match the UVA's. Since the PT page is freed, a PDE backing a KVA will eventually reuse it. We in turn have a UVA and a KVA pointing to the same physical memory. This can be used to gain stable kernel R/W access. | A user may map a UVA, free its lowest level PT page, then spray kernel VAs whose indices match the UVA's. Since the PT page is freed, a PDE backing a KVA will eventually reuse it. We in turn have a UVA and a KVA pointing to the same physical memory. This can be used to gain stable kernel R/W access. | ||
=== Patched === | === Patched === |