Exploit Chains: Difference between revisions

From PS5 Developer wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 57: Line 57:
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]]
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]]
|N/A (PsFree must be ported based on ChendoChap's implementation of the 4.51 CSSFontFaceSet exploit)
| [https://github.com/PS5Dev/PS5-UMTX-Jailbreak WebKit implementation for PS5 1.00-2.70 chained with PS Free by Specter (2024-09-21)]
|Elf Loader
|Elf Loader
|-
|-
Line 65: Line 65:
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|WebKit [[Vulnerabilities#FW_6.00-8.60_-_JSC_DFG_Abstract_Intepreter_clobberWorld_Type_Confusion_(no_CVE)_leading_to_arbitrary_RW|clobberWorld]] or [[Vulnerabilities#FW_6.00-9.60_-_Unknown_heap_and_string_overflow_(no_CVE)_leading_to_crash|unknown heap and string overflow]]
|WebKit [[Vulnerabilities#FW_6.00-8.60_-_JSC_DFG_Abstract_Intepreter_clobberWorld_Type_Confusion_(no_CVE)_leading_to_arbitrary_RW|clobberWorld]] or [[Vulnerabilities#FW_6.00-9.60_-_Unknown_heap_and_string_overflow_(no_CVE)_leading_to_crash|unknown heap and string overflow]]
|N/A (WebKit exploit only giving OOM as of now)
|N/A (WebKit vulnerabilities only lead to OOM as of now)
|Elf Loader
|Elf Loader
|-
|-
Line 73: Line 73:
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|[[Vulnerabilities#FW_%3C=_7.61_-_BD-JB2_-_Path_traversal_sandbox_escape_by_TheFloW|BD-JB2]]
|[[Vulnerabilities#FW_%3C=_7.61_-_BD-JB2_-_Path_traversal_sandbox_escape_by_TheFloW|BD-JB2]]
|PoC by flatz
|JAVA PoC by flatz
|Native code execution within Blu-ray context
|Native code execution within Blu-ray context
|-
|-

Revision as of 22:06, 22 September 2024

This page presents a compilation of exploit chains that utilize various Vulnerabilities identified on the PS5. It outlines the current functionalities of different potential and complete exploit chains for specific firmware versions.

System Software Version Hardware requirement Hypervisor Exploit Kernel Exploit Usermode Exploit Exploit Chain Implementation Capability
<=2.50 none Rumored [1] No need for a kernel exploit any usermode exploit. Flatz uses a PS4 disc-based game save data exploit that hijacks the LUA interpreter. Unreleased by Flatz Full Access to the system, Platform Secure Processor dump
<=4.03 USB storage media N/A exFAT Driver Heap Exploit There is no implementation because of the difficulty in writing the exploit without a real-time kernel dump or at least kASLR defeat. The proof of concept is a kernel panic when plugging in the drive and using the console for about a minute. any usermode exploit N/A (PS4 uses pOOBs4 by ChendoChap) N/A
3.00-4.51 none N/A IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) WebKit loadInSameDocument need to mix Cryptogenic's Implementation and PsFree implementation by abc Elf Loader
3.00-4.51 none N/A IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) WebKit CSSFontFaceSet Cryptogenic's Implementation Elf Loader
3.00-4.51 BD reader for PS5 + BD writer + BD-RE N/A IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) BD-JB ps5-invoke-native by john-tornblom, bd-jb by TheFloW Native code execution within Blu-ray context

Here are some functions by john-tornblom

1.00-5.50 none N/A umtx UaF WebKit loadInSameDocument WebKit implementation for PS5 1.00-2.70 chained with PS Free by Specter (2024-09-21) Elf Loader
6.00-7.61 none N/A umtx UaF WebKit clobberWorld or unknown heap and string overflow N/A (WebKit vulnerabilities only lead to OOM as of now) Elf Loader
1.00-7.61 BD reader for PS5 + BD writer + BD-RE N/A umtx UaF BD-JB2 JAVA PoC by flatz Native code execution within Blu-ray context
1.00-7.61 vulnerable game in disc or PS Store version + exploit game save data on the SSD N/A umtx UaF PS4 disc-based game save data exploit that hijacks the LUA interpreter LUA PoC by flatz but the exploit game save data is missing Elf Loader