CTurt publishes new PS4 Kernel exploit details (sys_dynlib_prepare_dlclose PS4 kernel heap overflow)
Hacker CTurt, known for sharing a lot of his work on PS4 vulnerabilities and in particular on a PS4 kernel exploit, has today published a write-up of a new PS4 kernel vulnerability, a heap overflow.
The vulnerability was patched around firmware 2.00, so it will not help people hoping for a PS4 hack on the latest firmware, 3.15. CTurt also announced that he will not release a fully weaponized exploit and is only sharing the knowledge of how the vulnerability was exploited.
Still, this new article from CTurt brings some interesting information to the "end user":
First, it seems CTurt hasn't fully stopped working on the PS4, contrary to what he announced a few weeks ago. He is apparently actively working on the PS4 with other hackers such as Qwertyoruiop (a well-known hacker famous for his work on iOS, among other things).
Second, it seems there is plenty of potential for further exploits on the PS4. As Qwertyoruiop put it later in the day, there's a "ton of attack surface":
Sony is *** ***. Why would anyone do a kernel-mode dynamic linker? That’s literally a *** ton of attack surface..
— Luca Todesco (@qwertyoruiop) January 18, 2016
This seems to confirm what Fail0verflow stated a few weeks ago: "We also have no doubt that vulnerabilities in the latest firmware can be found without too much trouble."
The vulnerability itself lies in the function sys_dynlib_prepare_dlclose and in some of the internal calls it makes, such as copyin. copyin is the standard FreeBSD kernel routine for copying a buffer from user memory into kernel memory, and a copyin whose length is driven by untrusted input is a classic way for a kernel heap overflow to arise. Full details can be found in CTurt's article.
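To illustrate the bug class described above (a kernel handler whose copyin length is derived from untrusted user input, with a heap groom placing a victim object right after the overflowed chunk), here is an added C example. It is not CTurt's code and not the PS4 kernel's: the request struct, the MAX_HANDLES limit, the copyin_sim stand-in and the two-adjacent-chunk heap model are assumptions made for the demonstration, not details of sys_dynlib_prepare_dlclose. It shows the vulnerable shape next to the hardened one and checks whether the neighbouring chunk gets clobbered.

```c
/* Added illustration of the copyin heap-overflow bug class.
 * NOT the PS4 kernel code and NOT CTurt's exploit: every name and size here
 * is an assumption chosen for the demonstration. Builds with any C99 compiler. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HANDLES 16u   /* assumed capacity of the kernel-side handle array */

/* Toy "kernel heap": one flat slab holding two adjacent chunks, which is the
 * situation a heap groom tries to arrange. Chunk A is the handler's buffer;
 * chunk B stands for an unrelated neighbouring kernel object. */
#define SLAB_WORDS (2u * MAX_HANDLES)
typedef struct {
    uint32_t words[SLAB_WORDS];   /* words[0..15] = chunk A, words[16..31] = chunk B */
} kheap_t;

static uint32_t *chunk_a(kheap_t *h) { return h->words; }
static uint32_t *chunk_b(kheap_t *h) { return h->words + MAX_HANDLES; }

/* Stand-in for FreeBSD's copyin(9): copy len bytes from a user pointer into
 * kernel memory. The real one faults on bad user addresses; here that is
 * modelled by a NULL check only. Like the real one, it does not know how
 * large the destination is, so the caller's length is trusted completely. */
static int copyin_sim(const void *uaddr, void *kaddr, size_t len) {
    if (uaddr == NULL) return EFAULT;
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* Hypothetical user-supplied request block (assumed layout). */
struct handle_req {
    uint32_t count;              /* attacker-controlled element count */
    const uint32_t *handles;     /* attacker-controlled user pointer */
};

typedef int (*handler_fn)(kheap_t *, const struct handle_req *);

/* Vulnerable shape: the copy length is derived from count, but count is
 * never compared with the size of chunk A, so a large count overruns it. */
static int prepare_vuln(kheap_t *h, const struct handle_req *req) {
    size_t len = (size_t)req->count * sizeof(uint32_t);
    return copyin_sim(req->handles, chunk_a(h), len);
}

/* Hardened shape: bound count against the allocation before computing len.
 * Checking count (not len) also rules out the multiplication wrapping. */
static int prepare_fixed(kheap_t *h, const struct handle_req *req) {
    if (req->count > MAX_HANDLES) return EINVAL;
    size_t len = (size_t)req->count * sizeof(uint32_t);
    return copyin_sim(req->handles, chunk_a(h), len);
}

/* Drive one handler with an oversized request (count = 2*MAX_HANDLES) and
 * report whether chunk B was overwritten. *rc receives the handler's result.
 * Returns 1 if the neighbouring chunk was clobbered, 0 otherwise. */
static int neighbour_clobbered(handler_fn handler, int *rc) {
    static uint32_t user_buf[SLAB_WORDS];    /* constructed "user" input */
    kheap_t h;
    size_t i;

    memset(&h, 0, sizeof h);
    for (i = 0; i < SLAB_WORDS; i++) user_buf[i] = 0x41414141u;

    struct handle_req req;
    req.count = SLAB_WORDS;                  /* twice what chunk A can hold */
    req.handles = user_buf;
    *rc = handler(&h, &req);

    for (i = 0; i < MAX_HANDLES; i++)
        if (chunk_b(&h)[i] != 0) return 1;   /* attacker bytes reached chunk B */
    return 0;
}

int main(void) {
    int rc, hit;
    hit = neighbour_clobbered(prepare_vuln, &rc);
    printf("vulnerable: clobbered=%d rc=%d\n", hit, rc);
    hit = neighbour_clobbered(prepare_fixed, &rc);
    printf("hardened:   clobbered=%d rc=%d\n", hit, rc);
    return 0;
}
```

The vulnerable handler returns success while the second chunk is now full of attacker-chosen words; the hardened one rejects the request with EINVAL and leaves chunk B untouched. Where the overflowed neighbour holds something the kernel later trusts (a pointer, a length, a reference count), that overwrite is what turns a plain memory bug into a kernel exploit; what the real neighbour is on the PS4 is left to CTurt's article.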
What I find particularly interesting here is how FreeBSD serves as the experiment and debugging platform for CTurt's work. Hacking a console is usually done by running a debugger directly on the console, on a previously exploited firmware version, with that "first exploit" being the hard one (and, at times in the history of console hacking, involving illegally acquired dev units or SDKs). Here the work is done on a FreeBSD image compiled to be "as close as possible" to the version running on the PS4. This lets CTurt develop proofs of concept with all the comfort of his own computer, then adjust them on the real device. Security through obscurity is not a real defence, but from the hacking perspective, basing the PS4 system software on an open source OS clearly does not work in Sony's favour here.
A kernel exploit for the latest PS4 firmware, 3.15, would be invaluable for the PS4 scene right now, as it is the missing piece needed to run Fail0verflow's Linux port on the PS4.
We keep up to date details on the latest status of PS4 hacking on our PS4 Jailbreak page.
Source: CTurt on twitter, thanks to everyone who tipped me on this, including CTurt himself!
I hope this gets released soon, I have a brand new old PS4 on firmware 1.52. Getting itchy fingers.
This is at least a step in the right direction on Cturt’s part and again it is much appreciated. I believe we’ll get something big eventually but this is much better than just holding it back for themselves, I’m just curious if any of the other exploits are yet to be patched, which I have my doubts, but one can dream.
How is this a step in any direction? Some pretentious guy publishing media and no exploit. Same news as ever, drama queening: "Found,… no release,… gonna go,… new stuff,… no release, …". Hope a cool guy gets an exploit soon … this is annoying.
I would agree. The information on the page looks juicy. But in reality, there are problems using what's there without kernel access. It's basically like saying: "There is the best ice cream shop here up north. When you enter the city just go left then right, right" -> Which city is it though?
– “100 allocs so that the next two are next to each other” => depends on their (relatively exact) environment + no way to verify without kernel access
– “will be almost 4 times as large” => additional uncertainty + no way to verify without kernel access (despite what they say)
– everything is written a bit vaguely, flamboyantly (and chaotically). He tells a long chaotic story that has nothing to do with the end, and you have to filter it. I feel like I'm watching LoTR … You can figure it out, but it's yet again another stone and definitely not for somebody new to try (though with the right information it could be).
I am sure somebody can make it work (*sigh*), but yet again he's holding back artificially (but wants the fame) and meanwhile Sony is auditing their code and enabling a ***load of security they missed out on for the next firmware.
Pretty nice to know that, unlike what once seemed to be the case, CTurt is still continuing his work on the PS4.
Sure would be nice however if one could access the exploits without having to be on ancient firmwares.
Ah well, patience is a virtue.
Nice to see that CTurt is still working on the PS4. Hopefully we're able to play backups one day.
Any chance of this being exploitable on the Vita?
No, the Vita is even known to have better security than PS4
Slim chance, but I wouldn't say no chance at all. Both systems are heavily based on FreeBSD, so there may come a time when a vulnerability found on the PS4 could be ported to the Vita. Very slim chance, but one can dream I guess..
As I predicted, soon we will get a CFW, then a downgrader, but at the end of the day it was well worth holding back from updating the PS4 entirely!
I need PS2 and Dreamcast Emulator on PS4…for heavens sake release it already!
Same here, thanks to wololo's advice I managed to get a new PS4 on 1.75 FW, now just waiting for something to come up 😀
Does anyone know how to run the webkit exploit on a 1.75 without signing in to PSN to access the URL?
Under options there is a lifebelt icon which is used to visit a support page. Redirect the page from your router to your PC.
or access the file browser
soon, PS4 running PS2 Native, and maybe PS3 ISO too.
yeaaah ho hot hot and f1ng coooooooooool
Wololo, should I wait to update my console? Because I am waiting; I did not update to the 3.15 version. Is there a chance that any exploit will be released in the next weeks?
Is this guy for real? Does he work for SONY?????? Detailing the exploits before releasing them, for Sony to patch. What ***. Someone release CFW so this idiot stops posting all his C R A P
Surely you’ve missed the part at the *very top* of the article that explains the exploit was already patched a very long time ago, in firmware 2.xx?
I'm talking about CFW 1.76. Anyone above 1.76 will be waiting forever to run CFW.
It'd be cool to have everything under the PS4 hood: SteamOS, Remix OS and of course all the retro emulators, including Dolphin. A bit of a wish list, but it needs the experts' help.