CTurt publishes new PS4 Kernel exploit details (sys_dynlib_prepare_dlclose PS4 kernel heap overflow)
Hacker CTurt, known for sharing lots of his work on PS4 vulnerabilities and in particular a PS4 Kernel exploit, has published today explanations on a new PS4 Kernel vulnerability, involving a heap overflow.
The exploit has been patched around firmware 2.00, so it will not be useful for people expecting a PS4 hack on the latest firmware 3.15. Cturt also announced that he will not release a fully weaponized exploit, and is just sharing the knowledge on how the vulnerability was exploited.
But this new article from CTurt brings some interesting information to the “end user”:
First, CTurt hasn’t fully stopped working on the PS4 it seems, unlike what he announced a few weeks ago. He’s apparently actively working on the PS4 with other hackers such as Qwertyoruiop (a well know hacker famous for his work on iOS, among other things).
Second, it seems there are lots of potential exploits on the PS4. As Qwertyoruiop stated later in the day: there’s a “ton of attack surface..”
Sony is *** ***. Why would anyone do a kernel-mode dynamic linker? That’s literally a *** ton of attack surface..
— Luca Todesco (@qwertyoruiop) January 18, 2016
This seems to confirm what Fail0verflow stated a few weeks ago: “We also have no doubt that vulnerabilities in the latest firmware can be found without too much trouble”
The exploit itself lies in function sys_dynlib_prepare_dlclose and some of its internal calls such as copyin. Full details can be found in CTurt’s article.
What I find particularly interesting here is how FreeBSD is pretty much used as the experiment and debugging tool for Cturt’s work. Hacking a console is often done through running a debugger directly on the console, on a formerly exploited version of the firmware, with the “first exploit” being the hard one (and sometimes, throughout the history of hacking, involving illegally acquired dev units or SDKs). Here the work is done on a FreeBSD image that’s been compiled to be “as close as possible” to the version running on the PS4. This lets CTurt work on proof of concepts with all the comfort of his computer, and then tweak them on the real device. Although I know security through obscurity is not great, it seems here that using an open source OS as the base for the PS4 System is not in favor of Sony from the hacking perspective.
A Kernel exploit released on the latest PS4 firmware 3.15 would be invaluable for the PS4 scene right now, as it is the key component missing to running the linux port on the PS4 from Fail0verflow.
We keep up to date details on the latest status of PS4 hacking on our PS4 Jailbreak page.
Source: CTurt on twitter, thanks to everyone who tipped me on this, including CTurt himself!