Did PS4 Hacker CTurt just drop a big hint to the scene?
CTurt is the hacker behind the badIRET and dlclose exploits, the only two publicly known kernel exploits on the PS4 so far. These exploits, in particular dlclose, are currently being used by owners of 1.76 PS4 consoles to run Linux and other cool stuff.
CTurt has been a bit distant from PS4 exploitation since releasing these vulnerabilities, but he has been actively working on finding bugs in FreeBSD, the operating system running on the PS4. Although he no longer talks directly about the PS4 on his blog, one can’t help but be intrigued whenever he mentions his work on FreeBSD.
Yesterday, the famous hacker blogged about new vulnerabilities he has found in the FreeBSD compatibility layers. These are stack disclosure vulnerabilities, meaning they let an attacker read potentially sensitive information from memory. Although they do not constitute an exploit on their own, they can be chained with other vulnerabilities to grant an attacker further access. Those interested in the full technical explanation can read CTurt’s article on his blog.
In particular, CTurt mentions that these can be used to leak information from the stack guard, potentially allowing it to be bypassed. Those of you who have been following the scene closely will probably remember a libxml2 vulnerability revealed recently that was deemed useless because of stack protection. Specifically, we wrote:
FreeBSD has had Stack Protector baked in since FreeBSD 8.0, meaning that this vulnerability (if confirmed on PS4) would be useless on its own (Unless some other exploit could help bypass stack protection?).
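As an illustration of the stack disclosure pattern described above (an added example, not code from this page or from CTurt's FreeBSD work): a kernel routine that copies a partially initialised stack struct to user space also ships the padding bytes, which still hold whatever the stack contained before, and zeroing the object first closes that gap. The `compat_rec` layout, the `fake_copyout` stand-in for the kernel's copyout() and the `audit` helper are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record type: on LP64 the compiler pads after `mode` and after
 * `uid`; copying the whole struct out of the kernel copies those gaps too. */
struct compat_rec { uint8_t mode; uint64_t size; uint16_t uid; uint64_t mtime; };

/* Stand-in for the kernel's copyout(): kernel stack -> user buffer. */
static void fake_copyout(const void *ksrc, void *udst, size_t n) { memcpy(udst, ksrc, n); }

/* Leaky pattern: every field is assigned but the padding is not, so whatever
 * the stack held before (possibly a canary) travels to user space. */
void fill_leaky(unsigned char *user_buf) {
    struct compat_rec r;
    r.mode = 0x1a; r.size = 4096; r.uid = 1000; r.mtime = 1464739200;
    fake_copyout(&r, user_buf, sizeof r);
}

/* Hardened pattern: zero the whole object before assigning fields. */
void fill_hardened(unsigned char *user_buf) {
    struct compat_rec r;
    memset(&r, 0, sizeof r);
    r.mode = 0x1a; r.size = 4096; r.uid = 1000; r.mtime = 1464739200;
    fake_copyout(&r, user_buf, sizeof r);
}

/* Audit helper: count non-zero bytes inside the padding regions, i.e. bytes
 * carrying stale stack contents rather than field data. */
size_t nonzero_padding_bytes(const unsigned char *buf) {
    const size_t gaps[2][2] = {
        { offsetof(struct compat_rec, mode) + sizeof(uint8_t),  offsetof(struct compat_rec, size)  },
        { offsetof(struct compat_rec, uid)  + sizeof(uint16_t), offsetof(struct compat_rec, mtime) },
    };
    size_t n = 0;
    for (int g = 0; g < 2; g++)
        for (size_t i = gaps[g][0]; i < gaps[g][1]; i++)
            n += (buf[i] != 0);
    return n;
}

/* Run one filler into a fresh "user" buffer and report stale padding bytes. */
size_t audit(void (*filler)(unsigned char *)) {
    unsigned char user_buf[sizeof(struct compat_rec)];
    filler(user_buf);
    return nonzero_padding_bytes(user_buf);
}
```

What `audit(fill_leaky)` reports depends on what the stack held beforehand, which is exactly why such bugs are hard to spot by testing; `audit(fill_hardened)` is always zero.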
Doesn’t this look like an interesting coincidence to you? Or is it likely that CTurt is sending a red blinking signal to the PS4 scene?
It is of course a long way from a security article on FreeBSD to claiming victory over the PS4 3.50. Hackers would need to confirm that the FreeBSD implementation on the PS4 actually uses the compatibility layers, then port CTurt’s proof of concept to the PS4, and then couple that with an actual stack overflow… Easy as pie?
Update from Wololo: unfortunately, CTurt has confirmed on Twitter that the compatibility layers are *not* available in the PS4’s FreeBSD implementation:
@frwololo Nope. The compatibility layers aren’t enabled in PS4 kernel…
— CTurt (@CTurtE) June 1, 2016