PS4 File Browser released – CTurt updates his PS4 Playground tools
Hacker CTurt has updated his PS4-Playground tools for the PS4, and has just added a PS4 File Browser to them.
You might remember the PS4 Webkit exploit on firmware 1.76 (which was leveraging the same Webkit vulnerability as a similar PS Vita exploit). Hackers have been digging into this vulnerability over the past 10 months, and the PS4 File Browser is one of the tools resulting from the research.
PS4 File Browser
The PS4 File Browser released by CTurt lets users on PS4 firmware 1.76 browse the PS4’s filesystem. Although this will not be useful to most people, and not all directories/files can actually be accessed, he mentions that it lets you read save files and trophies, among other things.
The filesystem and the known directories/files on the PS4 were documented on psdevwiki almost a year ago, but this is a useful tool to get visual confirmation directly from the PS4’s browser.
CTurt has a live demo of the PS4 File Browser (and the whole set of tools, PS4-Playground) up and running, which you can try directly from your own PS4’s browser (this will let you browse your own console’s files). Keep in mind that this is for firmwares 1.76 and lower. Trying it on any other device, or on an older firmware, will most likely give you an error on the page.
CTurt credits SKFU, droogie, Xerpi, Hunger, Takezo, nas, and Proxima for the work involved in PS4 Playground.
What does this mean for the future of PS4 hacks?
For those of you who equate every new release with a hack: PS4 File Browser is a nice tool, but is not a new hack whatsoever.
Most people on PS4 have moved on to more recent firmwares. The upcoming PS4 Firmware 3.00 has a lot of juicy features, and I doubt many people are still on 1.76 today. But that is not the goal of the ongoing research: anything that gets found through reverse engineering on 1.76 could be used on future firmwares, assuming new entry points for attacks are found. CTurt actually has an in-depth article about his findings on the PS4. It’s a great read.
Those of you who can’t read a lengthy piece of tech will want to scroll down to the “Kernel exploits” section, which provides some cool details on what could be coming to us:
It makes little sense trying to look for new vulnerabilities in the FreeBSD 9.0 kernel source code because since its release in 2012, several kernel exploits have already been found, which the PS4 could potentially be vulnerable to.
One vulnerability which looks easy to try is using the getlogin system call to leak a small amount of kernel memory.
The getlogin system call is intended to copy the login name of the current session to userland memory, however, due to a bug, the whole buffer is always copied, and not just the size of the name string. This means that we can read some uninitialised data from the kernel, which might be of some use.
So the browser is executed as root! That was unexpected.
But more interestingly, the memory leaked looks like a pointer to something in the kernel, which is always the same each time the chain is run; this is evidence to support Yifanlu’s claims that the PS4 has no Kernel ASLR!
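To make the over-copy bug CTurt describes concrete, here is an added C model of it (not CTurt's code and not the FreeBSD kernel source): a simulated session login buffer, a "leaky" getlogin that copies the caller's whole requested length, and a hardened form that copies only the string and its terminator. The buffer size of 17 matches FreeBSD 9's MAXLOGNAME; the stale bytes after the name are constructed sample data.

```c
#include <stddef.h>
#include <string.h>

#define MAXLOGNAME 17  /* FreeBSD 9 value: 16 characters plus NUL */

/* Constructed stand-in for the kernel's session login buffer: the name
 * "root" followed by stale bytes left behind by earlier use of the memory. */
static const char kernel_login[MAXLOGNAME] =
    "root\0\xde\xad\xbe\xef\xff\xff\xff\x80\x01\x02\x03";

/* Models the buggy system call: it copies namelen bytes regardless of the
 * login name's length, so every stale byte after the NUL reaches userland. */
int leaky_getlogin(char *namebuf, size_t namelen) {
    if (namelen > MAXLOGNAME)
        namelen = MAXLOGNAME;
    if (strlen(kernel_login) + 1 > namelen)
        return -1;                       /* caller's buffer too small (ERANGE) */
    memcpy(namebuf, kernel_login, namelen);
    return 0;
}

/* Hardened form: copies only the name and its terminator, nothing after it. */
int safe_getlogin(char *namebuf, size_t namelen) {
    size_t need = strlen(kernel_login) + 1;
    if (namelen > MAXLOGNAME)
        namelen = MAXLOGNAME;
    if (need > namelen)
        return -1;
    memcpy(namebuf, kernel_login, need);
    return 0;
}

/* Defender's check: fill a user buffer with a sentinel, run one of the two
 * implementations, and count bytes past the NUL that were overwritten with
 * kernel data. Returns 0 when nothing beyond the name was disclosed. */
size_t leaked_bytes(int (*getlogin_impl)(char *, size_t)) {
    char user[MAXLOGNAME];
    memset(user, 'S', sizeof user);
    if (getlogin_impl(user, sizeof user) != 0)
        return 0;
    size_t first_stale = strlen(user) + 1;
    size_t leaked = 0;
    for (size_t i = first_stale; i < sizeof user; i++)
        if (user[i] != 'S')
            leaked++;
    return leaked;
}
```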
Download PS4 File Browser
If the live demo above is not enough for you, you can download PS4 File Browser directly to your own local server and play with it locally.
source: @CTurtE (thanks to cfwprophet)