More Details surface on the PS4 4.01 Jailbreak, potentially enough for a public release “soon”
The PS4 scene has been doing a bit of detective work to understand the exploits behind the 4.01 Jailbreak that was demonstrated yesterday in Shanghai. After the hackers of Taichin Tech announced they would disclose the exploits to Sony, people were able to find data about the exploit on the FreeBSD mailing list and bug tracker.
Of course, not everyone can do much with this information, but in theory the details of how the bug was fixed should be enough information for people with the right set of skills to cause a kernel panic on the PS4. How that is later used to gain control of the PS4 will be let as an exercise to the people who know what they’re doing. Oh, and naturally, you’d also need a user entry point, some sort of Webkit exploit or something, in order to be able to execute the code in the first place.
The Kernel exploit itself apparently relies on a CVE (CVE-2016-1885) that was revealed back in April. It seems that this was not properly patched and this is one of the flaws the security researchers at Taichin Tech used to gain access to the PS4 system.
The argument validation in r296956 was not enough to close all possible overflows in sysarch(2)
Modified: stable/9/sys/amd64/amd64/sys_machdep.c Directory Properties: stable/9/ (props changed) stable/9/sys/ (props changed) Modified: stable/9/sys/amd64/amd64/sys_machdep.c ============================================================================== --- stable/9/sys/amd64/amd64/sys_machdep.c Tue Oct 25 17:16:08 2016 (r307940) +++ stable/9/sys/amd64/amd64/sys_machdep.c Tue Oct 25 17:16:58 2016 (r307941) @@ -612,6 +612,8 @@ amd64_set_ldt(td, uap, descs) largest_ld = uap->start + uap->num; if (largest_ld > max_ldt_segment) largest_ld = max_ldt_segment; + if (largest_ld < uap->start) + return (EINVAL); i = largest_ld - uap->start; mtx_lock(&dt_lock); bzero(&((struct user_segment_descriptor *)(pldt->ldt_base)) @@ -624,7 +626,8 @@ amd64_set_ldt(td, uap, descs) /* verify range of descriptors to modify */ largest_ld = uap->start + uap->num; if (uap->start >= max_ldt_segment || - largest_ld > max_ldt_segment) + largest_ld > max_ldt_segment || + largest_ld < uap->start) return (EINVAL); }
There are lots of “ifs” here, but with the kernel exploit pretty much in the open, it sounds like a public release is now in the realm of the possible, assuming the right people decide to work on a release.
As far as I’m concerned, I’m already wondering if I should get a second PS4. Any PS4 you buy new today is guaranteed to ship with a firmware 4.01 or less.
Source: via psxhax, thanks to everyone who pointed me to the article.