Hacker TheFlow shares PS4 Kernel bug details, says it can’t be turned into an exploit
Famed Vita hacker TheFlow has now apparently turned to investigating the PS4. He tweeted yesterday about a kernel vulnerability on the PS4 which, he said, was patched somewhere between firmwares 5.05 and 6.20.
Even if you’re on one of the firmwares still affected by this bug, the hacker almost instantly confirmed that it is not exploitable.
Unfortunately fixed somewhere between 5.05 and 6.20.
— Andy Nguyen (@theflow0) June 3, 2019
Nvm this bug is not exploitable, as copyout will simply abort if dst+len wraps around or is higher than 0x8000000000000000. However, Sony did actually fix it by adding a max_len > 0 check, so I thought it could be abused.
— Andy Nguyen (@theflow0) June 3, 2019
No doubt that other hackers will look into it to confirm whether or not something can be done with this bug, but between TheFlow’s statement that it can’t lead to an exploit, and the fact that it does not affect recent firmwares, there’s close to no chance at this point that this will turn into anything useful for the scene.
For those interested in playing with this, CelesteBlue has shared a proof of concept on pastebin.
// <6.00 bug (not exploitable) found by TheFloW, JS adaptation by CelesteBlue
// only useful for when we find an actual vulnerable syscall
var try_sys_randomized_path_leak = function() {
    var mem = p.malloc(0x1000000); // allocate buffer
    alert(p.hexdump(mem, 0x500)); // display zeroed buffer
    var len_pointer = p.malloc(0x08); // allocate length
    p.write8(len_pointer, new int64(0, 2147483648)); // write length: 0x8000000000000000
    alert(p.hexdump(len_pointer, 8)); // display length
    alert(p.syscall("sys_randomized_path", 0, mem, len_pointer)); // trigger bug
    alert(p.hexdump(mem, 0x500)); // display buffer, should have been modified if success
};
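To make TheFlow’s explanation concrete, here is an added C model (not code from the article, from TheFlow or from CelesteBlue) of the two checks involved: the destination-range check he describes in copyout, and the max_len > 0 check Sony added in the syscall. The function names, the constructed buffer address and the use of the tweet’s 0x8000000000000000 figure as the boundary are assumptions for illustration.

```c
/* Added illustration; not the PS4 kernel's code. Models the checks described
 * in TheFlow's tweet: copyout aborts if dst+len wraps or ends above
 * 0x8000000000000000, and Sony's fix adds a max_len > 0 check in the syscall.
 * Function names and the boundary constant are assumptions for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define USER_UPPER_BOUND 0x8000000000000000ULL /* figure quoted in the tweet */

/* Destination range check modelled on copyout: reject if dst+len wraps
 * around or the end of the range lies above the boundary. */
bool copyout_range_ok(uint64_t dst, uint64_t len) {
    uint64_t end = dst + len;
    if (end < dst)               /* unsigned addition wrapped around */
        return false;
    return end <= USER_UPPER_BOUND;
}

/* Sony's fix as described: reject a non-positive length before it is
 * handed to copyout as an unsigned size. INT64_MIN is the value the PoC
 * writes (0x8000000000000000), which is negative as a signed length. */
bool max_len_ok(int64_t max_len) {
    return max_len > 0;
}

/* Walk a request through the two layers. Returns 0 if the copy would
 * proceed, 1 if the syscall's max_len check stops it (fixed kernels only),
 * 2 if copyout's range check stops it. */
int evaluate_request(uint64_t dst, int64_t max_len, bool kernel_fixed) {
    if (kernel_fixed && !max_len_ok(max_len))
        return 1;
    if (!copyout_range_ok(dst, (uint64_t)max_len))
        return 2;
    return 0;
}

int main(void) {
    uint64_t dst = 0x200000000ULL; /* constructed user buffer address */
    printf("pre-fix, huge len: stopped at layer %d\n", evaluate_request(dst, INT64_MIN, false));
    printf("fixed,   huge len: stopped at layer %d\n", evaluate_request(dst, INT64_MIN, true));
    printf("fixed,   sane len: stopped at layer %d\n", evaluate_request(dst, 0x1000, true));
    return 0;
}
```

The pre-fix case is stopped at layer 2: even without the syscall’s own check, copyout refuses the range, which is why the PoC’s buffer stays unmodified.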
The interesting part, however, is that one of the best hackers of the Vita scene is now onto the PS4’s case.
Source: TheFlow
Let’s hope someone leaks it like they did for the PSVita hack. This guy will never release anything.
https://github.com/TheOfficialFloW
Nothing will be released, as per the last sentence, so just stick to 5.05: “…no chance at this point that this will turn into anything useful…”
TheFlow has held exploits while they still exist in current firmwares, and releases them soon after they’re patched. That makes sense, as the exploit will then work on a wider range of firmwares than if it were immediately released.
I’ve been waiting so long for this exploit… I really hope somebody looks into it and shares it.
New OFW 6.71 is out.
We already have a WebKit exploit that could lead to a kernel exploit on 6.20.
Stop getting mad that you can’t achieve anything with your clumsy hands unlike him and go learn how to do the same, you’ll feel better than relying on someone you mistrust boi.
This comment was meant for xvl260 but got unnested for whatever reason during moderation approval
(in case someone got mad over the obvious for no reason)
Don’t lose hope, all firmwares are “fully exploited in private”.
Sorry boi my source is trusted.
https://github.com/Cryptogenic/PS4-6.20-WebKit-Code-Execution-Exploit
With that code you should be able to get kernel access.
Not like you care you just want to play free games. Pay for your games loser.