PS5: SMAP bypass vulnerability disclosed
Security researcher m00nbsd, who specializes in BSD vulnerabilities, has disclosed a SMAP bypass vulnerability through PlayStation’s bug bounty program. The vulnerability could very likely impact the PS5.
Bypassing SMAP is not by itself enough to exploit a console, but it removes a lot of the OS's protections and makes the next steps of an exploit chain that much easier.
What is SMAP?
SMAP is a security feature available on some CPUs. From Wikipedia:
Without Supervisor Mode Access Prevention, supervisor code usually has full read and write access to user-space memory mappings (or has the ability to obtain full access). This has led to the development of several security exploits, including privilege escalation exploits, which operate by causing the kernel to access user-space memory when it did not intend to. Operating systems can block these exploits by using SMAP to force unintended user-space memory accesses to trigger page faults. Additionally, SMAP can expose flawed kernel code which does not follow the intended procedures for accessing user-space memory.
How is a SMAP vulnerability relevant to the PS5?
If SMAP can be entirely bypassed through an initial exploit, then a whole class of kernel exploits that rely on the kernel accessing user-space memory could work. This potentially means that a large number of exploits believed to be “hard to achieve” or “fixed” are actually a possibility on the PS5. From the disclosure:
SMAP is a security feature on x86 CPUs, that forbids ring0 from reading/writing to ring3 pages, making it harder to exploit entire classes of vulnerabilities. There is a vulnerability in FreeBSD 12 that allows SMAP to be bypassed by userland. There is a very high probability that it affects the PS5 but I was unable to access a PS5 firmware to confirm it. This vuln downgrades the security properties of the OS, and is a building block for exploitation chains.
[…]
Impact
Userland can open large windows where the kernel executes with SMAP disabled.
Lack of SMAP makes exploitation of common vulnerabilities easy/trivial.
For details on the actual bug/vulnerability, check the disclosure page on HackerOne.
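To make the SMAP definition above and the disclosure's phrase “windows where the kernel executes with SMAP disabled” concrete, here is a small C model of the access check. It is an added example written for this article, not code from the disclosure, from FreeBSD or from any PS5 firmware, and every name in it (the `cpu` and `page` structs, `access_page`, the `kernel_copyin_*` helpers) is invented for illustration. It models the three inputs that decide an x86 SMAP page fault (CPL, the page's U/S bit, CR4.SMAP and EFLAGS.AC) and contrasts the intended STAC/CLAC-bracketed user-memory access with a hypothetical error path that forgets the CLAC, which is the general shape of bug that leaves such a window open.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example: a minimal model of the x86 SMAP access check. Not code from
 * the disclosure, FreeBSD or the PS5; all names here are hypothetical. */

enum { RING0 = 0, RING3 = 3 };

struct cpu {
    int cpl;          /* current privilege level: RING0 (kernel) or RING3 (user) */
    bool cr4_smap;    /* SMAP feature enabled in CR4 */
    bool eflags_ac;   /* AC flag: STAC sets it (supervisor may touch user pages), CLAC clears it */
};

struct page {
    bool user;        /* U/S bit: true = user-accessible (ring3) page */
    int value;        /* stands in for the page contents */
};

enum result { ACCESS_OK = 0, PAGE_FAULT = 1 };

/* The SMAP rule: a supervisor-mode access to a user page faults when SMAP is
 * enabled and AC is clear. Every other combination is allowed in this model. */
static enum result access_page(const struct cpu *c, const struct page *p, int *out)
{
    if (c->cpl == RING0 && p->user && c->cr4_smap && !c->eflags_ac)
        return PAGE_FAULT;
    *out = p->value;
    return ACCESS_OK;
}

static void stac(struct cpu *c) { c->eflags_ac = true; }
static void clac(struct cpu *c) { c->eflags_ac = false; }

/* Intended procedure: a deliberate user-memory read is bracketed by STAC/CLAC,
 * the way copyin()-style helpers do it, so the window closes on every path. */
static enum result kernel_copyin_ok(struct cpu *c, const struct page *user_pg, int *out)
{
    stac(c);
    enum result r = access_page(c, user_pg, out);
    clac(c);
    return r;
}

/* Flawed procedure (hypothetical): an early-return error path skips CLAC and
 * leaves AC set, so the kernel keeps running "with SMAP disabled" afterwards. */
static enum result kernel_copyin_leaky(struct cpu *c, const struct page *user_pg,
                                       int *out, bool fail_early)
{
    stac(c);
    if (fail_early)
        return PAGE_FAULT;   /* bug: CLAC never executed */
    enum result r = access_page(c, user_pg, out);
    clac(c);
    return r;
}

/* True when an *unintended* kernel access to a user page is blocked, which is
 * exactly the protection SMAP is supposed to give. */
static bool unintended_access_is_blocked(struct cpu *c, const struct page *user_pg)
{
    int v;
    return access_page(c, user_pg, &v) == PAGE_FAULT;
}

int main(void)
{
    struct cpu c = { RING0, true, false };   /* kernel mode, SMAP on, AC clear */
    struct page upg = { true, 42 };          /* constructed user page */
    int v = 0;

    printf("bracketed copyin: %s (value %d)\n",
           kernel_copyin_ok(&c, &upg, &v) == ACCESS_OK ? "ok" : "fault", v);
    printf("unintended access blocked afterwards: %s\n",
           unintended_access_is_blocked(&c, &upg) ? "yes" : "no");

    kernel_copyin_leaky(&c, &upg, &v, true);
    printf("after the leaky error path, unintended access blocked: %s\n",
           unintended_access_is_blocked(&c, &upg) ? "yes" : "no");
    return 0;
}
```

The first two lines of output show SMAP doing its job: the bracketed read succeeds and a stray access right after it faults. The third shows the failure mode the disclosure is about: once a kernel path leaves AC set, the same stray access silently succeeds, which is why the hardening value of SMAP depends on every kernel path closing the window it opened. This also illustrates the Wikipedia remark that SMAP exposes flawed kernel code: with SMAP off (`cr4_smap = false`), the unbalanced path is invisible.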
Another early-adopter 1.72 firmware exploit, as it was for the PS4? Same thing basically: if you had way earlier access to a PS5, time to stop updating and start scalping as normal greed mongers do, jacking up the prices of their pre-ordered untouched PS5s.
Our PS5 is on FW 2.30. Yes, can’t wait!
Sorry, doesn’t this mean it’s not available? Mine is on FW 2.30 also, but this mentions firmwares above 20.06-02.26.00 (AKA, 2.26) being likely patched. This means we’re probably SOL for this exploit, right?
That second PS5 I have sitting there new in box is looking like a pretty good investment.
The HackerOne log says it got fixed March 10th.
Won’t matter once the PS5 slim or pro is released.
If the PS4 is any indication of how the PS5 will be, the storage issue alone makes anyone who buys a PS5 now less than intelligent.
You make absolutely no sense. Why wouldn’t it matter if the PS5 Slim or Pro is released?
Literally nobody was talking about the PS5 Slim or Pro….
Even if those systems came out it wouldn’t affect the future exploit.
Just sounds like you can’t get your hands on a PS5.
Aren’t there storage upgrades in the near future?
Yes, through the unlocked PCIe slot apparently. Guessing it’ll be for higher firmwares only, but I mean we’ve seen expandable storage techniques for PSP and Vita, so I wouldn’t be surprised if eventually it’d also be available through CFW.