PS5: Kernel Heap Overflow disclosed
Security researcher m00nbsd has disclosed a PS5 Kernel vulnerability, via the HackerOne bug bounty platform, in what is possibly the biggest PS5 hacking news in a long time.
The vulnerability, impacting the LAN PPPoE interface driver, also triggers on the PS4. The bug was apparently patched in PS4 9.03, and in PS5 4.50, which were both released late last year. In other words, PS5 consoles up to firmware 4.03 (and PS4s up to 9.00, but that is less interesting considering we already have a 9.00 Jailbreak) are impacted.
M00nbsd had already disclosed a SMAP bypass vulnerability on PS5 last year.
Kernel Heap Overflow on the PS5. What does it mean for the scene?
The disclosure, which can be found over at HackerOne, gives a lot of details on how to trigger the vulnerability. But the developer emphasizes that he hasn’t tested the issue on PS5 yet, only confirmed it on a PS4.
He also clarifies that he hasn’t exploited the vulnerability due to lack of a debugger, only checked that it exists. In other words, this might not be exploitable at all, but there’s a distinct possibility here.
What about the PS4? Is it impacted too?
SpecterDev has already confirmed the vulnerability impacts the PS4, by showcasing a diff of the impacted code between firmwares 9.00 and 9.03. However, as he points out, a new kernel exploit on 9.03 is not needed, considering how stable the latest Jailbreak is.
PPPoE bug patch in PS4. As can be seen, patched in 9.03 on the right. Probably not worth attempting to exploit this on PS4 as it won’t move firmware forward. Also probably would end up less stable than exFAT exploit because mbuf zone corruption kinda sucks. pic.twitter.com/j60H5OVOfU
— Specter (@SpecterDev) May 11, 2022
PS5 Kernel exploit – Who’s looking?
It’s very likely now that a few people on the scene will be hard at work to try and turn this vulnerability into an actual exploit for the PS5. With access to a Webkit exploit on PS5 up to firmware 04.03, it’s possible all the tools are available now to dig further into the PS5’s internals.
This won’t be a walk in the park though, as, except for a few teams or individuals, nobody has any backdoor access to the PS5 system, meaning that triggering an exploit could be like stumbling in the dark. I’d personally be interested to see what folks like ZNullPtr or ChendoChap have to say on this topic, and whether it helps their own investigations or not.
In the meantime, people with the right skills could try to trigger the vulnerability on their own PS5, by following the steps outlined in the HackerOne disclosure, and recreating the proof of concept code (which is unfortunately not included in the disclosure). I’m hoping a recreation of the PoC file will be widely shared if/when someone manages to make it happen.
Source: m00nbsd
First
we want a 9.03 for PIRACY* better to back up our fcking games and play newer games and mod the games like ER.
*see as a joke
9.03 Bad luck again
Waiting for the ps5 hack
Haha nice but you’ll never break our sandbox
Luckily I don’t have ps5 or xsx or switch
So in conclusion: I must update my ps4 since I’m still on 9.03 and haven’t touched it when I bought my PS5 (idc about the jailbreak on it). And just forget about it.
It sucks that new PS5 ships with 4.50 (or newer soon) but nothing to do but let it wait until a good jailbreak emerges. I don’t envy the hackers, poor guys who mostly get *** from the ones demanding newer hacks. I believe they will come through in the end though.
Abstract
========
A vulnerability has been discovered in the processing of PPPoE
discovery phase packets. A malicious host on the same network
(within the same broadcast domain) could cause a NetBSD machine
trying to initiate a PPPoE session to overwrite memory outside
of the allocated bounds.
Technical Details
=================
During establishment of a new PPPoE session the client broadcasts
discovery packets on the local network and awaits offer packets from
potential PPPoE servers. If the client receives multiple offers,
it picks one and continues session establishment only with that
server.
Due to bugs in the processing of the offer packets, a malicious
server could send multiple offers and details from the offer would
be accumulated into a single answer packet. Due to this accumulation
it was possible to overrun some size limits inherently asserted
by the PPPoE standard. This bug triggered a second bug that caused an
mbuf cluster to be allocated even for sizes that do not fit into
a fixed size cluster. When creating an answer packet the bounds
of the allocated mbuf cluster then were not honored and data written
outside the allocated memory area. This would cause memory corruption
in the mbuf cluster pool, with unclear consequences. The content of
the overwritten data areas was under control of the attacker.
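The paragraph above describes two things a client-side PPPoE discovery handler has to get right: offer details must not be merged across several PADO packets, and the reply must be sized against its fixed-size buffer before anything is written. The C program below is an added illustration of those checks; it is not NetBSD's or Sony's driver code, and the names (pppoe_client, pppoe_handle_pado, pppoe_build_padr, pppoe_make_pado) and the limits TAG_MAX and REPLY_MAX are assumptions chosen for the example. The PPPoE codes and tag types are the ones defined in RFC 2516. REPLY_MAX stands in for a fixed-size mbuf cluster, and the PADO frames are constructed in main() for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from RFC 2516. */
#define PPPOE_VERTYPE      0x11
#define PPPOE_CODE_PADO    0x07   /* Active Discovery Offer   (server -> client) */
#define PPPOE_CODE_PADR    0x19   /* Active Discovery Request (client -> server) */
#define PPPOE_TAG_EOL      0x0000
#define PPPOE_TAG_SNAME    0x0101 /* Service-Name */
#define PPPOE_TAG_ACCOOKIE 0x0104 /* AC-Cookie, echoed back in the PADR */
#define PPPOE_HDRLEN       6

/* Assumed limits for this example: each stored tag is capped at TAG_MAX bytes and
 * the reply must fit in REPLY_MAX bytes, a stand-in for a fixed-size mbuf cluster. */
#define TAG_MAX   256
#define REPLY_MAX 2048

struct pppoe_client {
    int     have_offer;            /* set once one offer has been accepted */
    uint8_t cookie[TAG_MAX];
    size_t  cookie_len;
    uint8_t sname[TAG_MAX];
    size_t  sname_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Process one PADO. Returns 0 if the offer was accepted, -1 if it was rejected.
 * Every tag length is checked against the frame, only the first offer is kept
 * (later offers are dropped, never merged into the stored state), and each tag
 * is copied into a fixed-size field only after its length has been checked. */
int pppoe_handle_pado(struct pppoe_client *c, const uint8_t *pkt, size_t len)
{
    if (len < PPPOE_HDRLEN || pkt[0] != PPPOE_VERTYPE || pkt[1] != PPPOE_CODE_PADO)
        return -1;
    size_t plen = rd16(pkt + 4);
    if (plen > len - PPPOE_HDRLEN)        /* declared payload longer than the frame */
        return -1;
    if (c->have_offer)                    /* a server was already chosen: ignore further offers */
        return -1;

    uint8_t cookie[TAG_MAX], sname[TAG_MAX];
    size_t clen = 0, slen = 0, off = PPPOE_HDRLEN, end = PPPOE_HDRLEN + plen;
    while (off + 4 <= end) {
        uint16_t type = rd16(pkt + off), tlen = rd16(pkt + off + 2);
        off += 4;
        if (tlen > end - off)             /* tag value runs past the payload */
            return -1;
        if (type == PPPOE_TAG_EOL)
            break;
        if (type == PPPOE_TAG_ACCOOKIE) {
            if (clen != 0 || tlen > TAG_MAX) return -1;   /* duplicate or oversized tag */
            memcpy(cookie, pkt + off, tlen); clen = tlen;
        } else if (type == PPPOE_TAG_SNAME) {
            if (slen != 0 || tlen > TAG_MAX) return -1;
            memcpy(sname, pkt + off, tlen); slen = tlen;
        }
        off += tlen;                      /* unknown tags are skipped */
    }
    /* Commit only after the whole packet has been validated. */
    memcpy(c->cookie, cookie, clen); c->cookie_len = clen;
    memcpy(c->sname, sname, slen);   c->sname_len = slen;
    c->have_offer = 1;
    return 0;
}

/* Build the PADR reply into out[outcap]. The full size is computed before any
 * byte is written, so a reply that does not fit is refused rather than written
 * past the buffer. Returns the reply length, or -1 if it cannot be built. */
int pppoe_build_padr(const struct pppoe_client *c, uint8_t *out, size_t outcap)
{
    if (!c->have_offer) return -1;
    size_t need = PPPOE_HDRLEN + 4 + c->sname_len + 4;  /* header, Service-Name, End-Of-List */
    if (c->cookie_len) need += 4 + c->cookie_len;
    if (need > outcap || need - PPPOE_HDRLEN > 0xFFFF) return -1;

    uint8_t *p = out;
    *p++ = PPPOE_VERTYPE; *p++ = PPPOE_CODE_PADR;
    wr16(p, 0); p += 2;                                 /* session id is 0 during discovery */
    wr16(p, (uint16_t)(need - PPPOE_HDRLEN)); p += 2;
    wr16(p, PPPOE_TAG_SNAME); wr16(p + 2, (uint16_t)c->sname_len); p += 4;
    memcpy(p, c->sname, c->sname_len); p += c->sname_len;
    if (c->cookie_len) {
        wr16(p, PPPOE_TAG_ACCOOKIE); wr16(p + 2, (uint16_t)c->cookie_len); p += 4;
        memcpy(p, c->cookie, c->cookie_len); p += c->cookie_len;
    }
    wr16(p, PPPOE_TAG_EOL); wr16(p + 2, 0); p += 4;
    return (int)(p - out);
}

/* Constructed test input: a PADO with Service-Name "svc" and an AC-Cookie of
 * clen bytes. Returns the frame length, or 0 if it does not fit in buf. */
size_t pppoe_make_pado(uint8_t *buf, size_t cap, const uint8_t *cookie, size_t clen)
{
    static const uint8_t svc[3] = { 's', 'v', 'c' };
    size_t need = PPPOE_HDRLEN + 4 + sizeof svc + 4 + clen + 4;
    if (need > cap || clen > 0xFFFF) return 0;
    uint8_t *p = buf;
    *p++ = PPPOE_VERTYPE; *p++ = PPPOE_CODE_PADO;
    wr16(p, 0); p += 2;
    wr16(p, (uint16_t)(need - PPPOE_HDRLEN)); p += 2;
    wr16(p, PPPOE_TAG_SNAME); wr16(p + 2, sizeof svc); p += 4;
    memcpy(p, svc, sizeof svc); p += sizeof svc;
    wr16(p, PPPOE_TAG_ACCOOKIE); wr16(p + 2, (uint16_t)clen); p += 4;
    memcpy(p, cookie, clen); p += clen;
    wr16(p, PPPOE_TAG_EOL); wr16(p + 2, 0); p += 4;
    return (size_t)(p - buf);
}

int main(void)
{
    struct pppoe_client c; memset(&c, 0, sizeof c);
    uint8_t cookie[40]; memset(cookie, 0xAA, sizeof cookie);
    uint8_t pado[512], reply[REPLY_MAX];
    size_t n = pppoe_make_pado(pado, sizeof pado, cookie, sizeof cookie);
    printf("first offer:  %d\n", pppoe_handle_pado(&c, pado, n));   /* 0: accepted */
    printf("second offer: %d\n", pppoe_handle_pado(&c, pado, n));   /* -1: ignored, not merged */
    printf("PADR length:  %d\n", pppoe_build_padr(&c, reply, sizeof reply));
    printf("PADR in 32 B: %d\n", pppoe_build_padr(&c, reply, 32)); /* -1: refused, nothing written */
    return 0;
}
```

The two properties the advisory calls out are separated on purpose: pppoe_handle_pado guarantees the stored offer never grows beyond one validated packet, and pppoe_build_padr guarantees the reply size is known and checked against the buffer before the first memcpy. Either check alone leaves a path to the problem the advisory describes (accumulation without a size check, or a size check applied after the copy), which is why a reviewer would look for both.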
Solutions and Workarounds
=========================
The attack can only happen while a PPPoE session is being established.
During session lifetime or when no pppoe(4) interface is active, the
malicious packets are ignored by the kernel.