PS5: Kernel Heap Overflow disclosed
The vulnerability, impacting the LAN PPPoE interface driver, also triggers on the PS4. The bug was apparently patched in PS4 9.03, and in PS5 4.50, which were both released late last year. In other words, PS5 consoles up to firmware 4.03 (and PS4s up to 9.00, but that is less interesting considering we already have a 9.00 Jailbreak) are impacted.
M00nbsd had already disclosed a SMAP bypass vulnerability on PS5 last year.
Kernel Heap Overflow on the PS5. What does it mean for the scene?
The disclosure, which can be found over at HackerOne, gives a lot of details on how to trigger the vulnerability. But the developer emphasizes that he hasn’t tested the issue on PS5 yet, only confirmed it on a PS4.
He also clarifies that he hasn’t exploited the vulnerability due to lack of a debugger, only checked that it exists. In other words, this might not be exploitable at all, but there’s a distinct possibility here.
What about the PS4? Is it impacted too?
SpecterDev has already confirmed the vulnerability impacts the PS4, by showcasing a diff of the impacted code between firmwares 9.00 and 9.03. However, as he points out, a new kernel exploit on 9.03 is not needed, considering how stable the latest Jailbreak is.
PPPoE bug patch in PS4. As can be seen, patched in 9.03 on the right. Probably not worth attempting to exploit this on PS4 as it won’t move firmware forward. Also probably would end up less stable than exFAT exploit because mbuf zone corruption kinda sucks. pic.twitter.com/j60H5OVOfU
— Specter (@SpecterDev) May 11, 2022
PS5 Kernel exploit – Who’s looking?
It’s very likely now that a few people on the scene will be hard at work to try and turn this vulnerability into an actual exploit for the PS5. With access to a Webkit exploit on PS5 up to firmware 04.03, it’s possible all the tools are available now to dig further into the PS5’s internals.
This won’t be a walk in the park though, as, except for a few teams or individuals, nobody has any backdoor access to the PS5 system, meaning that triggering an exploit could be like stumbling in the dark. I’d personally be interested to see what folks like ZNullPtr or ChendoChap have to say on this topic, and whether it helps their own investigations or not.
In the meantime, people with the right skills could try to trigger the vulnerability on their own PS5, by following the steps outlined in the HackerOne disclosure, and recreating the proof of concept code (which is unfortunately not included in the disclosure). I’m hoping a recreation of the PoC file will be widely shared if/when someone manages to make it happen.