TheFloW strikes again: PS5 confirmed vulnerable to Kernel exploit in “new” disclosure (IPV6 Socket UAF)
Another day, another potential exploit for the PS5. After the Blu-Ray exploit chain earlier this year by TheFloW, and the PS2 exploit by CTurt a few days ago, a “new” disclosure was made on HackerOne a few hours ago.
Here is TheFloW again, with a new vulnerability impacting the PS5, which could very well lead to Kernel access on the system. Specifically, TheFloW says: “I was able to use this vulnerability in conjunction with the bd-j exploit chain to gain kernel access.”
PS5 IPv6 socket Exploit: Everything Old is New again
The exploit (a use-after-free in setsockopt with the IPV6_2292PKTOPTIONS option) is not technically “new” (hence the quotes), but the same exploit that led to the 7.02 PS4 Jailbreak back in 2020. As TheFloW mentions in his report to PlayStation on the HackerOne platform: “This vulnerability had been reported by me for the PS4 2 years ago when the PS5 did not yet exist, thus this should be considered as a new report and not a duplicate”.
This specific vulnerability, a race condition and use-after-free in IPv6 socket option handling, impacted FreeBSD in general, and the PS4 in particular. I’m having a hard time wrapping my mind around the fact that this was fixed for the PS4 back in 2020, but somehow made it into the PS5 Firmware.
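To make the bug class concrete from a defender's point of view, here is an added user-space model (not PS4/PS5 or FreeBSD code, and not TheFloW's) of the pattern behind this kind of setsockopt use-after-free: a per-socket options pointer that one thread replaces and frees while another thread reads it. The struct and function names (`model_inpcb`, `set_pktopts_racy`, `set_pktopts_locked`, `read_pktopts_locked`) are invented for the illustration; the point is that the swap-and-free must happen under the same lock that readers hold.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a socket's protocol control block. */
struct model_pktopts { int hoplimit; };
struct model_inpcb {
    pthread_mutex_t lock;             /* plays the role of the pcb lock */
    struct model_pktopts *outputopts; /* shared pointer both paths touch */
};

static int frees_seen;  /* counts how many option blocks were released */

void model_inpcb_init(struct model_inpcb *inp) {
    pthread_mutex_init(&inp->lock, NULL);
    inp->outputopts = NULL;
    frees_seen = 0;
}

/* Vulnerable shape: the old block is freed with the lock dropped, so a
 * concurrent reader that copied the pointer can dereference freed memory.
 * Kept for comparison only; the hardened variant below is what should run. */
void set_pktopts_racy(struct model_inpcb *inp, int hoplimit) {
    struct model_pktopts *fresh = malloc(sizeof *fresh);
    fresh->hoplimit = hoplimit;
    pthread_mutex_lock(&inp->lock);
    struct model_pktopts *old = inp->outputopts;
    pthread_mutex_unlock(&inp->lock);     /* window opens here */
    inp->outputopts = fresh;              /* unlocked write */
    free(old);                            /* reader may still hold 'old' */
    frees_seen++;
}

/* Hardened shape (mirrors the idea of the upstream fix): swap the pointer
 * while holding the lock, and only free the detached block afterwards.
 * Readers take the same lock, so they never observe the freed block. */
void set_pktopts_locked(struct model_inpcb *inp, int hoplimit) {
    struct model_pktopts *fresh = malloc(sizeof *fresh);
    fresh->hoplimit = hoplimit;
    pthread_mutex_lock(&inp->lock);
    struct model_pktopts *old = inp->outputopts;
    inp->outputopts = fresh;              /* publish under the lock */
    pthread_mutex_unlock(&inp->lock);
    free(old);                            /* nobody can still reach 'old' */
    frees_seen++;
}

/* Reader: copies the value it needs while holding the lock, never keeping
 * the raw pointer past the unlock. Returns -1 when no options are set. */
int read_pktopts_locked(struct model_inpcb *inp) {
    pthread_mutex_lock(&inp->lock);
    int v = inp->outputopts ? inp->outputopts->hoplimit : -1;
    pthread_mutex_unlock(&inp->lock);
    return v;
}

int frees_so_far(void) { return frees_seen; }

static void *writer_thread(void *arg) {
    struct model_inpcb *inp = arg;
    for (int i = 0; i < 10000; i++) set_pktopts_locked(inp, i);
    return NULL;
}

static void *reader_thread(void *arg) {
    struct model_inpcb *inp = arg;
    for (int i = 0; i < 10000; i++) (void)read_pktopts_locked(inp);
    return NULL;
}

int main(void) {
    /* Stand-alone run: hammer the hardened path from two threads. */
    struct model_inpcb inp;
    model_inpcb_init(&inp);
    pthread_t w, r;
    pthread_create(&w, NULL, writer_thread, &inp);
    pthread_create(&r, NULL, reader_thread, &inp);
    pthread_join(w, NULL);
    pthread_join(r, NULL);
    free(inp.outputopts);
    return 0;
}
```

Running the hardened path under a sanitizer (for example `-fsanitize=thread` or `address`) stays clean, whereas the racy variant is the kind of thing those tools flag immediately; this is the check to build into CI for any handler that replaces a shared, freed object.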
The vulnerability is well documented (here in particular, and CVE-2020-7457, also TheFloW’s report for the PS4, and source code of the jailbreak here), but there’s of course the question of how much more work would be required to actually piece all the elements together (namely, the bd-jb exploit chain and this kernel exploit) before a PS5 hack is actually possible. Some hackers have mentioned the PS5 is significantly harder than the PS4 to hack fully.
PS5 IPv6 socket Exploit – which firmware is impacted?
It’s unclear which Firmware is impacted by this exploit, as those details haven’t surfaced yet; however, the BD-J exploit has been said to impact firmware up to and including 4.51. So it’s possible this exploit could also work up to that Firmware.
However, TheFloW reported this PS5 vulnerability to Sony on January 5, 2022. Firmware 4.50 had been released in December 2021, then 4.51 in March 2022, quickly followed by 5.00 shortly after that. It’s therefore possible 4.51 patched the vulnerability, but most likely 4.50 would be vulnerable.