HackerOne disclosure gives fresh details on the PS4 9.00 Jailbreak
You can’t escape TheFloW in scene news this week. After a PS5 Kernel exploit disclosure, the hacker confirmed what we already knew: that he was originally behind the USB/exFAT PS4 vulnerability which led to the PS4 9.00 Jailbreak late last year.
At the time, hackers had worked on a diff between firmware 9.03 and 9.00 to figure out what had been patched, and reverse engineer the bug from its fix.
The fix, it turns out, had been implemented by Sony engineers on 9.03 after a vulnerability report by TheFloW. It was pretty clear he was originally behind this discovery, and this is probably why he is being credited in the 9.00 Jailbreak, even though he did not directly participate in its release.
This vulnerability was reported in September last year to Sony, and they have agreed to disclose it now. Although the Jailbreak was technically released a while ago, it’s always interesting to see more technical details on how it works.
From the report:

The vulnerability is in Sony’s exFAT implementation where there is an integer truncation from 64bit to 32bit on a size variable that is used to allocate the up-case table. […] and size are both 64bit wide, however the […] sceFatfsCreateHeapVl() is 32bit wide. When using a big size for dataLength, this function will therefore only allocate a small buffer, and as a result overflow and corrupt subsequent objects on the heap when calling […].

Exploitation
This vulnerability allows us to allocate any buffer on the heap with size >= 512 and multiple of 512, and allows us to overflow by a multiple of 512. There are interesting objects that one could spray on the heap such as struct usb_endpoint which contain interesting pointers that one could corrupt.

Impact
Jailbreak the PS4/PS5 by plugging in the USB and directly getting kernel code execution.
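To make the truncation mechanism concrete, here is a small C model of a 64-bit size being handed to an allocator whose parameter is only 32 bits wide, alongside the width check that prevents it. This is an added example written for this post, not code from TheFloW’s report or from Sony’s exFAT implementation: heap_alloc_32, truncated_size, overflow_bytes, checked_alloc_size and size_fits_allocator are hypothetical names, and the 0x100000200 request is a constructed value.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for an allocator whose size parameter is 32 bits wide
 * (the shape of the problem described in the report; not Sony's code). */
static void *heap_alloc_32(uint32_t size)
{
    return malloc(size ? size : 1);
}

/* The number of bytes the 32-bit allocator actually receives when a 64-bit
 * size is passed straight through: the high 32 bits are silently dropped. */
uint32_t truncated_size(uint64_t size64)
{
    return (uint32_t)size64;
}

/* How far a copy of size64 bytes would run past a buffer allocated with the
 * truncated size. Zero means the allocation is large enough. */
uint64_t overflow_bytes(uint64_t size64)
{
    return size64 - (uint64_t)truncated_size(size64);
}

/* Hardened version of the size handoff: refuse anything that does not fit
 * the allocator's parameter width instead of letting the compiler narrow it. */
int checked_alloc_size(uint64_t size64, uint32_t *out)
{
    if (size64 == 0 || size64 > UINT32_MAX)
        return -1;
    *out = (uint32_t)size64;
    return 0;
}

/* Convenience form for callers that only need a yes/no answer. */
int size_fits_allocator(uint64_t size64)
{
    uint32_t unused;
    return checked_alloc_size(size64, &unused) == 0;
}

int main(void)
{
    /* Constructed example: 0x100000200 bytes requested on behalf of an
     * untrusted 64-bit length value read from the filesystem image. */
    uint64_t data_length = 0x100000200ULL;
    uint32_t narrow = truncated_size(data_length);

    printf("requested  : 0x%llx bytes\n", (unsigned long long)data_length);
    printf("allocated  : 0x%x bytes (after 64->32 bit truncation)\n", narrow);
    printf("overrun by : 0x%llx bytes\n",
           (unsigned long long)overflow_bytes(data_length));

    /* Unsafe path: the buffer is only 0x200 bytes, but a caller that trusts
     * data_length would copy 0x100000200 bytes into it. The copy itself is
     * deliberately not performed here. */
    void *buf = heap_alloc_32(narrow);
    free(buf);

    /* Hardened path: the same request is rejected before any allocation. */
    uint32_t checked;
    if (checked_alloc_size(data_length, &checked) != 0)
        printf("hardened   : request rejected, size does not fit 32 bits\n");
    else
        printf("hardened   : allocated 0x%x bytes\n", checked);

    return 0;
}
```

The point of the check is that the narrowing happens at the call boundary, where the compiler will not warn by default; validating the 64-bit value against UINT32_MAX before the call turns a silent heap overflow into an explicit error.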
You can head over to the HackerOne report to read TheFloW’s full writeup on the vulnerability.