You can’t escape TheFloW in scene news this week. After a PS5 Kernel exploit disclosure, the hacker confirmed what we already knew, that he was originally behind the USB/exFAT PS4 vulnerability which led to the PS4 9.00 Jailbreak late last year.

At the time, hackers had worked on a diff between firmware 9.03 and 9.00 to figure out what had been patched, and reverse engineer the bug from its fix.

The fix, it turns out, had been implemented by Sony engineers on 9.03 after a vulnerability report by TheFloW. It was pretty clear he was originally behind this discovery, and this is probably why he is being credited in the 9.00 Jailbreak, even though he did not directly participate in its release.

This vulnerability was reported in September last year to Sony, and they have agreed to disclose it now. Although the Jailbreak was technically released a while ago, it’s always interesting to see more technical details on how it works.

The vulnerability is in Sony’s exFAT implementation where there is an integer truncation from 64bit to 32bit on a size variable that is used to allocate the up-case table

Namely, dataLength and size are both 64bit wide, however the size argument of sceFatfsCreateHeapVl() is 32bit wide

When using a big size for dataLength, this function will therefore only allocate a small buffer, and as a result overflow and corrupt subsequent objects on the heap when calling UVFAT_ReadDevice().

Exploitation

This vulnerability allows us to allocate any buffer on the heap with size >= 512 and multiple of 512, and allows us to overflow by a multiple of 512. There are interesting objects that one could spray on the heap such as struct usb_endpoint which contain interesting pointers that one could corrupt.

Impact

Jailbreak the PS4/PS5 by plugging in the USB and directly getting kernel code execution.

You can head over to the HackerOne report to read the full writeup on the vulnerability, by TheFloW

Source: TheFloW