FreeBSD vulnerability could potentially impact PS5, PS4 (but don’t get your hopes too high on this one…)
A semi-fresh vulnerability, impacting at least FreeBSD 11 to 13, could potentially be used to target the PS5, and possibly the PS4 as well, as reported by Zecoxao.
FreeBSD aio_aqueue Kernel Refcount Bug
The vulnerability isn’t exactly new: it was disclosed back in August by security researcher Chris J-D over at accessvector. What was initially seen as a simple memory leak in the aio_aqueue function turned out to enable a use-after-free under certain conditions.
It’s not even “fresh” for the scene either, as it had been spotted back in October by 0x8ff on the PS5 hack R&D Discord:

The vulnerability has been reported on FreeBSD 11 to 13 (meaning the PS5 could be vulnerable), but could also impact FreeBSD 9, which would make the PS4 a potential target as well.
Unfortunately, the bug was deemed “hard to do practically” by hackers back in October, and it seems things haven’t evolved in the right direction since:
Zecoxao initially raised our hopes yesterday by stating that an anonymous but trusted source of his had confirmed the bug impacts at least PS5 firmware 2.50 (more firmwares could definitely be impacted; 2.50 just happens to be the firmware that source has been running). Unfortunately, on closer inspection, it seems that on both PS4 and PS5 the impacted syscalls are protected by priv_check, meaning the firmware only runs them within a Kernel/Admin context.
The priv interfaces check to see if specific system privileges are granted to the passed thread, td, or credential, cred. This interface replaces the now removed suser(9) privilege checking interface. Privileges typically represent rights in one of two categories: the right to manage a particular component of the system, or an exemption to a specific policy or access control list. The caller identifies the desired privilege via the priv argument.
Hard to get a privilege escalation if you need to be admin in the first place to run the vulnerable code.
— Control_eXecute (@notzecoxao) November 28, 2022
anon double checked and aio syscalls, in ps4 and also ps5, are protected by priv_check
— Control_eXecute (@notzecoxao) November 28, 2022
Verdict?
Although it would be great to have more pairs of eyes on this vulnerability, the people who have looked into it so far have concluded it’s not an easy target for PS4/PS5 exploits. That said, we’ve seen vulnerabilities incorrectly ruled out in the past, and this one looks like it could deserve additional scrutiny.
The original disclosure includes a proof of concept for those who want to give it a try: https://accessvector.net/2022/freebsd-aio-lpe.tar.gz