New FreeBSD Vulnerabilities could impact PS4/PS5

More FreeBSD vulnerabilities are being reported today, including one where the patch for the fix comes from none other than CTurt himself.
Because the operating systems of the PS4 and PS5 are based on FreeBSD, it is possible that FreeBSD exploits also impact Sony's consoles. This is, however, difficult to confirm in general, given that the consoles are black boxes.
Two FreeBSD vulnerabilities that might impact the PS4 and PS5
The vulnerabilities are as follows:
CVE-2022-23093 – FreeBSD Stack-Based Overflow
Ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a “quoted packet,” which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header.
The pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.
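As an added illustration of the bug class described above (this is not code from FreeBSD's ping or from the advisory, and all names in it are my own), the following C snippet shows the defensive pattern the fix requires: derive the IPv4 header length from the IHL field and size the destination buffer for the 60-byte maximum, so that up to 40 bytes of IP options fit instead of overrunning a 20-byte buffer. The sample packet is constructed, not a capture.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_FIXED_HDR_LEN 20  /* IPv4 header with no options */
#define IP_MAX_HDR_LEN   60  /* IHL field max is 15 words = 60 bytes */
#define ICMP_HDR_LEN      8

/* Header length from the IHL field; 0 if the packet is too short or IHL
 * is outside the valid range, so callers never trust a bad length. */
size_t ip_header_len(const uint8_t *pkt, size_t len) {
    if (len < IP_FIXED_HDR_LEN) return 0;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < IP_FIXED_HDR_LEN || hlen > IP_MAX_HDR_LEN || hlen > len) return 0;
    return hlen;
}

/* Stack-style buffers sized for the worst case: the IP buffer holds the
 * full 60-byte header, so up to 40 bytes of options fit instead of
 * spilling past a buffer sized for the 20-byte fixed header only. */
struct parsed_hdrs {
    uint8_t ip[IP_MAX_HDR_LEN];
    size_t ip_len;
    uint8_t icmp[ICMP_HDR_LEN];
};

/* Copy the IP header (options included) and the ICMP header that follows
 * it, using the IHL-derived length rather than a fixed 20 bytes. */
bool extract_headers(const uint8_t *pkt, size_t len, struct parsed_hdrs *out) {
    size_t hlen = ip_header_len(pkt, len);
    if (hlen == 0 || len - hlen < ICMP_HDR_LEN) return false;
    memcpy(out->ip, pkt, hlen);
    out->ip_len = hlen;
    memcpy(out->icmp, pkt + hlen, ICMP_HDR_LEN);
    return true;
}

/* Constructed sample (not a real capture): IPv4 header with IHL=15, i.e.
 * 20 fixed bytes plus 40 bytes of NOP options, then an 8-byte ICMP echo
 * reply header. Returns the parsed IP header length, or 0 on rejection. */
size_t sample_with_options_hdr_len(void) {
    uint8_t pkt[IP_MAX_HDR_LEN + ICMP_HDR_LEN] = {0};
    struct parsed_hdrs h;
    pkt[0] = 0x4f;                             /* version 4, IHL 15 */
    pkt[9] = 1;                                /* protocol: ICMP */
    memset(pkt + IP_FIXED_HDR_LEN, 0x01, 40);  /* 40 x NOP option */
    return extract_headers(pkt, sizeof pkt, &h) ? h.ip_len : 0;
}
```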
My hot take on this one is that it is unlikely to lead to anything useful on PS4/PS5. “ping” tends to run in a very constrained mode so I don’t see how it could lead to any kind of privilege escalation. Then again, I know nothing, Jon Snow.
(Thanks to @nomadic20000 for the report)
reference count leak in fdescfs
This one doesn’t have a CVE attached to it, so it might be minor, but, as pointed out by Zecoxao, the patch was submitted by CTurt himself. Now of course, we all know CTurt has been digging a lot into FreeBSD vulnerabilities for many years now, so the most probable thing here is that this is a minor issue he just reported directly to FreeBSD. I’m assuming that if this wasn’t the case there would be a CVE attached to it. Nonetheless, it might be worth looking into:
What is the impact for PS4/PS5?
These vulnerabilities are not useful to end users, but might be of interest to hackers with the right set of tools, in order to make additional progress on a potential jailbreak for either the PS4 or the PS5. Only time will tell whether these turn out to be useful or not. In these two cases, however, I have limited expectations.
One of them doesn't have a CVE attached to it (and I feel CTurt would have gone to the HackerOne bounty program if there was any relevance to PlayStation consoles), and the other seems to have limited impact. Of course, as always, let's wait for people with the right skills to have a look into it before entirely dismissing it 🙂
Other vulnerabilities were reported late last year, but to my knowledge haven’t been leveraged on PS4 or PS5: here and here.
ps4dba ps4 database addon molecule installer
bah not useful :p
hehe xash3d one day on ps4