PS4/PS5: TheFloW discloses Kernel vulnerability relying on old bug from 2006, impacts PS4 up to 11.00 & PS5 up to 8.20, more details in May
A few months ago, I wrote about a rumor that TheFloW's yet-to-be-disclosed PS4/PS5 Kernel exploit was relying on an 18 year old vulnerability. What initially sounded like an obvious troll, and then looked more and more like an actual crash, has turned out to be the real deal. TheFloW confirmed a few hours ago that the Kernel exploit does indeed rely on a 2006 CVE. He has linked to a HackerOne report that contains details on the vulnerability (disclosure), but not on full exploitation.
TL;DR: if you're on PS4 11.00 or below, and/or on PS5 8.20 or below, you'll want to stay put, a kernel exploit is most likely coming.
PS4 11.00 / PS5 8.20 Kernel exploit incoming
Hacker TheFloW has just confirmed that he leveraged a critical vulnerability from 2006 (CVE-2006-4304) in order to gain kernel access to both the PS4 and PS5. He will present the exploit at the TyphoonCon security conference, in a few weeks. But he’s already given some details of the vulnerability in a lengthy report on Sony’s bug bounty program on HackerOne.
TheFloW has been an insane source of exploits and vulnerability disclosures for PlayStation devices, dating back to his early days on the PSP (when he was known as Total_Noob). Back then, the scene as a whole, Total_Noob included, was a bit reckless, and hack releases felt a bit simpler. Nowadays, a lot of hackers keep things under wraps, and the rare ones like TheFloW who do release their work go through a more "responsible" route, leveraging Sony's bug bounty program.
What the CVE is about:
Buffer overflow in the sppp driver in FreeBSD 4.11 through 6.1, NetBSD 2.0 through 4.0 beta before 20060823, and OpenBSD 3.8 and 3.9 before 20060902 allows remote attackers to cause a denial of service (panic), obtain sensitive information, and possibly execute arbitrary code via crafted Link Control Protocol (LCP) packets with an option length that exceeds the overall length, which triggers the overflow in (1) pppoe and (2) ippp.
From TheFloW’s report:
A malicious PPPoE server can cause denial-of-service or potentially remote code execution in kernel context on the PS4/PS5.
At [1], it is possible to set len to a length between 0 and 5. Thus, at [2] len - 6 can have a negative length between -6 and -1. As such, the checks for name_len and passwd_len can be bypassed, and it is possible to have lengths up to 255 bytes. As a consequence, at [3] it is possible to read out-of-bounds from the mbuf when comparing the name and password with memcmp(). Since different responses are returned back based on the comparison, an attacker might be able to use this as an oracle to leak the out-of-bounds data (by setting the name and secret beforehand). This could be used to leak pointers and defeat KASLR remotely.
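To make the length-check flaw quoted above concrete, here is an added example (not code from the article, from TheFloW's report, or from the real sppp driver) that models the pattern in a few lines of C and places a bounds-checked parser next to it. It assumes the PAP Authenticate-Request layout from RFC 1334 (code, id, 2-byte length, peer-id-length, peer-id, passwd-length, password); the function names, the sample packets and the 256-byte stand-in buffer are all constructed for illustration.

```c
/* Added example, not from the article or from sppp's real code: a simplified
 * model of the length check described in the report, beside a bounds-checked
 * version. PAP Authenticate-Request layout (RFC 1334): code, id, length(2),
 * peer-id-length, peer-id, passwd-length, password. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>

/* Vulnerable pattern: the declared 'len' may be 0..5, so the unsigned 'len - 6'
 * wraps and no name_len/passwd_len is ever rejected; a later memcmp() over the
 * name and password then reads past the packet. Returns 0 = accepted, -1 = rejected. */
static int pap_parse_vulnerable(const uint8_t *pkt, size_t pktlen,
                                unsigned *name_len, unsigned *pw_len)
{
    if (pktlen < 5) return -1;
    unsigned len = ((unsigned)pkt[2] << 8) | pkt[3];   /* attacker-declared */
    if (len > pktlen) len = (unsigned)pktlen;
    *name_len = pkt[4];
    *pw_len = pkt[5 + *name_len];                      /* may already be OOB */
    if (*name_len > len - 6 || *pw_len > len - 6 - *name_len)
        return -1;                                     /* never taken if len < 6 */
    return 0;
}

/* Hardened: validate the declared length first, then walk an offset so every
 * subtraction is on values already known to be <= len (no wrap possible). */
static int pap_parse_checked(const uint8_t *pkt, size_t pktlen,
                             unsigned *name_len, unsigned *pw_len)
{
    if (pktlen < 6) return -1;
    size_t len = ((size_t)pkt[2] << 8) | pkt[3];
    if (len < 6 || len > pktlen)            /* must cover both length bytes */
        return -1;
    size_t off = 4, n = pkt[off++];
    if (n > len - off)                      /* off == 5 <= len: safe subtraction */
        return -1;
    off += n;
    if (off >= len)                         /* room for the passwd-length byte? */
        return -1;
    size_t p = pkt[off++];
    if (p > len - off)
        return -1;
    *name_len = (unsigned)n; *pw_len = (unsigned)p;
    return 0;
}

/* Constructed samples. 'malformed' declares length 5 but claims a 200-byte
 * peer-id; the 256-byte array stands in for memory after the real 5-byte packet,
 * with byte 205 (where passwd-length is read) set to 50. 'valid' is well-formed. */
static const uint8_t malformed[256] = { 1, 7, 0, 5, 200, [205] = 50 };
static const uint8_t valid[12] = { 1, 7, 0, 12, 3, 'a', 'b', 'c', 3, 'x', 'y', 'z' };
```

The vulnerable parser accepts the malformed packet with name_len 200 and passwd_len 50, far beyond its declared 5 bytes, while the checked parser rejects it on the declared length alone; both accept the valid packet.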
PS4 11.00 and PS5 8.20 Jailbreak – ETA WEN?
Long story short, we generally do get the exploits eventually, but not before PlayStation has had some time to look into them and patch them on their consoles. Hence, we already know the exploits have been patched in PS4 11.02 and PS5 8.40.
The fact that we're getting this disclosure doesn't mean a Jailbreak is right around the corner. In recent history, the hacker has not done a full release himself for his exploits, but instead has given the scene enough details to create a working Jailbreak, which can sometimes take months. I would expect things to be similar this time. In this case, the details on the HackerOne report seem to be enough to trigger a denial-of-service (aka a crash or kernel panic), but do not give the specifics on how to craft the attack in a way that actually does more than a crash. With that being said, there are lots of details in there already (and explicit "this part could leak data" sections), so I would expect other hackers to be actively looking into TheFloW's report already.
Since the scene has basically known about this exploit collectively for a few months now, some Proof of Concept code has been circulating already (example here from D-Link turtle). How easily those examples can be adapted based on new information from the report is something we still have to see.
TheFloW has stated he will demonstrate successful exploitation during his presentation at TyphoonCon in May, but not whether he will give more technical details on the actual exploitation.
In other words, if you’re on PS4 11.00 (or below) and/or on PS5 8.20 (or below), stay put. Now we play the waiting game, and hope that either TheFloW discloses more information, or that other hackers figure it out based on what he’s revealed already.
Source: TheFloW
Note: as always with this type of article, I’ve done my best to be as accurate as possible, but information on the topic is complex and evolves very rapidly. If you spot a mistake or inaccuracy, let me know in the comments below. Thanks!
I hope dad ps5 will never be broken
but it's already been broken for years
I doubt they will break your Dad’s PS5.
Do we have a WebKit exploit for those firmwares that reach 11 and 8.2? I presume yes, but some confirmation would be nice. And great news!
The kernel exploit, if what I am reading is correct, doesn't need a WebKit or Userland exploit at all; after the exploit is run, it instantly reaches RCE status and you can reach the Kernel directly
This is user + kernel. You initiate it by trying to connect to a malicious server using the PPPoE protocol.
I think the exploit just needs an Ethernet port and system settings set to PPPoE. So we don't need WebKit??
Won’t need one for this exploit..
Recommended FW: 4.03
Highest kernel exploit: 4.51
KEX offsets found: 3.00-4.51
Highest webkit entrypoint: 5.50
Mast1C0re entrypoint: 6.50 (PS2 brew)
BD-JB entrypoint: 7.61
HEN: etaHEN latest HERE
PS5 backup loading: Itemzflow for 3.XX-4.5X HERE
PS4 backup loading: FPKG Enabler 3.XX-4.5X (rest mode & backports work, can crash).
Spoofing: 9.99
(Higher FW games won’t run without backport patch. Also breaks FW detection)
PS5debug released: HERE
PS5 trainers/cheats: Work
PS5 dumper: 3.XX-4.5X works with most games, use Itemzflow
(Dumps need rebuilding/cracking to avoid crashing)
Full chain exploit: Not public (2.XX by FlatZ)
PSN access: NEVER
This shouldn’t need one
Afaik we don’t need a webkit exploit for the kernel exploit to function as we exploit the kernel via Ethernet
This bug doesn’t require Webkit exploit
TheFlow is great, can't wait for PS4 release. Hope it happens. You're MY Saviour
This man is unbelievable. I’m using PS5 Digital on FW 4.05 with his previous kexploit.
My other PS5 Disc Version has been patiently waiting on FW 6.50.
Some time ago I bought a Blu-Ray Disc Recorder especially for this event. I feel FW 7.61 is approaching my Disc PS5 within the next months.
Long live TheFlow!
Finally, staying on 8 is paying off
At 8.0 at the moment 🙂
I bought a ps5 for this exact exploit.
Let’s go!!!!
Time to rise and shine for my ps5 7.40 sitting almost 2 years lol and got a bunch of ps4 10.50
Sadly, by the time they release something meaningful everybody can use, the time of the PS5 will be over…
I hope 11.02 is a part of this exploit, but I think it's not going to be a hackable version of the system
What PS5 models or bundles come with the 8.2 or lower firmware?
Finally not turning on my PS5 from 6.71 fw ver will be rewarded.
Does this vulnerability affect the ps3 and ps vita as well?
Wololo, is it possible to bring back the jailbreak method for 5.05 on 9.00 using this new RCE ???
gta netflix, app iphone 8 plus ports
Thanks for your enlightening contribution to the internet’s vast sea of wisdom. Your insightful commentary truly adds depth to the ongoing discourse on PS5 jailbreaks, sparking joy in all who encounter it.
Genshin Impact… 😀
things are getting better all the time!
I have a 3.0 PS5 still laying in wait for a reason to bring it out, and I always wanted a new white PRO PS4 but wasn't sure if it was hackable