Microsoft’s PlayStation has 5 vulnerabilities that can be exploited by hackers or techies that love to hack.
The following vulnerabilities are exposed for educational purposes only. Any offense should be credited in case of any misconduct.
Below are 5 vulnerabilities chained together that allow an attacker to gain JIT capabilities and execute arbitrary payloads. The provided payload triggers a buffer overflow that causes a kernel panic. Please consider each of the vulnerabilities individually. AFAIK, this is the first exploit chain that is being submitted to you 🙂
1. unsecured Userprefs – [MEDIUM][PS4] [PS5] Vulnerability 1
The class com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl deserializes the userprefs file under privileged context using readObject() which is insecure:
private void initPreferences() {
try {
UserPreferenceManagerImpl.preferences = AccessController.doPrivileged((PrivilegedExceptionAction)new ReadPreferenceAction());
}
catch (PrivilegedActionException ex) {}
if (UserPreferenceManagerImpl.preferences == null) {
UserPreferenceManagerImpl.preferences = new String[UserPreferenceManagerImpl.PREFERENCES.length][];
}
if (UserPreferenceManagerImpl.preferences[3] == null) {
UserPreferenceManagerImpl.preferences[3] = new String[] { "26" };
this.savePreferences();
}
}
private static class ReadPreferenceAction implements PrivilegedExceptionAction
{
public Object run() throws Exception {
String[][] array = null;
ObjectInputStream objectInputStream = null;
try {
objectInputStream = new ObjectInputStream(new BufferedInputStream(new FileInputStream(RootCertManager.getOriginalPersistentRoot() + "/userprefs")));
array = (String[][])objectInputStream.readObject();
}
finally {
if (objectInputStream != null) {
objectInputStream.close();
}
}
return array;
}
}
An attacker can replace the userprefs file with a malicious serialized object to instantiate classes under privileged context. On older firmwares such as 5.05, where the commit https://github.com/openjdk/jdk/commit/020204a972d9be8a3b2b9e75c2e8abea36d787e9#diff-2c19943dd71743c3de69aa065025e753ca2e1f3b7ebc798e0d954de75d995de5 is not present, exploitation of this vulnerability is easy: An attacker can instantiate a ClassLoader subclass to call defineClass with all permissions and finally bypass the security manager.
2. Vulnerability 2 (Medium, PS4 Only)
The class com.oracle.security.Service contains a method newInstance which calls Class.forName on an arbitrary class name. This allows arbitrary classes, even restricted ones (for example in sun.), to be instantiated. This works for all classes with public constructors that have single arguments. The check-in newInstance can be bypassed by calling com.oracle.ProviderAdapter.setProviderAccessor on a custom ProviderAccessor implementation.
if (!this.registered) {
if (ProviderAdapter.getService(this.provider, this.type, this.algorithm) != this) {
throw new NoSuchAlgorithmException("Service not registered with Provider " + this.provider.getName() + ": " + this);
}
this.registered = true;
}
3. Vulnerability 3 (PS4, PS5, Medium)
The class com.sony.gemstack.org.dvb.io.ixc.IxcProxy contains the protected method invokeMethod which can call methods under privileged context. Permission checks in methods can be bypassed if the following conditions are met:
- The method is public and non-static.
- The method's class is public, non-final and can be instantiated.
In such a scenario, an attacker can write a subclass of the target class which implements an interface where the desired method throws RemoteException.
For example, there are permission checks in File.list(). An attacker can bypass them with the following classes:
class FileImpl extends File implements FileInterface {
FileImpl(String pathname) {
super(pathname);
}
}
interface FileInterface extends Remote {
public String[] list() throws RemoteException;
}
This vulnerability can be used to leak the file system structure as well as dumping files (for example from /app0/).
4. Vulnerability 4 (PS4, HIGH)
The "compiler receiver thread" receives a structure of size 0x58 bytes from the runtime process:
typedef struct {
uint8_t cmd; // 0x00
uint64_t arg0; // 0x08
uint64_t arg1; // 0x10
uint64_t arg2; // 0x18
uint64_t arg3; // 0x20
uint64_t arg4; // 0x28
uintptr_t runtime_data; // 0x30
uintptr_t compiler_data; // 0x38
uint64_t data1; // 0x40
uint64_t data2; // 0x48
uint64_t unk; // 0x50
} CompilerAgentRequest; // 0x58
CompilerAgentRequest req;
while (CompilerAgent::readn(s, &req, sizeof(req)) > 0) {
uint8_t ack = 0xAA;
CompilerAgent::writen(s, &ack, sizeof(ack));
if (req.compiler_data != 0) {
memcpy(req.compiler_data + 0x28, &req, sizeof(req));
...
}
...
}
This struct contains a pointer at offset 0x38 (we call it compiler_data) from the compiler process which is used to make a backup of the request structure. An attacker can simply send an untrusted pointer and the compiler receiver thread will copy data from the request into its memory. In other words, we have a write-what-where primitive. An attacker can exploit this vulnerability by supplying a pointer to JIT memory and store the content to be written in the request. The compiler will write this data into JIT memory and therefore give us the opportunity to execute arbitrary payloads. This has severe implications:
- An ELF loader can be written to load and execute pirated games.
- Kernel exploitation becomes trivial as there is no SMEP and one can simply jump to user with a corrupted function pointer.
5. [HIGH][PS4] [PS5] Vulnerability 5
The UDF driver https://github.com/williamdevries/UDF is used on the PS4 and PS5 which contains a buffer overflow. An attacker can make the size inf_len larger than sector_size (the assumption of internal allocation is that the data is smaller than the sector size) and cause an overflow with memcpy().
int
udf_read_internal(struct udf_node *node, uint8_t *blob)
{
struct file_entry *fe = node->fe;
struct extfile_entry *efe = node->efe;
struct udf_mount *ump;
uint64_t inflen;
int addr_type, icbflags;
uint32_t sector_size;
uint8_t *pos;
/* get extent and do some paranoia checks */
ump = node->ump;
sector_size = ump->sector_size;
if (fe != NULL) {
inflen = le64toh(fe->inf_len);
pos = &fe->data[0] + le32toh(fe->l_ea);
icbflags = le16toh(fe->icbtag.flags);
} else {
inflen = le64toh(efe->inf_len);
pos = &efe->data[0] + le32toh(efe->l_ea);
icbflags = le16toh(efe->icbtag.flags);
}
addr_type = icbflags & UDF_ICB_TAG_FLAGS_ALLOC_MASK;
/* copy out info */
memset(blob, 0, sector_size);
memcpy(blob, pos, inflen);
return (0);
}
Proof-of-concept
Attached is the exploit chain bd-jb as a .iso file which demonstrates the exploitation of vulnerabilities 1-4 that demonstrates the ability to run arbitrary payloads. Burn the iso image with UDF 2.5 file system. You can send the payload using nc $PS4IP 1337 < payload.bin. The provided payload causes a kernel panic by triggering vulnerability 5 (the file /PWN/0 has been modified to use internal allocation and has a size of 4MB filled with A). Tested on latest firmware 9.00.
- With these vulnerabilities, it is possible to ship pirated games on bluray discs. That is possible even without a kernel exploit as we have JIT capabilities.
The vulnerability disclosed was awarded $20,000 and was in review since October 2021. The time zone of suggests that the disclosed was probably from India.
