Hacker TheFloW has disclosed a series of Blu-ray exploits that impact the PS4 and PS5 (and likely the PS3 too). When chained together, the exploits can lead to loading pirated discs on PS5, and a full Jailbreak on PS4, the disclosure says. What’s more, the exploit is “100% reliable”, which could be a huge difference from recent WebKit-based exploit chains on PS4, which require a lot of retries.
Important update: The hacker has taken to Twitter to clarify that PS5 pirated discs are not what was meant. We try to shed some light on the latest info here.
Sony have patched the issues in PS4 9.50 and PS5 5.00, following disclosure by the hacker through their HackerOne bounty program. In other words, PS4 is impacted up to and including firmware 9.03, and PS5 up to and including 4.51. The PS5 Digital Edition is, of course, not impacted by the issue, since the exploit requires inserting a malicious disc in the console.
PS5 and PS4 Blu-Ray exploits
The security researcher has disclosed a series of 5 exploits which impact both PS4 and PS5 (except for one that is PS4 specific and could lead to a Jailbreak), at the security conference hardwear.io. Although his slides and the video of his presentation are not up at the time of this writing, we are being told these will make it online eventually.
PlayStation have accepted the request for disclosure by TheFloW, and as such the details of the exploits can be found on HackerOne (no proof-of-concept file).
The 5 exploits are described as follows:
- The class `com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl` deserializes the `userprefs` file under privileged context using `readObject()`, which is insecure.
- The class `com.oracle.security.Service` contains a method `newInstance` which calls `Class.forName` on an arbitrary class name. This allows arbitrary classes, even restricted ones (for example in `sun.`), to be instantiated.
- The class `com.sony.gemstack.org.dvb.io.ixc.IxcProxy` contains the protected method `invokeMethod` which can call methods under privileged context. Permission checks in methods can be bypassed.
- (PS4 only) The “compiler receiver thread” receives a structure of size 0x58 bytes from the runtime process. An attacker can simply send an untrusted pointer and the compiler receiver thread will copy data from the request into its memory. In other words, we have a write-what-where primitive.
- The UDF driver https://github.com/williamdevries/UDF is used on the PS4 and PS5 which contains a buffer overflow.
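To make the first two bug classes concrete, here is a constructed Java model of them next to the usual fixes. This is example code added for this article; it is not Sony's BD-J runtime, not TheFloW's proof of concept, and the class, method and field names (`UserPrefsDemo`, `HostilePrefs`, `loadPrefsInsecure`, `loadServiceClassChecked`, and so on) are invented. The "userprefs" files it reads are built in memory by the program itself.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Constructed model of two of the reported bug classes and their usual fixes.
// Example code written for this article; not Sony's BD-J code and not the
// reporter's proof of concept. All names below are invented.
public class UserPrefsDemo {

    // A "gadget": a Serializable type whose readObject hook does work the
    // moment it is deserialized. Anything a privileged caller deserializes
    // from an attacker-writable file can trigger such a hook.
    static final class HostilePrefs implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean hookRan = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            hookRan = true; // stands in for "attacker-chosen code runs with the loader's privileges"
        }
    }

    // Model of the insecure pattern: the whole userprefs file is handed to
    // readObject(), so any class on the classpath may be instantiated and
    // its readObject hook executed before the caller sees the result.
    static Object loadPrefsInsecure(byte[] fileBytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(fileBytes))) {
            return in.readObject();
        }
    }

    // Hardened loader: resolveClass() runs before any instance is built, so a
    // class that is not on the allow-list is rejected before its hook can run.
    static final class AllowListInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Set.of(HashMap.class.getName(), String.class.getName());

        AllowListInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not a permitted userprefs type");
            }
            return super.resolveClass(desc);
        }
    }

    static Object loadPrefsChecked(byte[] fileBytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListInputStream(new ByteArrayInputStream(fileBytes))) {
            return in.readObject();
        }
    }

    // Model of the Service.newInstance() issue: Class.forName on a name the
    // caller chooses reaches restricted packages such as sun.* by name.
    static Class<?> loadServiceClassInsecure(String name) throws ClassNotFoundException {
        return Class.forName(name);
    }

    // Hardened: restricted package prefixes are refused before forName runs
    // (the same idea as the JDK's package.access list, applied explicitly).
    private static final String[] RESTRICTED = {"sun.", "com.sun.", "java.", "javax.", "jdk."};

    static Class<?> loadServiceClassChecked(String name) throws ClassNotFoundException {
        for (String prefix : RESTRICTED) {
            if (name.startsWith(prefix)) {
                throw new SecurityException("restricted package: " + name);
            }
        }
        return Class.forName(name);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "userprefs" files: one benign, one carrying the gadget.
        Map<String, String> benign = new HashMap<>();
        benign.put("lang", "en");
        byte[] benignFile = serialize(benign);
        byte[] hostileFile = serialize(new HostilePrefs());

        loadPrefsInsecure(hostileFile);
        System.out.println("insecure loader ran the gadget hook: " + HostilePrefs.hookRan);

        HostilePrefs.hookRan = false;
        try {
            loadPrefsChecked(hostileFile);
        } catch (InvalidClassException e) {
            System.out.println("checked loader rejected: " + e.getMessage());
        }
        System.out.println("checked loader ran the gadget hook: " + HostilePrefs.hookRan);
        System.out.println("checked loader accepts benign prefs: " + loadPrefsChecked(benignFile));

        System.out.println("insecure forName: " + loadServiceClassInsecure("sun.misc.Unsafe"));
        try {
            loadServiceClassChecked("sun.misc.Unsafe");
        } catch (SecurityException e) {
            System.out.println("checked forName refused: " + e.getMessage());
        }
    }
}
```

Run it with `java UserPrefsDemo.java` on JDK 11 or newer. The `resolveClass` override is chosen over the newer `ObjectInputFilter` API because it exists on the old Java profiles that BD-J runtimes are built on; on a current JDK, `ObjectInputFilter` does the same job with less code. The point in both halves is the same: the check has to happen before the privileged side instantiates anything it did not choose itself.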
PS5 Piracy incoming?
Although this is technically not a kernel exploit, this series of exploits is enough to do significant damage: TheFloW concludes his report by stating that shipping pirated discs on the PS5 becomes a possibility. The discs would carry the exploit and load a pirated copy of the game. On PS4, he states that kernel exploitation (and therefore a jailbreak) becomes trivial with this series of exploits.
PS4:
- An ELF loader can be written to load and execute pirated games.
- Kernel exploitation becomes trivial as there is no SMEP and one can simply jump to user with a corrupted function pointer.
PS5/PS4:
- With these vulnerabilities, it is possible to ship pirated games on bluray discs. That is possible even without a kernel exploit as we have JIT capabilities.
The report itself does not include proof-of-concept code, but probably gives enough detail for other hackers to look into the issue and reproduce the exploit chain. From there, I’m guessing creating ELF loaders to load pirated games becomes a possibility, although possibly not as “trivial” for everyone as for someone with the mileage of TheFloW.
You can find Blu-ray burners for reasonably cheap on Amazon and other retailers (affiliate links; make sure they support BD-RE and dual layer, DL). TheFloW has specified he used rewritable Verbatim discs (BD-RE) in his experiments. As far as I’m concerned, I’ll go cry in a corner with my PS5 Digital Edition.
Source: TheFloW
Pictures from the hardwear.io conference organizers and/or attendants: @ministraitor, @hardwear_io