PS5/PS4: Hacker TheFloW discloses Blu-ray Disc exploit toolchain. PS5 piracy not a matter of "if", but "when" - Wololo.net

PS5/PS4: Hacker TheFloW discloses Blu-ray Disc exploit toolchain. PS5 piracy not a matter of “if”, but “when” – Wololo.net

Hacker TheFloW has disclosed a series of Blu-ray exploits that impact PS4 and PS5. (PS3 likely too). When chained together, the exploits can lead to loading pirated discs on PS5, and a full Jailbreak on PS4, the disclosure says. What’s more, the exploit is “100% reliable”, which could be a huge difference from recent Webkit-based exploit chains on PS4 which require a lot of retries.

Sony have patched the issues in PS4 9.50 and PS5 5.00, following disclosure by the hacker through their HackerOne bounty program. In other words, PS4 is impacted up to Firmware 9.03 included, and PS5 up to 4.51 included. The PS5 Digital edition is, of course, not impacted by the issue, since the exploit requires inserting a malicious disc in the console.

PS5 and PS4 Blu-Ray exploits

The security researcher has disclosed a series of 5 exploits which impact both PS4 and PS5 (except for one that is PS4 specific and could lead to a Jailbreak), at security conference hardwear.io. Although his slides and the video of his presentation are not up at the time of this writing, we are being told these will make it online eventually.

PlayStation have accepted the request for disclosure by TheFlow, and as such the details of the exploits can be found on HackerOne (no proof of concept file).

The 5 exploits are described as follows:

  1. The class com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl deserializes the userprefs file under privileged context using readObject() which is insecure
  2. The class com.oracle.security.Service contains a method newInstance which calls Class.forName on an arbitrary class name. This allows arbitrary classes, even restricted ones (for example in sun.), to be instantiated.
  3. The class com.sony.gemstack.org.dvb.io.ixc.IxcProxy contains the protected method invokeMethod which can call methods under privileged context. Permission checks in methods can be bypassed
  4. (PS4 only) The “compiler receiver thread” receives a structure of size 0x58 bytes from the runtime process. An attacker can simply send an untrusted pointer and the compiler receiver thread will copy data from the request into its memory. In other words, we have a write-what-where primitive
  5. The UDF driver https://github.com/williamdevries/UDF is used on the PS4 and PS5 which contains a buffer overflow.

PS5 Piracy incoming?

Although this is technically not a kernel exploit, this series of exploits is enough to do significant damage: TheFloW concludes his report stating that shipping pirated discs on the PS5 becomes a possibility. The discs would include the vulnerability and load a pirated copy of the game. On PS4, he states that kernel exploitation (therefore a jailbreak) becomes trivial with this series of exploit.

PS4:

  • An ELF loader can be written to load and execute pirated games.
  • Kernel exploitation becomes trivial as there is no SMEP and one can simply jump to user with a corrupted function pointer.

PS5/PS4:

  • With these vulnerabilities, it is possible to ship pirated games on bluray discs. That is possible even without a kernel exploit as we have JIT capabilities.

The report in itself does not include proof-of-concept code, but probably enough details for other hackers to look into the issue and reproduce the exploit chain. From there, I’m guessing creating elf loaders to load pirated games becomes a possibility, although possibly not as “trivial” for everyone as someone with the mileage of TheFloW.

You can find Blu Ray burners for reasonably cheap on Amazon and other retailers (make sure they support BD-RE and Dual Layer DL). TheFloW has specified he used Rewritable Verbatim discs (BD-RE) in his experiments. (affiliate links). As far as I’m concerned, I’ll go cry in a corner with my PS5 Digital Edition.

Source: TheFloW

Pictures from the hardwear.io conference organizers and/or attendants: @ministraitor, @hardwear_io


#PS5PS4 #Hacker #TheFloW #discloses #Bluray #Disc #exploit #toolchain #PS5 #piracy #matter #Wololonet

Leave a Comment

Your email address will not be published.