You can’t escape TheFloW in scene news this week. After a PS5 Kernel exploit disclosure, the hacker confirmed what we already knew, that he was originally behind the USB/exFAT PS4 vulnerability which led to the PS4 9.00 Jailbreak late last year.
At the time, hackers had worked on a diff between firmware 9.03 and 9.00 to figure out what had been patched, and reverse engineer the bug from its fix.
The fix, it turns out, had been implemented by Sony engineers on 9.03 after a vulnerability report by TheFloW. It was pretty clear he was originally behind this discovery, and this is probably why he is being credited in the 9.00 Jailbreak, even though he did not directly participate in its release.
This vulnerability was reported in September last year to Sony, and they have agreed to disclose it now. Although the Jailbreak was technically released a while ago, it’s always interesting to see more technical details on how it works.
The vulnerability is in Sony's exFAT implementation, where there is an integer truncation from 64-bit to 32-bit on a size variable that is used to allocate the up-case table.

Namely, dataLength and size are both 64-bit wide; however, the size argument of sceFatfsCreateHeapVl() is 32-bit wide. When using a big size for dataLength, this function will therefore only allocate a small buffer, and as a result overflow and corrupt subsequent objects on the heap when calling UVFAT_ReadDevice().

Exploitation

This vulnerability allows us to allocate any buffer on the heap with size >= 512 and a multiple of 512, and allows us to overflow by a multiple of 512. There are interesting objects that one could spray on the heap, such as struct usb_endpoint, which contain interesting pointers that one could corrupt.

Impact

Jailbreak the PS4/PS5 by plugging in the USB and directly getting kernel code execution.
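The following is an added toy model of the truncation described above, not Sony's code and not TheFloW's exploit. The names model_create_heap() and model_read_device() are stand-ins for sceFatfsCreateHeapVl() and UVFAT_ReadDevice(); the 256 KiB arena, the victim struct and the sample dataLength values are constructed for the demonstration. The cap of 131072 bytes in the hardened path is the exFAT specification's maximum up-case table size (2^16 entries of 2 bytes), which the page does not mention and is assumed here as a sane upper bound.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE       (256u * 1024u)
#define UPCASE_MAX_BYTES 131072u   /* 2^16 entries * 2 bytes: exFAT spec limit (assumed cap) */
#define VICTIM_SENTINEL  0x1122334455667788ull

/* Stand-in for a neighbouring heap object such as struct usb_endpoint:
 * a pointer the attacker would like to corrupt, plus a tag we can check. */
struct victim {
    void    *callback;
    uint64_t tag;
};

static _Alignas(16) uint8_t g_arena[ARENA_SIZE];   /* models the kernel heap */
static struct victim *g_victim;                    /* object right after the buffer */

/* Stand-in for sceFatfsCreateHeapVl(): note the 32-bit size parameter.
 * The buffer is placed at the start of the arena and the victim object
 * immediately after it (8-byte aligned), as adjacent heap allocations would be. */
static uint8_t *model_create_heap(uint32_t size)
{
    size_t off = ((size_t)size + 7) & ~(size_t)7;
    if (off + sizeof(struct victim) > ARENA_SIZE)
        return NULL;
    memset(g_arena, 0, ARENA_SIZE);
    g_victim = (struct victim *)(g_arena + off);
    g_victim->callback = NULL;
    g_victim->tag = VICTIM_SENTINEL;
    return g_arena;
}

/* Stand-in for UVFAT_ReadDevice(): copies data_length attacker-controlled
 * bytes (0x41 here) into dst. The real read would not stop at the end of the
 * heap; the model clamps to the arena so the demonstration stays memory-safe. */
static void model_read_device(uint8_t *dst, uint64_t data_length)
{
    uint64_t room = (uint64_t)((g_arena + ARENA_SIZE) - dst);
    size_t n = (size_t)(data_length < room ? data_length : room);
    memset(dst, 0x41, n);
}

/* The narrowing at the call boundary: only the low 32 bits survive. */
uint32_t truncated_size(uint64_t data_length)
{
    return (uint32_t)data_length;
}

/* Vulnerable path: the 64-bit dataLength from the on-disk up-case table entry
 * goes straight into the 32-bit allocator. Returns true if the neighbouring
 * object was corrupted by the read. */
bool demo_vuln(uint64_t data_length)
{
    uint8_t *buf = model_create_heap((uint32_t)data_length);  /* silent truncation */
    if (!buf)
        return false;
    model_read_device(buf, data_length);
    return g_victim->tag != VICTIM_SENTINEL;
}

/* Hardened path: reject anything the 32-bit parameter cannot represent and
 * anything larger than the format allows, before allocating.
 * Returns 0 on success, -1 if rejected, -2 if corruption still happened. */
int demo_fixed(uint64_t data_length)
{
    if (data_length == 0 || data_length > UPCASE_MAX_BYTES)
        return -1;                                 /* also covers > UINT32_MAX */
    uint8_t *buf = model_create_heap((uint32_t)data_length);  /* lossless now */
    if (!buf)
        return -1;
    model_read_device(buf, data_length);
    return g_victim->tag != VICTIM_SENTINEL ? -2 : 0;
}

int main(void)
{
    /* Constructed dataLength: 0x100000200 truncates to 0x200 = 512 bytes. */
    uint64_t evil = 0x100000200ull;
    printf("allocated %u bytes for dataLength 0x%llx\n",
           truncated_size(evil), (unsigned long long)evil);
    printf("vulnerable path corrupted neighbour: %s\n",
           demo_vuln(evil) ? "yes" : "no");
    printf("hardened path result for the same input: %d\n", demo_fixed(evil));
    printf("hardened path result for a 1024-byte table: %d\n", demo_fixed(1024));
    return 0;
}
```

The point of the check in demo_fixed() is that it is made on the 64-bit value before the cast, so the allocator never sees a size that differs from the number of bytes the subsequent read will write; a bounds check against the format's own maximum does the job and makes the cast provably lossless.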
You can head over to the HackerOne report to read TheFloW's full writeup on the vulnerability.
Source: TheFloW