Update (See Tabs Below PS3 / PS4): Since the disclosure several developer's have went on the hunt and we have seen PoC releases and TEST payload pushed, We have confirmation the PoC is working on 9.00, other have been testing impact on 9.03/.04. See all the details from developer's like sleirsgoevy / @zecoxao / psxdev (aka bigboss) in the PS4 Tab. Some preliminary discussions about the PS3 impact have been discussed in this thread from various developer's like @bguerville and @zecoxao
.Original Article: Developer TheFl0w who is well known in the Homebrew and Hacking in the PlayStation Community, via the hackerone program the hacker has yet again disclosed details on vulnerabilities (5) "bd-jb Blu-ray Disc Java Sandbox Escape" is affecting PS3, PS4, PS5. Sony has patched these vulnerabilities in recent firmware updates for the PS5 / PS4 with firmware update's of 5.00 FW for the PS5 and 9.50 FW for the PS4. These methods are also likely to work on the PS3 according to thefl0w (likely on the latest firmware).
thefl0w has detailed some advantages this concept provides over a webkit exploit, you can see that information and various details in the "additional info" tab below, along with some clarification due to over hyping some aspects of this exploit..:
.Original Article: Developer TheFl0w who is well known in the Homebrew and Hacking in the PlayStation Community, via the hackerone program the hacker has yet again disclosed details on vulnerabilities (5) "bd-jb Blu-ray Disc Java Sandbox Escape" is affecting PS3, PS4, PS5. Sony has patched these vulnerabilities in recent firmware updates for the PS5 / PS4 with firmware update's of 5.00 FW for the PS5 and 9.50 FW for the PS4. These methods are also likely to work on the PS3 according to thefl0w (likely on the latest firmware).
thefl0w has detailed some advantages this concept provides over a webkit exploit, you can see that information and various details in the "additional info" tab below, along with some clarification due to over hyping some aspects of this exploit..:
-STLcardsWS
-
Hey PlayStation!
Below are 5 vulnerabilities chained together that allows an attacker to gain JIT capabilities and execute arbitrary payloads. The provided payload triggers a buffer overflow that causes a kernel panic. Please consider each of the vulnerabilities individually. AFAIK, this is the first exploit chain that is being submitted to you
Proof-of-concept
Attached is the exploit chain bd-jb as a .iso file which demonstrates the exploitation of vulnerabilities 1-4 that demonstrates the ability to run arbitrary payloads. Burn the iso image with UDF 2.5 file system. You can send the payload using nc $PS4IP 1337 < payload.bin. The provided payload causes a kernel panic by triggering vulnerability 5 (the file /PWN/0 has been modified to use internal allocation and has a size of 4MB filled with A). Tested on latest firmware 9.00.
Impact
- With these vulnerabilities, it is possible to ship games on bluray discs. That is possible even without a kernel exploit as we have JIT capabilities.
Update (Slides from presentation):
Hardwear.io USA 2022 - bd-jb: Blu-ray Disc Java Sandbox Escape:Update June 22, 2022: Video Presentation posted online
https://github.com/TheOfficialFloW/Presentations/blob/master/2022-hardwear-io-bd-jb.pdf
(Thanks to @Roxanne for the tip)
-
Vulnerabilities
d[MEDIUM][PS4] [PS5] Vulnerability 1
The class com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl deserializes the userprefs file under privileged context using readObject() which is insecure:
An attacker can replace the userprefs file with a malicious serialized object to instantiate classes under privileged context. On older firmwares such as 5.05, where the commit https://github.com/openjdk/jdk/comm...9aa065025e753ca2e1f3b7ebc798e0d954de75d995de5 is not present, exploitation of this vulnerability is easy: An attacker can instantiate a ClassLoader subclass to call defineClass with all permissions and finally bypass the security manager.
[MEDIUM][PS4] Vulnerability 2
The class com.oracle.security.Service contains a method newInstance which calls Class.forName on an arbitrary class name. This allows arbitrary classes, even restricted ones (for example in sun.), to be instantiated. This works for all classes with public constructors that have single arguments. The check in newInstance can be bypassed by calling com.oracle.ProviderAdapter.setProviderAccessor on a custom ProviderAccessor implementation.
[MEDIUM][PS4] [PS5] Vulnerability 3
The class com.sony.gemstack.org.dvb.io.ixc.IxcProxy contains the protected method invokeMethod which can call methods under privileged context. Permission checks in methods can be bypassed if the following conditions are met:
- The method is public and non-static.
- The method's class is public, non-final and can be instantiated.
For example, there are permission checks in File.list(). An attacker can bypass them with the following classes:
[HIGH][PS4] Vulnerability 4
The "compiler receiver thread" receives a structure of size 0x58 bytes from the runtime process:
This struct contains a pointer at offset 0x38 (we call it compiler_data) from the compiler process which is used to make a backup of the request structure. An attacker can simply send an untrusted pointer and the compiler receiver thread will copy data from the request into its memory. In other words, we have a write-what-where primitive. An attacker can exploit this vulnerability by supplying a pointer to JIT memory and store the content to be written in the request. The compiler will write this data into JIT memory and therefore give us the opportunity to execute arbitrary payloads. This has severe implications:
- An ELF loader can be written to load and execute games.
- Kernel exploitation becomes trivial as there is no SMEP and one can simply jump to user with a corrupted function pointer.
[HIGH][PS4] [PS5] Vulnerability 5
The UDF driver https://github.com/williamdevries/UDF is used on the PS4 and PS5 which contains a buffer overflow. An attacker can make the size inf_len larger than sector_size (the assumption of internal allocation is that the data is smaller than the sector size) and cause an overflow with memcpy().
-
via TheFlow's Official Twitter:
- bd-jb: Blu-ray Disc Java Sandbox Escape affecting PS3, PS4, PS5. My talk at
@hardwear_io will be uploaded in a few weeks. #hardwear_io via
- Fixed on PS4 FW 9.50 and PS5 FW 5.00 via
- I wanted to clarify: Without a kernel exploit, you won't be able to run any games (which would have worked on the PS4 only anyways), because we don't have enough RAM in the bd-j process and there are some other constraints. It was only a theoretical impact via .
-
Advantages of bd-jb compared to WebKit exploit:
- Works on both PS4/PS5
- 100% reliable -
- Firmware-agnostic (ROP-less code execution)
- Bigger kernel attack surface
- JIT for executing payloads, so you can write a kernel exploit in C (on PS4 only) via.
- bd-jb: Blu-ray Disc Java Sandbox Escape affecting PS3, PS4, PS5. My talk at
-
Since there has not been as much details about the PS3 Impact other then we know it could affect the PS3, There has been some discussion about the PS3 impact and these findings here in the psx-place forum's as PS3 Hacker / Developer @bguerville shares some of his opinion and thoughts throughout several post with fellow developer @zecoxao. That discussion starts at this post and goes throughout the thread:
.Update June 20
via Roxanne : "It's an very early POC so far tho thanks to psxdev (bigboss)"
-
For Advanced User's Only A Proof of Concept of the TheFlow's discoveries where released to the public via @sleirsgoevy using published vulnerabiltes from TheFlow #2 (privileged constructor call / #3 (privileged method call / #4 (jit hack
via @sleirsgoevy
Partial reimplementation of BD-JB (without kernel part): https://github.com/sleirsgoevy/bd-jb
ISO image: https://mega.nz/file/p99hHaYT#i4XxImp4I_ou-dWO5vk6GMX3xn4EqcoIV41jFWZdXdQ
Built with "PS3 BD-J DevKit": https://mega.nz/folder/A4IFGYg
via ReadME @ github:
BD-JB reimplementation based on TheFlow's report and presentation. Implements loading arbitrary .bin payloads using vulnerabilities #2 (privileged constructor call), #3 (privileged method call), #4 (jit hack) from the report. Listens for payloads on port 9019.
The first (and only) argument to the payload is the address of sceKernelDlsym, which can be used to resolve other symbols. It seems that libkernel_sys.sprx always has id 0x2001, and you can look up other libraries by getting the full list of handles and looking up name of each handle. You can't directly call syscalls due to missing kernel patches.
https://twitter.com/sleirsgoevy/status/1537230108338970624
https://github.com/sleirsgoevy/bd-jb
.UPDATE June - 18
bd-jb (from psxdev aka bigboss)
bd-jb is a BD-JB reimplementation for prospero based on TheFlow's report and sleirsgoevy base code
By now only implemented:
- Vulnerability #2 to list /app0 content
- Added udp logs you can get it in your pc change host variable on MyXlet.java and use something like this on your pc/mac:
See more info @ github: https://github.com/psxdev/bd-jb
https://twitter.com/psxdev/status/1537947200713412609
.UPDATE June - 18
TESTING PURPOSE ONLY (use at your risk)
@zecoxao via twitter:
those of you with already created bd-jb bluray and that are in 9.03 or 9.04, please test this payload
https://www17.zippyshare.com/v/awY1gGiJ/file.html
-
https://www.psx-place.com/threads/u...box-escape-vulnerabilities-ps3-ps4-ps5.37554/
Information above via: https://hackerone.com/reports/1379975
via https://twitter.com/theflow0/status/1535361317535506432
Images via: https://twitter.com/Ministraitor/with_replies
via https://twitter.com/theflow0/status/1535361317535506432
Images via: https://twitter.com/Ministraitor/with_replies
Last edited by a moderator:
