Exploits

Firmware 5.05

/dev/bpf

The Berkeley Packet Filter (BPF) device provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received.

Hacker qwertyoruiopz found a double free vulnerability in this FreeBSD device which allows us to exploit the PlayStation 4 on firmware up to 5.05. Hacker SpecterDev later released a detailed write-up for it. The vulnerability got "patched" (read: blocked off) in later firmware versions for unprivileged processes: WebKit can no longer open the device. The vulnerability in the BPF device itself remains unpatched.

Read Full Writeup

Firmware 4.55

bpf_filter

The Berkeley Packet Filter (BPF) device provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received.

In February 2018, hacker SpecterDev released an implementation of the 4.55 kernel exploit which was originally discovered by hacker qwertyoruiopz. This exploit leverages a race condition in the BPF implementation on FreeBSD.

The bug is not PS4 specific and could be leveraged on other systems running FreeBSD. It seems it was deadlier on the PlayStation 4, however, because of how the permissions of the /dev/bpf device are set up on the PlayStation 4. In this exploit, part of the filter data is replaced with malicious code after it has already been validated, since the validation happens in a different thread (and function) without a mutex lock.
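The check-then-copy window that paragraph describes, as an added example in C that is not taken from the 4.55 exploit or from FreeBSD's bpf code: a toy filter bytecode (constructed here, not the BPF instruction set), an unsafe setter that validates the caller's buffer and only copies it in afterwards, and a hardened setter that copies first, validates the private copy, and installs it under the same lock the interpreter holds. The `racer` callback is a hypothetical stand-in for the second thread that rewrites the buffer mid-call, so the effect is reproducible without real concurrency; all names and the sample program are assumptions made for this example.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy filter bytecode, constructed for this example (not the real BPF instruction set). */
enum { OP_LOAD = 1, OP_ADD = 2, OP_RET = 3 };
struct insn { uint8_t op; uint8_t k; };   /* k: packet offset for LOAD, constant for ADD */
#define MAX_INSNS 32
#define MAX_PKT   64

struct filter {
    pthread_mutex_t lock;   /* taken by the setter's swap and by the interpreter */
    struct insn *prog;      /* private, validated copy; never aliases caller memory */
    size_t len;
};
/* 1 if every opcode is known, LOAD offsets stay inside MAX_PKT, and a single RET ends the program. */
int filter_validate(const struct insn *p, size_t len) {
    if (len == 0 || len > MAX_INSNS) return 0;
    for (size_t i = 0; i < len; i++) {
        switch (p[i].op) {
        case OP_LOAD: if (p[i].k >= MAX_PKT) return 0; break;
        case OP_ADD:  break;
        case OP_RET:  return i == len - 1;
        default:      return 0;
        }
    }
    return 0;   /* no terminating RET */
}

/* Stands in for a second thread rewriting the caller's buffer in the middle of the call. */
typedef void (*racer_fn)(struct insn *user_prog, size_t len);

/* Unsafe pattern: validate the caller's buffer in place, copy it in afterwards, swap without
 * a lock. Whatever the racer writes between check and copy is installed unvalidated. */
int filter_set_unsafe(struct filter *f, struct insn *user_prog, size_t len, racer_fn racer) {
    if (!filter_validate(user_prog, len)) return -1;
    if (racer) racer(user_prog, len);               /* the window the check does not cover */
    struct insn *copy = malloc(len * sizeof *copy); if (!copy) return -1;
    memcpy(copy, user_prog, len * sizeof *copy);    /* copies the modified bytes */
    free(f->prog);                                  /* unlocked: an interpreter may still be using it */
    f->prog = copy; f->len = len;
    return 0;
}

/* Hardened pattern: copy first, validate the private copy, swap it in under the interpreter's
 * lock. Caller memory is never re-read after the check; the old program is freed only once
 * no reader can still hold it. */
int filter_set(struct filter *f, struct insn *user_prog, size_t len, racer_fn racer) {
    if (len == 0 || len > MAX_INSNS) return -1;
    struct insn *copy = malloc(len * sizeof *copy); if (!copy) return -1;
    memcpy(copy, user_prog, len * sizeof *copy);    /* stands in for copyin() */
    if (racer) racer(user_prog, len);               /* too late: we already own our copy */
    if (!filter_validate(copy, len)) { free(copy); return -1; }
    pthread_mutex_lock(&f->lock);
    struct insn *old = f->prog;
    f->prog = copy; f->len = len;
    pthread_mutex_unlock(&f->lock);
    free(old); return 0;
}

/* Interpreter: holds the lock for the whole run so the program cannot be freed or swapped
 * underneath it. LOADs past the end of the packet read as 0. */
int filter_run(struct filter *f, const uint8_t *pkt, size_t pkt_len) {
    int acc = 0;
    pthread_mutex_lock(&f->lock);
    for (size_t i = 0; i < f->len; i++) {
        struct insn in = f->prog[i];
        if (in.op == OP_LOAD)     acc = in.k < pkt_len ? pkt[in.k] : 0;
        else if (in.op == OP_ADD) acc += in.k;
        else break;                                 /* RET, or junk if the program was never validated */
    }
    pthread_mutex_unlock(&f->lock);
    return acc;
}

/* Simulated concurrent writer: replaces the first opcode with an unknown one. */
void overwrite_with_bad_opcode(struct insn *user_prog, size_t len) { (void)len; user_prog[0].op = 0xFF; }
/* Constructed sample: acc = pkt[1]; acc += 10; return acc. */
const struct insn sample_prog[3] = { {OP_LOAD, 1}, {OP_ADD, 10}, {OP_RET, 0} };
const uint8_t sample_pkt[3] = { 0xAA, 0x05, 0xBB };

/* 1 if the unsafe setter reported success yet installed bytes that fail validation. */
int demo_unsafe_installs_unvalidated(void) {
    struct filter f = { PTHREAD_MUTEX_INITIALIZER, NULL, 0 };
    struct insn user[3]; memcpy(user, sample_prog, sizeof user);
    int rc = filter_set_unsafe(&f, user, 3, overwrite_with_bad_opcode);
    int bad = rc == 0 && !filter_validate(f.prog, f.len);
    free(f.prog); return bad;
}

/* Hardened setter under the same racer: the validated copy runs, so the result is 0x05 + 10 = 15. */
int demo_hardened_runs_validated_copy(void) {
    struct filter f = { PTHREAD_MUTEX_INITIALIZER, NULL, 0 };
    struct insn user[3]; memcpy(user, sample_prog, sizeof user);
    if (filter_set(&f, user, 3, overwrite_with_bad_opcode) != 0) return -1;
    int r = filter_run(&f, sample_pkt, sizeof sample_pkt);
    free(f.prog); return r;
}
```

The fix has two independent parts, and both are needed: the setter must never re-read caller memory after the check (one copy, then validate that copy), and installation and execution must be mutually exclusive so the interpreter never runs a program that is being swapped or has already been freed. Dropping either part reopens a window of the kind the paragraph describes.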

Read Full Writeup

Firmware 4.05

namedobj

In a write-up released in October 2017, fail0verflow described how they obtained a dump of the firmware 1.01 kernel, which included not only exported symbols but also full ELF symbols, an oversight that proved very beneficial to reverse engineering. This vulnerability was also found and exploited by (at least) Chaitin Tech. The exploit was then patched in 4.06 after Chaitin Tech reported the bugs to Sony.

On 27 December 2017, SpecterDev implemented an exploit for 4.05 using fail0verflow's write-up, with qwertyoruiopz's WebKit exploit as the entry point. The earlier WebKit exploit no longer provided RWX memory mappings, because JIT is now handled by a completely separate method, rendering that entry point useless.

Read Full Writeup

Firmware 1.76

sys_dynlib_prepare_dlclose

The web browser in the PlayStation 4's 1.76 firmware uses a revision of WebKit that turns out to be vulnerable to CVE-2012-3748. The exploit was originally written for the Safari web browser but was ported over by nas and Proxima in 2014. This consequently gave arbitrary read and write access to WebKit via the use of JIT (just-in-time compilation).

Kernel access was obtained via a kernel vulnerability known as BADIRET (CVE-2014-9322), known to affect Linux and later also FreeBSD. This was fixed back in 2014; however, the PlayStation 4's 1.76 firmware was found to still be vulnerable to BADIRET, which allowed firmware 1.76 to be fully exploited.

CTurt's write-up did not include source code; it provided only the information needed for developers to put the pieces together. On March 24th 2016, Zer0xFF, with the help of bigboss and Twisted, completed the puzzle and released the source code of a proof of concept for the dlclose kernel exploit for the public to download.

CTurt, together with qwertyuiop, also provided a write-up detailing the analysis of the exploit.

Read Full Writeup