{"id":85268,"date":"2022-10-03T03:30:12","date_gmt":"2022-10-03T03:30:12","guid":{"rendered":"https:\/\/harchi90.com\/released-ps5-kernel-exploit-webkit-vulnerability-for-firmware-4-03\/"},"modified":"2022-10-03T03:30:12","modified_gmt":"2022-10-03T03:30:12","slug":"released-ps5-kernel-exploit-webkit-vulnerability-for-firmware-4-03","status":"publish","type":"post","link":"https:\/\/harchi90.com\/released-ps5-kernel-exploit-webkit-vulnerability-for-firmware-4-03\/","title":{"rendered":"Released!  PS5 Kernel exploit + Webkit vulnerability for Firmware 4.03"},"content":{"rendered":"<div>\n<p><!--nok--><\/p>\n<p><\/p>\n<p>Oh, wow, only a few hours after tweeting that this needed to be \u201cironed out\u201d, SpecterDev has now published his implementation of the PS5 IPV6 Kernel exploit!<\/p>\n<p>This release relies on the Webkit vulnerability as an entry point, meaning it will work on any PS5 (including PS5 Digital edition) running firmware 4.03.  Lower firmwares might work (although the exploit might need tweaking).  Higher firmwares will not work at the moment (they are not vulnerable to the Webkit exploit)<\/p>\n<h2>PS5 4.03 Kernel exploit is here!<\/h2>\n<p>SpecterDev warns about <strong>significant limitations<\/strong> of this exploit.  Notably:<span id=\"ezoic-pub-ad-placeholder-127\" class=\"ezoic-adpicker-ad\"\/><\/p>\n<ol>\n<li>The exploit is fairly unstable, and in his experience will work about 30% of the time.  If you are trying to run it, don&#8217;t give up, it might require several attempts before the exploit gets through<\/li>\n<li>Possibly more important, this exploit gives us read\/write access, but no execute!  This means no possibility to load and run binaries at the moment, everything is constrained within the scope of the ROP chain.  The current implementation does however enable debug settings.<\/li>\n<\/ol>\n<p>More precisely, from the exploit&#8217;s readme:<\/p>\n<h3 dir=\"auto\">Currently Included<\/h3>\n<ul dir=\"auto\">\n<li>Obtains arbitrary read\/write and can run a basic RPC server for reads\/writes (or a dump server for large reads) (must edit your own address\/port into the exploit file on lines 673-677)<\/li>\n<li>Enables debug settings menu (note: you will have to fully exit settings and go back in to see it).<\/li>\n<li>Gets root privileges<span id=\"ezoic-pub-ad-placeholder-118\" class=\"ezoic-adpicker-ad\"\/><span class=\"ezoic-ad ezoic-at-0 medrectangle-4 medrectangle-4118 adtester-container adtester-container-118\" data-ez-name=\"wololo_net-medrectangle-4\"><span id=\"div-gpt-ad-wololo_net-medrectangle-4-0\" ezaw=\"300\" ezah=\"250\" style=\"position:relative;z-index:0;display:inline-block;padding:0;min-height:250px;min-width:300px;\" class=\"ezoic-ad\"\/><\/span><\/li>\n<\/ul>\n<h3 dir=\"auto\"><a rel=\"nofollow noopener\" id=\"user-content-limitations\" class=\"anchor\" href=\"https:\/\/github.com\/Cryptogenic\/PS5-4.03-Kernel-Exploit#limitations\" aria-hidden=\"true\" target=\"_blank\">Limitations<\/h3>\n<ul dir=\"auto\">\n<li>This exploit achieves read\/write, <strong>but not code execution<\/strong>.  This is because we cannot currently dump kernel code for gadgets, as kernel .text pages are marked as eXecute Only Memory (XOM).  Attempting to read kernel .text pointers will panic!<\/li>\n<li>As per the above + the hypervisor (HV) enforcing kernel write protection, this exploit also <strong>cannot install any patches or hooks into kernel space<\/strong>which means no homebrew-related code for the time being.<\/li>\n<li>Clang-based fine-grained Control Flow Integrity (CFI) is present and enforced.<\/li>\n<li>Supervisor Mode Access Prevention\/Execution (SMAP\/SMEP) cannot be disabled, due to the HV.<\/li>\n<li>The write primitive is somewhat constrained, as bytes 0x10-0x14 must be zero (or a valid network interface).<\/li>\n<li>The exploit&#8217;s stability is currently poor.  More on this below.<\/li>\n<li>On successful run, <strong>exit the browser with circle button, PS button panics for a currently unknown reason<\/strong>.<\/li>\n<\/ul>\n<h3 dir=\"auto\">Stability Notes<\/h3>\n<p dir=\"auto\">Stability for this exploit is at about 30%, and has multiple potential points of failure.  In order of observed descending liklihood:<\/p>\n<ol dir=\"auto\">\n<li><em>Stage 1<\/em> causes more than one UAF due to failing to catch one or more in the reclaim, causing latent corruption that causes a panic some time later on.<\/li>\n<li><em>Stage 4<\/em> finds the overlap\/victim socket, but the pktopts is the same as the master socket&#8217;s, causing the \u201cread\u201d primitive to just read back the pointer you attempt to read instead of that pointer&#8217;s contents.  This needs some improvement and to be fixed if possible because it&#8217;s really annoying.<\/li>\n<li><em>Stage 1<\/em>&#8216;s attempt to reclaim the UAF fails and something else steals the pointer, causing immediate panic.<\/li>\n<li>The kqueue leak fails and it fails to find a recognized kernel .data pointer.<\/li>\n<\/ol>\n<p>In other words, this release is useful for hackers only, or people who are curious to dig into the inside of the PS5.  Note however that despite its limitations, this is the first ever public release of such a powerful hack for the PS5, which means fresh discoveries are bound to happen!<\/p>\n<h2>PS5 IPV6 Exploit showcase video<\/h2>\n<p>Scene member Echo Stretch managed to run the exploit and get us a video of it in action, as can be seen below.  In the video, you can see Debug menu and package installer being unlocked on the PS5<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"ca\">Testing PS5 4.03 Kernel Exploit For Disc Or Digital PS5<a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/frwololo?ref_src=twsrc%5Etfw\" target=\"_blank\">@frwololo<\/a> <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/ps4_hacking?ref_src=twsrc%5Etfw\" target=\"_blank\">@ps4_hacking<\/a> <a rel=\"nofollow\" href=\"https:\/\/t.co\/K8p8j0owoq\" target=\"_blank\">pic.twitter.com\/K8p8j0owoq<\/a><\/p>\n<p>\u2014 Echo Stretch (@StretchEcho) <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/StretchEcho\/status\/1576724107487764484?ref_src=twsrc%5Etfw\" target=\"_blank\">October 3, 2022<\/a><\/p>\n<\/blockquote>\n<h2>Download and run<\/h2>\n<p><span id=\"ezoic-pub-ad-placeholder-128\" class=\"ezoic-adpicker-ad\"\/>You can download the hack here.<\/p>\n<p>You will need Python to run SpecterDev&#8217;s implementation, and you will be running a webserver on your local PC for your PS5 to access.<\/p>\n<ol dir=\"auto\">\n<li>Configure fakedns via <code>dns.conf<\/code> to point <code>manuals.playstation.net<\/code> to your PCs IP address<\/li>\n<li>Run fake dns: <code>python fakedns.py -c dns.conf<\/code><\/li>\n<li>Run HTTPS server: <code>python host.py<\/code><\/li>\n<li>Go into PS5 advanced network settings and set primary DNS to your PCs IP address and leave secondary at <code>0.0.0.0<\/code>\n<ol dir=\"auto\">\n<li>Sometimes the manual still won&#8217;t load and a restart is needed, unsure why it&#8217;s really weird<\/li>\n<\/ol>\n<\/li>\n<li>Go to user manual in settings and accept untrusted certificate prompt, run<\/li>\n<li>Optional: Run rpc\/dump server scripts (note: address\/port must be substituted in binary form into exploit.js)<\/li>\n<\/ol>\n<p>This is a developing story, as more people will test and report on this hack in the days to come, so stay tuned!<\/p>\n<p>Source: <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/SpecterDev\/status\/1576714840650883074\" target=\"_blank\">SpecterDev<\/a><span id=\"ezoic-pub-ad-placeholder-129\" class=\"ezoic-adpicker-ad\"\/><span class=\"ezoic-ad ezoic-at-0 box-4 box-4129 adtester-container adtester-container-129\" data-ez-name=\"wololo_net-box-4\"><span id=\"div-gpt-ad-wololo_net-box-4-0\" ezaw=\"250\" ezah=\"250\" style=\"position:relative;z-index:0;display:inline-block;padding:0;width:100%;max-width:1200px;margin-left:auto !important;margin-right:auto !important;min-height:250px;min-width:250px;\" class=\"ezoic-ad\"\/><\/span><\/p>\n<\/p><\/div>\n<p><script async src=\"\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Oh, wow, only a few hours after tweeting that this needed to be \u201cironed out\u201d, SpecterDev has now published his implementation of the PS5 IPV6 Kernel exploit! This release relies on the Webkit vulnerability as an entry point, meaning it will work on any PS5 (including PS5 Digital edition) running firmware 4.03. Lower firmwares might &hellip;<\/p>\n<p class=\"read-more\"> <a class=\"\" href=\"https:\/\/harchi90.com\/released-ps5-kernel-exploit-webkit-vulnerability-for-firmware-4-03\/\"> <span class=\"screen-reader-text\">Released!  PS5 Kernel exploit + Webkit vulnerability for Firmware 4.03<\/span> Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-global-header-display":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[4],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":85848,"url":"https:\/\/harchi90.com\/new-ps5-kernel-exploit-seemingly-lets-someone-run-kojimas-pt\/","url_meta":{"origin":85268,"position":0},"title":"New PS5 Kernel Exploit Seemingly Lets Someone Run Kojima&#8217;s PT","date":"October 3, 2022","format":false,"excerpt":"Image: Sony \/ KotakuHackers have been circling the PS5 for almost a year nowand it appears they may have finally managed to jailbreak the 2020 hardware with a new kernel-level exploit first discovered on the PS4. While it doesn't allow access to execute certain types of code, the exploit has\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":86085,"url":"https:\/\/harchi90.com\/new-ps5-exploit-unlocks-root-privileges-read-write-memory-access\/","url_meta":{"origin":85268,"position":1},"title":"New PS5 exploit unlocks root privileges, read\/write memory access","date":"October 3, 2022","format":false,"excerpt":"enlarge \/ Hackers are getting closer to fully unlocking user control of the PS5 hardware.Sony Long-time console hacker and exploit developer SpecterDev has released a PS5 exploit that can give users root privileges and read\/write access to large chunks of system memory. While this exploit can't be used to actually\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":85744,"url":"https:\/\/harchi90.com\/ps5-has-seemingly-been-jailbroken-and-people-are-already-installing-pt-on-it\/","url_meta":{"origin":85268,"position":2},"title":"PS5 Has Seemingly Been Jailbroken, and People are Already Installing PT on It","date":"October 3, 2022","format":false,"excerpt":"Sony's PlayStation 5 seems to have been jailbroken \u2013 so of course, people are installing PTPlayStation modders SpecterDev unveiled the new jailbreak earlier today \u2013 an experimental IPV6 kernel exploit for the PS5. This jailbreak relies on a WebKit vulnerability as an entry point, so it will only work on\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6480,"url":"https:\/\/harchi90.com\/pixel-6-and-galaxy-s22-affected-by-major-new-linux-kernel-vulnerability\/","url_meta":{"origin":85268,"position":3},"title":"Pixel 6 and Galaxy S22 affected by major new Linux kernel vulnerability","date":"July 6, 2022","format":false,"excerpt":"Read update More information from the researcher A seemingly major vulnerability has been discovered by security researcher and Northwestern PhD student Zhenpeng Lin, affecting the kernel on the Pixel 6 and 6 Pro and other Android devices running Linux kernel versions based on 5.10 like the Galaxy S22 series. Precise\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"fifu_image_url":"https:\/\/wololo.net\/wagic\/wp-content\/uploads\/2022\/10\/PS5_debug_settings_specterdev-1-scaled.jpg","_links":{"self":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/85268"}],"collection":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/comments?post=85268"}],"version-history":[{"count":0,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/85268\/revisions"}],"wp:attachment":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/media?parent=85268"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/categories?post=85268"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/tags?post=85268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}