PS4 News from #35C3 - @m0rph3us1987 presents his Talk about "Exploiting PS4 Video Apps"

Discussion in 'PS4 News' started by Roxanne, Dec 28, 2018.

By Roxanne on Dec 28, 2018 at 11:52 AM
    Following up on his announcement of December 9th, developer @m0rph3us1987 presented his talk "Exploiting PS4 Video Apps" on the #35C3 stage today. The talk was held in German, so this article translates the important points slide by slide so that everyone can follow what he presented.

    For an overview of the #35C3 congress in general, and for the livestreams of this talk and the other important ones, please click here.

    Editor's Note: Many users have misunderstood both the announcement of this presentation and the presentation itself, which led to the question of whether we are talking about a true "kernel exploit" or "only" a web exploit. That question is not answered in this thread, and if you read both this article and the presentation from the beginning you will see that the talk was not meant to answer it either. What the talk does show is an approach that differs from the way the 1.76 and 5.05 kernel exploits were developed: the old WebKit bug is reached through the video applications instead of the web browser, giving userland code execution, and no kernel exploit is part of the talk. You can decide for yourself what label that deserves; the important point is that his goal was to obtain code execution on the PS4 first, not to exploit the newest system firmware. Thanks for understanding.

    Exploiting PS4 Video Apps.jpg
    Screenshot from the beginning of the talk, showing the title slide of "Exploiting PS4 Video Apps"

    • After welcoming the audience, he introduces himself: a software engineer working on enterprise resource planning (ERP) software, with a long-standing interest in reverse engineering and low-level programming languages (he describes it as something like a fetish :) ). Following the scene and knowing that a kernel exploit for system firmware 1.76 already existed, he searched Amazon for a bundle hoping to get a PS4 on that firmware or lower as a starting point for his own work. Instead, the seller shipped a PS4 with the two games "bundled" separately, and worse, the console was running system firmware 3.15. :( Rather than returning it for a refund, he decided to find his own way into his PS4. This is also why his results differ from earlier work by others, as described in the editor's note.

      To understand what the PS4 is doing, he set up packet capture on his home network so that he could see every connection the console makes, whether playing a game or watching a movie, and what each connection is used for. He captured with tcpdump and analysed the traffic later in Wireshark. What he noticed immediately is explained in the next section, "Analyse", German for "analysis".

      01 - Agenda.jpg
      Basic overview of what is presented in the talk.

    • On the next slide he describes what he noticed once the capture was running: the video applications (Netflix, Amazon Prime, IGN, Vevo and others) still use an older version of AppleWebKit, even though his PS4 was well above system firmware 1.76, unlike the built-in web browser, whose WebKit Sony had updated in a later system update after the 1.76 exploit was released. He saw this as a good entry point for further investigation (and presenting it as such, so that others can explore it on their own hardware with newer firmware, was the point of the whole talk): if the video apps still ship the old WebKit, then the 1.76 WebKit exploit should in theory still work against them. Their traffic also went out without SSL/TLS, so he could read every detail of what each video app sends and receives. He therefore set up his own webserver at home serving the 1.76 WebKit exploit page and redirected the DNS queries of the video apps to that server. The result, shown on one of his slides below, is that the web exploit for system firmware 1.76 is indeed still functional. He also quickly noticed that the video apps showed no sign of address space layout randomization (ASLR): the same addresses came back on every run, which made tinkering with the apps considerably easier, as he explains.

      On the following slide he briefly explains how the 1.76 web exploit works in general and how he applied it to the video apps, which gave him access to the memory of each app (memory dumping; see the slides below). Most readers will already know this part, so we jump directly to the next section, "Wie geht es weiter?", German for "How do we proceed?".

      02 - Analysis.jpg
      A simple sketch on one of the slides shows why he chose to investigate several video applications running on the PS4.
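      The DNS-redirection step in practice, as an added example that is not part of the talk or of this article: a minimal DNS responder core in C that answers an A query for one chosen hostname with the address of the local webserver hosting the exploit page, and refuses everything else (other hosts, other record types, malformed packets, packets that are responses rather than queries). The hostname cdn.video-app.example and the address 192.168.1.10 are assumptions made for the example; the real hostnames are the ones seen in the packet capture. Only parsing and response building are shown; binding a UDP socket on port 53 and forwarding non-matching queries to a real resolver are left to the caller.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode the QNAME starting at `off` into dotted form. Returns the offset of
 * the byte after the terminating zero label, or 0 if the name is malformed
 * (compression pointers are not accepted inside a query). */
static size_t dns_read_name(const uint8_t *pkt, size_t len, size_t off,
                            char *out, size_t outlen)
{
    size_t o = 0;
    while (off < len) {
        uint8_t l = pkt[off++];
        if (l == 0) {
            out[o ? o - 1 : 0] = '\0';      /* replace the trailing dot */
            return off;
        }
        if ((l & 0xC0) || off + l > len || o + l + 1 >= outlen)
            return 0;
        memcpy(out + o, pkt + off, l);
        o += l;
        off += l;
        out[o++] = '.';
    }
    return 0;
}

/* Build the answer for an A/IN query for exactly `target_host`: same ID and
 * question, flags QR|RD|RA (0x8180), one answer record pointing at `ip`.
 * Returns the response length, or 0 when the query must not be spoofed
 * (different host, other record type, malformed, or not a query at all). */
static size_t dns_spoof_response(const uint8_t *q, size_t qlen,
                                 const char *target_host, const uint8_t ip[4],
                                 uint8_t *resp, size_t resplen)
{
    char name[256];
    if (qlen < 12 || resplen < qlen + 16)
        return 0;
    uint16_t flags   = (uint16_t)((q[2] << 8) | q[3]);
    uint16_t qdcount = (uint16_t)((q[4] << 8) | q[5]);
    if ((flags & 0x8000) || qdcount != 1)   /* must be a query with one question */
        return 0;
    size_t qend = dns_read_name(q, qlen, 12, name, sizeof name);
    if (qend == 0 || qend + 4 > qlen)
        return 0;
    uint16_t qtype  = (uint16_t)((q[qend] << 8) | q[qend + 1]);
    uint16_t qclass = (uint16_t)((q[qend + 2] << 8) | q[qend + 3]);
    qend += 4;
    if (qtype != 1 || qclass != 1 || strcmp(name, target_host) != 0)
        return 0;

    memcpy(resp, q, qend);            /* ID, header and question verbatim */
    resp[2] = 0x81; resp[3] = 0x80;   /* QR=1, RD=1, RA=1, RCODE=0 */
    resp[6] = 0; resp[7] = 1;         /* ANCOUNT = 1 */
    memset(resp + 8, 0, 4);           /* NSCOUNT = ARCOUNT = 0 */
    size_t off = qend;
    resp[off++] = 0xC0; resp[off++] = 0x0C;   /* NAME: pointer to the question name at offset 12 */
    resp[off++] = 0; resp[off++] = 1;         /* TYPE A */
    resp[off++] = 0; resp[off++] = 1;         /* CLASS IN */
    resp[off++] = 0; resp[off++] = 0; resp[off++] = 0; resp[off++] = 30;  /* TTL 30 s */
    resp[off++] = 0; resp[off++] = 4;         /* RDLENGTH */
    memcpy(resp + off, ip, 4);
    return off + 4;
}

/* Encode a query the way a client sends it; used to construct the sample input. */
static size_t dns_build_query(uint16_t id, const char *host, uint8_t *out, size_t outlen)
{
    size_t off = 12;
    if (outlen < 12 + strlen(host) + 2 + 4)
        return 0;
    memset(out, 0, 12);
    out[0] = (uint8_t)(id >> 8); out[1] = (uint8_t)id;
    out[2] = 0x01;                 /* RD */
    out[5] = 1;                    /* QDCOUNT = 1 */
    for (const char *p = host; *p; ) {
        const char *dot = strchr(p, '.');
        size_t l = dot ? (size_t)(dot - p) : strlen(p);
        if (l == 0 || l > 63)
            return 0;
        out[off++] = (uint8_t)l;
        memcpy(out + off, p, l);
        off += l;
        p += l;
        if (*p == '.')
            p++;
    }
    out[off++] = 0;                            /* root label */
    out[off++] = 0; out[off++] = 1;            /* QTYPE A */
    out[off++] = 0; out[off++] = 1;            /* QCLASS IN */
    return off;
}

int main(void)
{
    /* Constructed query, standing in for one captured from a video app. */
    const char *host = "cdn.video-app.example";          /* assumed hostname */
    const uint8_t webserver_ip[4] = { 192, 168, 1, 10 }; /* assumed exploit host */
    uint8_t q[512], r[512];
    size_t ql = dns_build_query(0x1234, host, q, sizeof q);
    size_t rl = dns_spoof_response(q, ql, host, webserver_ip, r, sizeof r);
    printf("query %zu bytes -> response %zu bytes, flags %02x%02x, A = %u.%u.%u.%u\n",
           ql, rl, r[2], r[3], r[rl - 4], r[rl - 3], r[rl - 2], r[rl - 1]);
    return 0;
}
```

      Answering only the hostnames you intend to redirect matters on a home network: everything else the console asks for (PSN sign-in, the app's own backend) still has to resolve normally, otherwise the apps will not start at all.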

    • On this slide he asks, as the title says, how to proceed after dumping and reading the memory of a video application. His goal was code execution, but the old web exploit only gives read and write access to a limited memory area, which is a problem: to run his own code he needs control over the app's control flow. His answer is virtual method tables (vtables). After explaining how vtables work in general, he notes that the vtables already present in the app still "don't let you do whatever you want", so he replaces an object's vtable pointer with one pointing at a vtable he created himself, whose entries he controls; the next virtual call on that object then goes wherever he wants, which is how the ROP execution on the later slides is triggered. The method is best explained by the slides themselves, added below, since they show the code for each step. So without further waiting we go to the next section, "Der Masterplan", simply "The Master Plan".

      03 - VTABLE.jpg
      This slide explains how he gains control over an application's virtual calls so that he can redirect them wherever he wants.

    • On the following slides he shows how each of the steps mentioned above worked on his PS4. Even without knowing German they are easy to follow, because, as said above, the slides explain his work very well. Click on one of the pictures to open the slideshow, where each slide can be viewed in higher resolution.

      Slides: 15 - The Master Plan; 04 - Object Spraying; 05 - Identify Object Instance; 06 - Identify Object Instance; 07 - Find VTABLES; 08 - Triggering ROP execution; 09 - GDB and PCBSD; 10 - GDB and PCBSD; 11 - Triggering ROP execution; 12 - The ROP Chain; 13 - Trigger ROP Chain; 14 - ROP Chain
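      The vtable hijack that the slides walk through (object spraying, identifying an object instance, finding the vtable, triggering the first gadget), as an added example in C that is not the talk's code. It models the situation the talk describes: a heap region the attacker can only read and write through a limited primitive, objects with a vtable pointer at offset 0, and fixed addresses because there is no ASLR. A plain C function attacker_pivot stands in for the stack-pivot gadget that would start the ROP chain; the real exploit also has to supply that chain, which is not shown here. The object layout, the marker value 0x41414141, and a little-endian 64-bit target are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A C++-style object as the video app would have it: vtable pointer first. */
typedef struct Player Player;
struct PlayerVTable {
    int (*play)(Player *self);
    int (*stop)(Player *self);
};
struct Player {
    const struct PlayerVTable *vt;  /* offset 0: vtable pointer (the hijack target) */
    uint32_t magic;                 /* marker set by the spray (assumed layout) */
    uint32_t index;
};

static int real_play(Player *p) { return 1000 + (int)p->index; }
static int real_stop(Player *p) { (void)p; return 0; }
static const struct PlayerVTable player_vt = { real_play, real_stop };

/* Stands in for the first ROP gadget (a stack pivot in a real exploit). */
static int attacker_pivot(Player *p) { (void)p; return 0x1337; }

/* The heap region the exploit's limited read/write primitive can reach.
 * Without ASLR its address is the same on every run, so the attacker can
 * compute pointers into it; here (uintptr_t)heap plays that known address. */
#define NOBJ 64
static Player heap[NOBJ];

/* App side: spray many objects of one type so instances are easy to find. */
static void spray_objects(uint32_t magic)
{
    for (uint32_t i = 0; i < NOBJ; i++) {
        heap[i].vt = &player_vt;
        heap[i].magic = magic;
        heap[i].index = i;
    }
}

/* App side: a virtual call, i.e. what obj->play() compiles to. */
static int app_call_play(uint32_t i)
{
    Player *p = &heap[i];
    return p->vt->play(p);
}

/* Attacker side: the only primitives available, an 8-byte read and write at
 * an offset inside the region (modelled on the limited primitive of the old
 * WebKit exploit). Little-endian layout assumed. */
static uint64_t rw_read64(size_t off) { uint64_t v; memcpy(&v, (uint8_t *)heap + off, 8); return v; }
static void rw_write64(size_t off, uint64_t v) { memcpy((uint8_t *)heap + off, &v, 8); }

/* Attacker side: locate one sprayed instance by scanning for the marker.
 * Returns its offset in the region, or -1 if none is found. */
static long find_instance(uint32_t magic)
{
    for (size_t off = 0; off + sizeof(Player) <= sizeof heap; off += sizeof(Player)) {
        if ((uint32_t)rw_read64(off + offsetof(Player, magic)) == magic)  /* low 32 bits */
            return (long)off;
    }
    return -1;
}

/* Attacker side: read the real vtable pointer (this is how a memory dump
 * reveals where the app's vtables live), build a fake vtable in memory we
 * own, and point the victim object's vtable pointer at it. The next virtual
 * call on the victim then lands in attacker_pivot. */
static int hijack_and_trigger(uint32_t magic)
{
    long victim = find_instance(magic);
    if (victim < 0)
        return -1;
    uint64_t real_vt = rw_read64((size_t)victim);          /* offset 0: vtable pointer */

    /* Use the last spray slot as storage for the fake vtable; only the entry
     * we are going to trigger (play, index 0) has to be valid. */
    size_t fake_off = (NOBJ - 1) * sizeof(Player);
    rw_write64(fake_off + 0, (uint64_t)(uintptr_t)attacker_pivot);
    rw_write64(fake_off + 8, 0);

    uint64_t fake_vt = (uint64_t)((uintptr_t)heap + fake_off);
    rw_write64((size_t)victim, fake_vt);
    printf("vtable %#llx replaced by fake vtable %#llx\n",
           (unsigned long long)real_vt, (unsigned long long)fake_vt);

    /* Back on the app side: the app makes a virtual call on the victim object. */
    return app_call_play((uint32_t)(victim / sizeof(Player)));
}

int main(void)
{
    spray_objects(0x41414141u);
    printf("before hijack: play() on object 0 returns %d\n", app_call_play(0));
    printf("after hijack:  play() on object 0 returns %#x\n", hijack_and_trigger(0x41414141u));
    return 0;
}
```

      Two things in this model carry over directly to the PS4 case: the fake vtable has to live at an address the attacker already knows, which is exactly what the missing ASLR provides, and the vtable slot that gets called must be the one the app actually invokes next, which is why the slides spend time on identifying the right object instance and its vtable before triggering anything.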

    • Near the end of the talk, his last slide lists some disadvantages of his approach compared to the earlier work of other developers; they do not mean that his work is bad. First, as you may already know from the PS3, the video apps need a permanent connection to the PlayStation Network, so Sony can fix the problems he found very easily with an updated version of each application; and to use the apps at all you have to stay online and run the latest system firmware. Second, the video applications have no access to the just-in-time compiler, which is not much of a loss since, as he explains, JIT has been removed for every application since system firmware 2.00. There is also no threading support, so exploit techniques that depend on multiple threads, which the built-in web browser offers, cannot be used from the video apps; anything that does not need threads, he says, works the same way as through the web browser. Both the video applications and the web browser run inside a sandbox, but the sandbox around the video apps allows less than the browser's. Not on the slide, but mentioned: the video applications do not support dynamic module loading, so you cannot load additional modules to add functionality the app does not already contain (for example, loading Linux the way it is done through the web browser will not work from the video apps).

      At the end he repeats that Sony can close these loopholes very easily with an updated version of each application, whereas fixing the web browser always required a whole new system firmware release. Nevertheless, he explains, you still get full userland code execution, so a kernel exploit could be launched from it. He stresses again that his work is only an entry point for what may be possible in the future, and he invites everyone to test it on their own hardware with newer system firmware installed.

      After the applause, he answered questions from the audience, such as why he chose the video apps specifically. He said he had tried everything, including running games, and was simply surprised that the video apps use such an old WebKit. The moderator asked how his wife reacted to his work, since she had planned to give him the PS4 as a birthday present; the audience laughed when he explained that she was not amused, especially when he first opened the console up instead of actually playing games on it. :) He then thanked the audience and the livestream viewers and said goodbye.

      16 - Conclusion.jpg
      At the end of the talk, he sums up his work compared to the exploits through the built-in web browser.

    We hope you enjoyed our coverage of the first important talk at 35C3. Feel free to discuss your opinions about the talk in the comments section below. Maybe this talk will be the initial spark the PS4 needs to get more homebrew releases.

    The whole talk can be found here:
    Twitter: @m0rph3us1987
    Slides: MEGA



    1. STLcardsWS
      Well done @Roxanne !!!!! You have been all over this and covered it very well. Thank you !!!!

      Seems like we need some NoPSN versions of those apps :) which surely is easier said than done. The thing that kind of sucks is these will get patched/updated before it will even be a ready-to-use exploit (so if it does progress it will be back-dated like other exploits, but with an app instead of firmware, so perhaps that could help). Personally I would have liked to see this progressed a bit before it went public, but again it's nice progress and a well done job by m0rph3us1987, and it's not up to him to progress it all (nor share any of this). So we can only be thankful...

      Him trying to get a 1.76 console and getting one that was 3.15 does show how the PS4 has been different from how other scenes got kickstarted (and why we see fewer devs). It shows the frustrations that some go through to obtain the right PS4 to get into the scene (only not to get into the scene after that). Lucky for us it motivated him to research an area that may not have been researched. Of course people getting into scenes late have this path, but the kickstarting of a scene as a whole has never had to go through this.
    2. neo88
      Great work Roxanne, it was very interesting. Unfortunately there are some people who believe that it is an easy task to get an exploit, and do not value the time and dedication of the developers.
    3. Roxanne
      Exactly, but this also shows how his attempt was different from others', which is important to understand from this talk.

      There is also now the Talk uploaded on YouTube, I added the Video at the End.

    4. STLcardsWS
      A reminder for English users (or any language): you can use CC on YouTube and then go to settings and choose a language for translated subtitles.
    5. justin_credible
      Which video apps should I download? (I know there's no kernel but just to have them in case it's necessary in the future)
    6. Zazenora
      Great reporting @Roxanne I've been waiting on this all month!!! :)
    7. fdm
      Thank you for the translations. It's unfortunate that its release basically kills it as an entry point, but it's very nice to read how it was done.
    8. STLcardsWS
      I think currently all or most are vulnerable, but the incoming updates to those will be what to look out for. The info has been provided, so either he or others will extend from it.

      The good news (maybe?) is that if it's patched it may not matter (or it may), because with an app we can theoretically do more than with a firmware restriction. For example, on the PS3 those video apps have been cracked to take away the PSN requirement (NoPSN) and they can also be spoofed to different versions. This is not currently figured out on the PS4 and may be, and likely is, a different beast in those terms, but the point is it's not exactly the classic firmware issue (perhaps?). I think it will take some time to play out. A firmware update could also impact it as well, but we will see how it all shakes out.
    9. Kratos TMT

      So, is it good if I update my PS4 5.55 to the latest 6.20.

      To be able to access PSN for downloading video apps, we will need to do this.

    10. SoJustMe
      LOL he should have waited till the last games on PS4 were released < Sony will definitely patch these apps ;

      So in conclusion: video apps use WebKit 1.7; if Sony patches it to the latest version we are done for newer system updates; using this to get a kernel exploit is the goal now. In other words, there is a lot of work to do, but by sharing this information he has opened up a new door for other developers to dig in deeper and we will have new ideas.

      Thank you m0rph3us1987
      Thank you Roxanne for the perfect translation, it is easy to read and easy to understand.
    11. Berion
      Needs to stay always online for what exactly? What network functionality do video apps have?

      BTW: I feel so disappointed. I was hoping for an offline solution, ready to deploy. And again, all hope just perished.

      Thanks @Roxanne for the translation.
    12. Scorpion355
      I'm currently on 5.55, should I update to the latest 6.20 firmware to update the video apps?
    13. fdm
      You must be connected to PSN to launch any of the video apps, and that same mechanism will force updates. Additionally, if an old version is modified to keep the old WebKit and remove the PSN requirement, you won't be able to launch it before running a kernel exploit, so it can't be used as an entry point.
    14. slimica
      [Post removed by admin, since it has no legitimate uses and violates site rules]
    15. Zazenora
      I'll remain hopeful for now, that we might see something from this before it gets patched.
      If there were a way to at least edit these video apps to where they didn't require being online to start them, that could at least stave off the inevitable patches until some sort of exploit gets produced.
      That may be too much to hope for though, and may be a paradox all on its own.
    16. Bloodmoons366466
      So this will get patched pretty soon after it's released, due to it requiring the latest firmware and the current version of the PS4 applications to work. Maybe the dev will find a better way and hold on to it a little longer.

      Probably if we could use it for a downgrade, it would be worth releasing.
    17. Berion
      @fdm Oh... so we are not talking about e.g. the Media Player app but e.g. the YouTube app? Which means that the "exploit" was released without any ready solution, and even without a kernel hack? Jesus... :(
    18. pinky
      I didn't watch the video, but maybe Crunchyroll is useful? There was talk of it being an alternative to Haxchi on the Wii U. ;)
