PS5 (UPDATE 2 ) Thefl0w discloses"Blu-ray Disc Java Sandbox Escape" vulnerabilities (PS3, PS4, PS5)

Update (See Tabs Below PS3 / PS4): Since the disclosure several developer's have went on the hunt and we have seen PoC releases and TEST payload pushed, We have confirmation the PoC is working on 9.00, other have been testing impact on 9.03/.04. See all the details from developer's like sleirsgoevy / @zecoxao / psxdev (aka bigboss) in the PS4 Tab. Some preliminary discussions about the PS3 impact have been discussed in this thread from various developer's like @bguerville and @zecoxao

.Original Article: Developer TheFl0w who is well known in the Homebrew and Hacking in the PlayStation Community, via the hackerone program the hacker has yet again disclosed details on vulnerabilities (5) "bd-jb Blu-ray Disc Java Sandbox Escape" is affecting PS3, PS4, PS5. Sony has patched these vulnerabilities in recent firmware updates for the PS5 / PS4 with firmware update's of 5.00 FW for the PS5 and 9.50 FW for the PS4. These methods are also likely to work on the PS3 according to thefl0w (likely on the latest firmware).

thefl0w has detailed some advantages this concept provides over a webkit exploit, you can see that information and various details in the "additional info" tab below, along with some clarification due to over hyping some aspects of this exploit..:
-STLcardsWS​

FU6TB0UVUAAjYaL-1536x1157.jpg
About Vulnerabilities Additional Notes About PS3 (Update) About PS4 (Update) Update PS5 (oct-22)

  • Hey PlayStation!
    Below are 5 vulnerabilities chained together that allows an attacker to gain JIT capabilities and execute arbitrary payloads. The provided payload triggers a buffer overflow that causes a kernel panic. Please consider each of the vulnerabilities individually. AFAIK, this is the first exploit chain that is being submitted to you :)

    Proof-of-concept
    Attached is the exploit chain bd-jb as a .iso file which demonstrates the exploitation of vulnerabilities 1-4 that demonstrates the ability to run arbitrary payloads. Burn the iso image with UDF 2.5 file system. You can send the payload using nc $PS4IP 1337 < payload.bin. The provided payload causes a kernel panic by triggering vulnerability 5 (the file /PWN/0 has been modified to use internal allocation and has a size of 4MB filled with A). Tested on latest firmware 9.00.

    Impact
    • With these vulnerabilities, it is possible to ship games on bluray discs. That is possible even without a kernel exploit as we have JIT capabilities.


    Update (Slides from presentation):
    Hardwear.io USA 2022 - bd-jb: Blu-ray Disc Java Sandbox Escape:
    https://github.com/TheOfficialFloW/Presentations/blob/master/2022-hardwear-io-bd-jb.pdf
    (Thanks to @Roxanne for the tip)
    Update June 22, 2022: Video Presentation posted online


  • Vulnerabilities
    d    [MEDIUM][PS4] [PS5] Vulnerability 1
    The class com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl deserializes the userprefs file under privileged context using readObject() which is insecure:
    Code 635 Bytes
    private void initPreferences() { try { UserPreferenceManagerImpl.preferences = AccessController.doPrivileged((PrivilegedExceptionAction<String[][]>)new ReadPreferenceAction()); } catch (PrivilegedActionException ex) {} if (UserPreferenceManagerImpl.preferences == null) { UserPreferenceManagerImpl.preferences = new String[UserPreferenceManagerImpl.PREFERENCES.length][]; } if (UserPreferenceManagerImpl.preferences[3] == null) { UserPreferenceManagerImpl.preferences[3] = new String[] { "26" }; this.savePreferences(); }
    }
    Click to expand...
    Code 685 Bytes
    private static class ReadPreferenceAction implements PrivilegedExceptionAction { public Object run() throws Exception { String[][] array = null; ObjectInputStream objectInputStream = null; try { objectInputStream = new ObjectInputStream(new BufferedInputStream(new FileInputStream(RootCertManager.getOriginalPersistentRoot() + "/userprefs"))); array = (String[][])objectInputStream.readObject(); } finally { if (objectInputStream != null) { objectInputStream.close(); } } return array; }
    }
    Click to expand...

    An attacker can replace the userprefs file with a malicious serialized object to instantiate classes under privileged context. On older firmwares such as 5.05, where the commit https://github.com/openjdk/jdk/comm...9aa065025e753ca2e1f3b7ebc798e0d954de75d995de5 is not present, exploitation of this vulnerability is easy: An attacker can instantiate a ClassLoader subclass to call defineClass with all permissions and finally bypass the security manager.


    [MEDIUM][PS4] Vulnerability 2
    The class com.oracle.security.Service contains a method newInstance which calls Class.forName on an arbitrary class name. This allows arbitrary classes, even restricted ones (for example in sun.), to be instantiated. This works for all classes with public constructors that have single arguments. The check in newInstance can be bypassed by calling com.oracle.ProviderAdapter.setProviderAccessor on a custom ProviderAccessor implementation.
    Code 320 Bytes
    if (!this.registered) { if (ProviderAdapter.getService(this.provider, this.type, this.algorithm) != this) { throw new NoSuchAlgorithmException("Service not registered with Provider " + this.provider.getName() + ": " + this); } this.registered = true;
    }
    Click to expand...

    [MEDIUM][PS4] [PS5] Vulnerability 3
    The class com.sony.gemstack.org.dvb.io.ixc.IxcProxy contains the protected method invokeMethod which can call methods under privileged context. Permission checks in methods can be bypassed if the following conditions are met:
    • The method is public and non-static.
    • The method's class is public, non-final and can be instantiated.
    In such a scenario, an attacker can write a subclass of the target class which implements an interface where the desired method throws RemoteException.
    For example, there are permission checks in File.list(). An attacker can bypass them with the following classes:
    Code 111 Bytes
    class FileImpl extends File implements FileInterface { FileImpl(String pathname) { super(pathname); }
    }
    Click to expand...
    Code 91 Bytes
    interface FileInterface extends Remote { public String[] list() throws RemoteException;
    }
    This vulnerability can be used to leak the file system structure as well as dumping files (for example from /app0/).
    Click to expand...

    [HIGH][PS4] Vulnerability 4
    The "compiler receiver thread" receives a structure of size 0x58 bytes from the runtime process:
    Code 603 Bytes
    typedef struct { uint8_t cmd; // 0x00 uint64_t arg0; // 0x08 uint64_t arg1; // 0x10 uint64_t arg2; // 0x18 uint64_t arg3; // 0x20 uint64_t arg4; // 0x28 uintptr_t runtime_data; // 0x30 uintptr_t compiler_data; // 0x38 uint64_t data1; // 0x40 uint64_t data2; // 0x48 uint64_t unk; // 0x50 } CompilerAgentRequest; // 0x58 CompilerAgentRequest req; while (CompilerAgent::readn(s, &req, sizeof(req)) > 0) { uint8_t ack = 0xAA; CompilerAgent::writen(s, &ack, sizeof(ack)); if (req.compiler_data != 0) { memcpy(req.compiler_data + 0x28, &req, sizeof(req)); ... } ...
    }
    Click to expand...
    This struct contains a pointer at offset 0x38 (we call it compiler_data) from the compiler process which is used to make a backup of the request structure. An attacker can simply send an untrusted pointer and the compiler receiver thread will copy data from the request into its memory. In other words, we have a write-what-where primitive. An attacker can exploit this vulnerability by supplying a pointer to JIT memory and store the content to be written in the request. The compiler will write this data into JIT memory and therefore give us the opportunity to execute arbitrary payloads. This has severe implications:
    • An ELF loader can be written to load and execute games.
    • Kernel exploitation becomes trivial as there is no SMEP and one can simply jump to user with a corrupted function pointer.

    [HIGH][PS4] [PS5] Vulnerability 5
    The UDF driver https://github.com/williamdevries/UDF is used on the PS4 and PS5 which contains a buffer overflow. An attacker can make the size inf_len larger than sector_size (the assumption of internal allocation is that the data is smaller than the sector size) and cause an overflow with memcpy().
    Code 758 Bytes
    int udf_read_internal(struct udf_node *node, uint8_t *blob) { struct file_entry *fe = node->fe; struct extfile_entry *efe = node->efe; struct udf_mount *ump; uint64_t inflen; int addr_type, icbflags; uint32_t sector_size; uint8_t *pos; /* get extent and do some paranoia checks */ ump = node->ump; sector_size = ump->sector_size; if (fe != NULL) { inflen = le64toh(fe->inf_len); pos = &fe->data[0] + le32toh(fe->l_ea); icbflags = le16toh(fe->icbtag.flags); } else { inflen = le64toh(efe->inf_len); pos = &efe->data[0] + le32toh(efe->l_ea); icbflags = le16toh(efe->icbtag.flags); } addr_type = icbflags & UDF_ICB_TAG_FLAGS_ALLOC_MASK; /* copy out info */ memset(blob, 0, sector_size); memcpy(blob, pos, inflen); return (0);
    }
    Click to expand...



  • via TheFlow's Official Twitter:
    • bd-jb: Blu-ray Disc Java Sandbox Escape affecting PS3, PS4, PS5. My talk at
      @hardwear_io will be uploaded in a few weeks. #hardwear_io via

    • Fixed on PS4 FW 9.50 and PS5 FW 5.00 via

    • I wanted to clarify: Without a kernel exploit, you won't be able to run any games (which would have worked on the PS4 only anyways), because we don't have enough RAM in the bd-j process and there are some other constraints. It was only a theoretical impact via .

    • Advantages of bd-jb compared to WebKit exploit:
      • Works on both PS4/PS5
      • 100% reliable -
      • Firmware-agnostic (ROP-less code execution)
      • Bigger kernel attack surface
      • JIT for executing payloads, so you can write a kernel exploit in C (on PS4 only) via.

    FU6Yru1VUAAoOk4-1536x1157.jpg

    FU6Yr_cUcAAA6bz-1536x1157.jpg

    FU6bzTWVEAA5sHO-1536x1157.jpg



  • Since there has not been as much details about the PS3 Impact other then we know it could affect the PS3, There has been some discussion about the PS3 impact and these findings here in the psx-place forum's as PS3 Hacker / Developer @bguerville shares some of his opinion and thoughts throughout several post with fellow developer @zecoxao. That discussion starts at this post and goes throughout the thread:
    .Update June 20
    via Roxanne : "    It's an very early POC so far tho thanks to psxdev (bigboss)"

    IMG_0206.JPEG IMG_0205.JPEG



  • For Advanced User's Only A Proof of Concept of the TheFlow's discoveries where released to the public via @sleirsgoevy using published vulnerabiltes from TheFlow #2 (privileged constructor call / #3 (privileged method call / #4 (jit hack​

    via @sleirsgoevy
    Partial reimplementation of BD-JB (without kernel part): https://github.com/sleirsgoevy/bd-jb
    ISO image: https://mega.nz/file/p99hHaYT#i4XxImp4I_ou-dWO5vk6GMX3xn4EqcoIV41jFWZdXdQ
    Built with "PS3 BD-J DevKit": https://mega.nz/folder/A4IFGYg

    via ReadME @ github:
    BD-JB reimplementation based on TheFlow's report and presentation. Implements loading arbitrary .bin payloads using vulnerabilities #2 (privileged constructor call), #3 (privileged method call), #4 (jit hack) from the report. Listens for payloads on port 9019.

    The first (and only) argument to the payload is the address of sceKernelDlsym, which can be used to resolve other symbols. It seems that libkernel_sys.sprx always has id 0x2001, and you can look up other libraries by getting the full list of handles and looking up name of each handle. You can't directly call syscalls due to missing kernel patches.


    https://twitter.com/sleirsgoevy/status/1537230108338970624
    https://github.com/sleirsgoevy/bd-jb
    .UPDATE June - 18

    bd-jb     (from psxdev aka bigboss)

    bd-jb is a BD-JB reimplementation for prospero based on TheFlow's report and sleirsgoevy base code
    By now only implemented:
    • Vulnerability #2 to list /app0 content
    • Added udp logs you can get it in your pc change host variable on MyXlet.java and use something like this on your pc/mac:
    socat udp-recv:18194 stdout

    See more info @ github: https://github.com/psxdev/bd-jb
    https://twitter.com/psxdev/status/1537947200713412609
    .UPDATE June - 18

    TESTING PURPOSE ONLY     (use at your risk)
    @zecoxao via twitter:
    those of you with already created bd-jb bluray and that are in 9.03 or 9.04, please test this payload
    https://www17.zippyshare.com/v/awY1gGiJ/file.html


  • https://www.psx-place.com/threads/u...box-escape-vulnerabilities-ps3-ps4-ps5.37554/

 
Last edited by a moderator:
Click to expand...
bguerville
zecoxao said:
Here is the decompiled code:
Click to expand...
Yes, it looks like the Java vulnerability is there.

Regarding the precise exploitation mentioned by theFlow though, I cannot say for the time being, I would assume from what I read that it hangs on JIT memory to run code without ROPing, I have not looked at the bdj binaries yet, I dunno what it uses. The cprm SPU file could be either an interpreter or a compiler?
 
Last edited:
  • Like
Reactions: XiC
zecoxao
bguerville said:
Yes, it looks like the Java vulnerability is there.

Regarding the precise exploitation mentioned by theFlow though, I cannot say for the time being, I would assume from what I read that it hangs on JIT memory to run code without ROPing, I have not looked at the bdj binaries yet, I dunno what it uses. The cprm SPU file could be either an interpreter or a compiler?
Click to expand...

remember that vulnerabilities 2 and 4 only exist on ps4! only 1,3 and possibly 5 are ps3, ps4 and ps5
 
bguerville
zecoxao said:
remember that vulnerabilities 2 and 4 only exist on ps4! only 1,3 and possibly 5 are ps3, ps4 and ps5
Click to expand...
Ok.
Everything is interesting anyway however there is only one thing that I might consider worth pursuing at this stage, it's vulnerability 1 but ONLY at the condition that BD-J runs on JIT like on PS4, the same bug to exploit on interpreter would bring nothing to the table, other than a local disc based rop launcher, which is cool already but I don't think I would want to work on it.
The 100% exploit reliability is great but it's nothing we don't already have with all userland exploits luckily, as to the kernel it is exploited already and there is a backup exploit. If one day it was needed we will know where to look.
No, the cool thing would be the ability to have ROP less code execution, that would be a great asset and I could be tempted to look into it. I never looked into BD-j because I assumed it used an interpreter like everything else I know about that S#ny implemented on PS3.
 
Last edited:
barelynotlegal
so i was reading up on PS5 and saw that the kernal was patched on 4.50, with these new vulnerabilities, is there still hope for 4.50 consoles? kernal access could still be a possibility thru these methods correct?
not that it matters but the webkit still works on my PS5 with certain dns settings)
 
bguerville
zecoxao said:
pdfs are now available @bguerville https://github.com/TheOfficialFloW/Presentations/blob/master/2022-hardwear-io-bd-jb.pdf

edit: nvm, Roxanne already shared
Click to expand...
I said earlier that s#ny could always have worked around their self imposed limitations.
theFlow describes a workaround s#ny apparently used on PS4 which is to launch 2 separate processes, one mapping the JIT memory as RX in userland and the other as RW, both processes communicating via socket.

He also mentions the possibility of allowing the write/exec flag combo in mmap syscall only for specific processes, afaik that's not the case on PS3 but then again I haven't reversed the mmap kernel code myself so I cannot confirm whether such exceptional mem alloc behaviour arrangements may exist.

Honestly I would find it somewhat surprising that s#ny would do for BD-J what they would not do for the browser and any other system app that would otherwise use JIT, but I could be wrong.
 
STLcardsWS
Roxanne said:
Thanks bguerville <3 Also nice to see you guys all around as well. :)


Btw TheFlow released his presentation slides earlier than people thought. Maybe the best News writer @STLcardsWS can add them to the Main Article :P


GitHub - TheOfficialFloW/Presentations
Click to expand...

Yes, always good to see you @Roxanne

Thanks for the compliment, you were not a bad writer yourself.. :)

Link to slides added will extract the images later tonight and add them from the pdf,
Thanks for the assist :)
 
N
Izofeu said:
What's BD-J? Could you explain or send me a link to a resource where I can learn about types of bluray discs?
Click to expand...

Berion said:
Just like e.g BD-Video, BD-J is just ordinary BD disc (BD-ROM, BD-R LTH/HTL or BD-RE). The names are related to their content, not the physical structure. It is Java signed executable (archives to be precise, *.jar files are ZIP64) AFAIK and the problem is (was?) the signing process to make disc be accepted by consoles and bd players. So it means that on firmware side must exist kind of JRE to understand BD-J and it means keys and the algos are known (?).

Unfortunately it is al what I know. Not much as You can see. :)
Click to expand...

BD-J is the way menus (and some interactive content) are implemented in Bluray movie discs, it's not a special disc format, virtually every Bluray movie that has menus use it, and therefore it has to be supported by every Bluray player, PS5 (/PS4/PS3) included. Indeed menus on Bluray movies are actually Java programs!
The problem isn't really with the signing process because the signing process never really guarded anything. BD-J signature is more or less like Android APK signature. There needs to be a signature but since the root key authenticating the signature is also read from the disc it means close to nothing since you can generate your own keypair and use it to sign your JARs. This actually seems intentional, otherwise you wouldn't be able to author your own Bluray movies, and it seems that the Bluray association never wanted to prevent people from doing that. Anyway mind that Bluray movies (and DVD movies) are the only possible user-created content an unmodified PS5 would accept.
The problem here is a classic VM-escape - A BD-J program is a Java program that runs inside a virtual machine and should only be able to interact with the virtual environment in which the Bluray movie runs, however this group managed to break out of the JVM and run native binary code on the host system. Note that the shellcode runs in the context of the Bluray player process, which apparently runs with very low permissions (as it should), which means you need a kernel exploit to elevate your permissions or you won't be able to do very much.

And since someone was asking - Playstation does not support the so-called "BD9" format (i.e. Bluray movie content on a DVD disc); once the player determines that the physical media in the drive is a DVD it will no longer look for Bluray content on it, so you have to use BD-R or BD-RE. You can get a BD-R/E drive for $60 on Amazon, it's really not a huge issue.
 
You must log in or register to reply here.

Similar threads

Featured content

Trending content

Latest posts

Back
Top