PS4 (Update) A New PS4 Kernel Exploit (7.02) Released by TheFl0w (PS4 6.72 Jailbreak next candidate)

The PlayStation 4 hacking/homebrew scene has been a unique journey compared to other PlayStation platforms, even those of the firmware era (PSP/Vita/PS3). Development on the PS4 has always been there, but it has come at a slower pace and for a limited audience on outdated firmware releases. We have seen several exploited firmwares on the PlayStation 4 (PS4): the show started with 1.76, and through a few more exploits we eventually climbed the ladder to 5.05, which remains the latest exploited firmware even though the console has aged into the 7.5x era. So a new exploit has been on the wish list for many.

Recently (back in March), well-known developer theflow0, most notable lately for his work in the PS Vita scene (various exploits as well as great homebrew projects like VitaShell), turned his attention to the PS4 (see our coverage here). He announced that he had a 6.20 kernel exploit and advised the public not to update their PS4 console's firmware past 6.20. That excited many: although many would already have updated (to v7.x), it did open a much bigger window than the current 5.05 and gives already-exploited consoles a new exploit. This was eager news for many waiting patiently, and sadly also fuel for the Twitter trolls out there in social media land.


Then, several weeks ago, you may have heard of a new bug bounty program for PlayStation (via https://hackerone.com/playstation). When this program was announced there were a lot of opinions shared, and various disagreements in ideology arose and seemingly became the focus of the arguments. Following some of those disputes, hacker thefl0w went to Twitter on June 25 with the following:

"PS4 scene, you're starting such a drama over nothing. I was actually planning to disclose something in a few weeks/months (which I will still do...) and after that, I'd like to announce my retirement, even if I was never part of that toxic and entitled "scene"."

Then today, thefl0w and hackerone.com (via the PlayStation Bug Bounty) announced that the PS4/Vita hacker has claimed a $10,000 bounty for a kernel exploit on the PS4 for firmware 7.02 (patched in 7.50). For 7.02 support, a WebKit exploit will still need to be found and released to the public; the one currently public supports up to 6.72. Here is what theflow0 had to say about the exploit released on July 6:
via Twitter (July 6)
Here you are, https://hackerone.com/reports/826026, PS4 kernel exploit for FW 7.02 and below. Vulnerability discovered on 2019-06-09. This must be chained together with a WebKit exploit, for example https://github.com/Fire30/bad_hoist for FW 6.50.
July 6
Apologies, the WebKit exploit works up to FW 6.72.

  • So, what does this mean?
    We will be moving on from 5.05 in the future as the pieces are put together by the community, with 6.72 more than likely being the focus since we already have a public WebKit exploit for it. The wait for 7.02 will be for a WebKit exploit to be found and released to the public, as that is the entry point needed to use the kernel exploit.

    thefl0w's entry into the PS4 scene appears to be a brief but explosive one, as the developer has also decided to call his short PS4 tenure quits, confirming what he said on June 25. Those feelings seem to stem from various disagreements and attitudes he did not like (more details can be found on his Twitter).

    To summarize: a developer got $10,000 for releasing his exploit, an exploit that many are going to get to use and that upgrades the scene from 5.05. It does look like the bounty program is not the end of the world after all, as some were suggesting.

    Stay tuned, as this is sure to mature over the next several days/weeks.
    Do not update past 6.72, and if you are on 5.05 currently, stay there until the new exploit has been properly prepared for public consumption.


    Exploit disclosure: hackerone.com


Looks like we may be getting exploits a little bit longer due to $ony wanting to do an exploit bounty hunter program.
 
Looks like it shuts the naysayers up considering the exploit was discovered last year. "There are no private exploits." It's for 7.02 and below, and there's already a webkit exploit for 6.72.
 
Looks like it shuts the naysayers up considering the exploit was discovered last year. "There are no private exploits." It's for 7.02 and below, and there's already a webkit exploit for 6.72.
You are correct.
Of course there are private exploits out there & why wouldn't there be?
After all, what incentive does the community give to private exploit holders to release their work exactly?
I am not endorsing the bounty system & I am not saying it is good for the scene, but then again, now everyone knows the value of a raw exploit. With that price tag, how can anyone still feel entitled to getting new 0-day exploits on tap?
If anything, the bounty system might induce a rise in exploit releases. We shall see...
 
You are correct.
Of course there are private exploits out there & why wouldn't there be?
After all, what incentive does the community give to private exploit holders to release their work exactly?
I am not endorsing the bounty system & I am not saying it is good for the scene, but then again, now everyone knows the value of a raw exploit. With that price tag, how can anyone still feel entitled to getting new 0-day exploits on tap?
If anything, the bounty system might induce a rise in exploit releases. We shall see...

That's what I was thinking. The program states that they can release exploits as long as a reasonable amount of time has passed for it to be fixed. A year is a good start.
 
That's what I was thinking. The program states that they can release exploits as long as a reasonable amount of time has passed for it to be fixed. A year is a good start.
Usually it's only a few weeks although it can be extended on request.
 
Maybe theflow was waiting 'til he got the cash?
Everything was in process, he waited for that process to be completed.

Afaik, first you submit the vulnerability with supporting evidence; the bounty people check everything with the code makers (Sony here), they make a decision on the severity of the vulnerability & agree on the number of weeks before publishing, and at that stage they send the bounty money.
Finally, the process is complete when the number of weeks is reached & no extension was requested; notes & code, if any, are made public.
 
It has the disclosed date as today, so maybe that indicates that the process is complete. I'm surprised theflow mentioned anything after he called out the people who kept feeling entitled. If you recall, there's a user on here who keeps making new accounts to discredit PS4 hackers because they wouldn't release anything. I think that's the kind of person theflow's talking about.
 
It seems crazy to think Sony would offer bounties for such a thing. They must be beefing up for PS5 security.

Maybe copying Nintendo again? :-P Nintendo has a bounty system, or has had one for a while, for the 3DS and the Switch.
 
I knew I had heard of that from somewhere but couldn't remember where.

What's funny is you know Nintendo's going to be paying that bounty, all of their systems get hacked lol.

They can't make the money too much I guess, some employee could leak the info to a friend and take the cash ha.
 
Btw, @NoSoul81, I know very little about Switch hacking, since I haven't exploited my systems (have 2). However, I do know that a hacker named Kate Tempkin (think that's her name) received a bounty for her work on the Switch. I think not all of it might've been her work or something, not sure, so she's hated.
 
It seems crazy to think Sony would offer bounties for such a thing. They must be beefing up for PS5 security.
I do not think it is crazy at all, quite the opposite; I wonder why they never did it earlier. They are latecomers at this game; all big names in the software industry have been offering bounties for years now.

At the very least, but not limited to:
1. It allows them to use the hacking scene, it's much cheaper than using employees & it's risk free.
2. It allows them to improve security.
3. It allows them to avoid 0-day exploits being made public as much as possible.
 