Released! PS5 kernel exploit + webkit vulnerability for firmware 4.03

Oh wow, just a few hours after tweeting that this needs to be “fixed out”, SpecterDev has now released its implementation of the PS5 IPV6 kernel exploit!

This version relies on the Webkit vulnerability as an entry point, meaning it will work on any PS5 (including PS5 Digital Edition) running firmware 4.03. Lower firmwares may work (although the exploit may need tweaking). Higher firmwares currently do not work (they are not vulnerable to the webkit exploit)

PS5 4.03 kernel exploit is here!

SpecterDev warns against this significant limitations this exploit. Above all:

1. The exploit is quite unstable and based on our experience it will work about 30% of the time. If you try to run it, don’t give up, it may take multiple attempts before the exploit gets through
2. Possibly more importantly, this exploit gives us read/write access but no execution! This means that at the moment there is no way to load and run binaries, everything is constrained within the framework of the ROP chain. However, the current implementation allows debug settings.

Specifically, from the exploit’s readme:

Currently included

• Gets arbitrary read/write access and can run a simple RPC server for read/writes (or a dump server for large reads) (must edit your own address/port into the exploit file at lines 673-677 )
• Activates the debug settings menu (note: you have to exit and re-enter the settings completely to see it).
• Gets root privileges

limitations

• This exploit achieves read/write access, but no code execution. This is because we are currently unable to emit kernel code for gadgets as kernel .text pages are marked as eXecute Only Memory (XOM). Attempting to read kernel .text pointers causes panic!
• Same as above + the hypervisor (HV) that forces the kernel to be write-protected, this exploit will too cannot install patches or hooks in kernel spacewhich means no homebrew-related code for now.
• Clang-based fine-grain Control Flow Integrity (CFI) is in place and enforced.
• Supervisor Mode Access Prevention/Execution (SMAP/SMEP) cannot be disabled due to HV.
• The write primitive is somewhat restricted since bytes 0x10–0x14 must be zero (or a valid network interface).
• The stability of the exploit is currently poor. More on that below.
• With a successful run Quit the browser with the circle button, the PS button panics for a currently unknown reason.

Stability Notes

The stability of this exploit is around 30% and has several potential bugs. In order of observed decreasing probability:

1. stage 1 causes more than one UAF due to failing to catch one or more in the reclamation, resulting in a latent corruption that causes a panic some time later.
2. Level 4 finds the overlap/victim socket, but the pktopts is the same as that of the master socket, resulting in the “read” primitive just reading back the pointer you’re trying to read, instead of the contents of that pointer. This needs to be improved and fixed if possible as it is really annoying.
3. stage 1‘s attempt to reclaim the UAF fails and something else steals the pointer, causing immediate panic.
4. The kqueue leak fails and finds no recognized kernel .data pointer.

In other words, this version is only useful for hackers or people curious to break into the inside of the PS5. Note, however, that despite its limitations, this is the first-ever public release of such a powerful hack for the PS5, meaning new discoveries are bound to happen!

PS5 IPV6 exploit showcase video

Scene member Echo Stretch managed to run the exploit and provide us with a video of it in action as seen below. In the video you can see how to unlock the debug menu and package installer on PS5

Testing PS5 4.03 kernel exploit for disc or digital PS5@frwololo @ps4_hacking pic.twitter.com/K8p8j0owoq

— Echo Stretch (@StretchEcho) October 3, 2022

Download and run

You can download the hack here.

You’ll need Python to run SpecterDev’s implementation, and you’ll be running a web server on your local PC that your PS5 can access.

1. Configure fakedns via dns.conf point it out manuals.playstation.net to the IP address of your PC
2. Run Fake DNS: python fakedns.py -c dns.conf
3. Run HTTPS server: python host.py
4. Go into advanced PS5 network settings and set the primary DNS to your PC’s IP address and leave the secondary as is 0.0.0.0
   1. Sometimes the manual still won’t load and requires a reboot, not sure why it’s really weird
5. In the settings go to the user guide and accept the prompt for untrusted certificates, run it
6. Optional: Run rpc/dump server scripts (Note: address/port must be replaced in binary form in Exploit.js)

This is an evolving story as more people will test and report on this hack in the coming days, so stay tuned!

Source: SpecterDev