Released! PS5 Kernel exploit + Webkit vulnerability for Firmware 4.03

Oh, wow, only a few hours after tweeting that this needed to be “ironed out”, SpecterDev has now published his implementation of the PS5 IPV6 Kernel exploit!

This release relies on the Webkit vulnerability as an entry point, meaning it will work on any PS5 (including the PS5 Digital Edition) running firmware 4.03. Lower firmwares might work (although the exploit might need tweaking). Higher firmwares will not work at the moment (they are not vulnerable to the Webkit exploit).

PS5 4.03 Kernel exploit is here!

SpecterDev warns about significant limitations of this exploit. Notably:

  1. The exploit is fairly unstable, and in his experience works about 30% of the time. If you are trying to run it, don’t give up; it might require several attempts before the exploit gets through.
  2. Possibly more important, this exploit gives us read/write access, but no execute. This means there is no way to load and run binaries at the moment; everything is constrained within the scope of the ROP chain. The current implementation does, however, enable debug settings.

More precisely, from the exploit’s readme:

Currently Included

  • Obtains arbitrary read/write and can run a basic RPC server for reads/writes (or a dump server for large reads) (must edit your own address/port into the exploit file on lines 673-677)
  • Enables debug settings menu (note: you will have to fully exit settings and go back in to see it).
  • Gets root privileges

Limitations

  • This exploit achieves read/write, but not code execution. This is because we cannot currently dump kernel code for gadgets, as kernel .text pages are marked as eXecute Only Memory (XOM). Attempting to read kernel .text pointers will panic!
  • As per the above + the hypervisor (HV) enforcing kernel write protection, this exploit also cannot install any patches or hooks into kernel space, which means no homebrew-related code for the time being.
  • Clang-based fine-grained Control Flow Integrity (CFI) is present and enforced.
  • Supervisor Mode Access Prevention/Execution (SMAP/SMEP) cannot be disabled, due to the HV.
  • The write primitive is somewhat constrained, as bytes 0x10-0x14 must be zero (or a valid network interface).
  • The exploit’s stability is currently poor. More on this below.
  • On successful run, exit the browser with the circle button; the PS button panics for a currently unknown reason.

Stability Notes

Stability for this exploit is at about 30%, and it has multiple potential points of failure. In order of observed descending likelihood:

  1. Stage 1 causes more than one UAF due to failing to catch one or more in the reclaim, causing latent corruption that causes a panic some time later on.
  2. Stage 4 finds the overlap/victim socket, but the pktopts is the same as the master socket’s, causing the “read” primitive to just read back the pointer you attempt to read instead of that pointer’s contents. This needs some improvement and to be fixed if possible because it’s really annoying.
  3. Stage 1’s attempt to reclaim the UAF fails and something else steals the pointer, causing immediate panic.
  4. The kqueue leak fails and it fails to find a recognized kernel .data pointer.

In other words, this release is useful for hackers only, or people who are curious to dig into the inside of the PS5. Note however that despite its limitations, this is the first ever public release of such a powerful hack for the PS5, which means fresh discoveries are bound to happen!

PS5 IPV6 Exploit showcase video

Scene member Echo Stretch managed to run the exploit and get us a video of it in action, as can be seen below. In the video, you can see the Debug menu and package installer being unlocked on the PS5.


Download and run

You can download the hack here.

You will need Python to run SpecterDev’s implementation, and you will be running a webserver on your local PC for your PS5 to access.

  1. Configure fakedns via dns.conf to point manuals.playstation.net to your PC’s IP address
  2. Run fake dns: python fakedns.py -c dns.conf
  3. Run HTTPS server: python host.py
  4. Go into PS5 advanced network settings and set primary DNS to your PC’s IP address and leave secondary at 0.0.0.0
    1. Sometimes the manual still won’t load and a restart is needed; unsure why, it’s really weird
  5. Go to user manual in settings and accept untrusted certificate prompt, run
  6. Optional: Run rpc/dump server scripts (note: address/port must be substituted in binary form into exploit.js)

This is a developing story, as more people will test and report on this hack in the days to come, so stay tuned!

Source: SpecterDev
