the new PS4 jailbreak is sort of hilarious

Captions
So this is a PS4. You're probably very familiar with what this is: it's a gaming console, it's well known, it's loved. But the crazy part about this thing is that it was recently jailbroken. A new jailbreak was found, and the crazy part about this jailbreak is that it took advantage of a bug that has been known about publicly since 2006. In this video we're going to break down how this exploit works, where the vulnerability is in the PS4, and talk about how this is kind of a funny story about this thing known as a software bill of materials: keeping track of what code is in your code base that you didn't necessarily write.

Now, if you're new here, hi, my name is Ed. I'm a security researcher during the day, so instead of writing code I read code, find bugs in code, and write reports. I think this is a really interesting case study of how the most secure software that you write may have underlying vulnerabilities if you don't know what other code is inside of your code. So if you like that kind of stuff, or if you want to just hang out with me, hit that sub button, I really appreciate it.

Here is a write-up of the vulnerability and kind of how you can use this vulnerability to take control of your PS4 and jailbreak it, right? And again, jailbreaking a PS4 means there is code that runs that is controlled by Sony; if you're able to get code that runs that isn't written by Sony, you have custom remote code execution on the PS4, you have jailbroken your PS4. You can put your own apps on there, you can load your own software, and the PS4 is now effectively yours to do whatever you want with. Really kind of a cool concept. Now, to do this you need to write an exploit, right? You have to remotely get code execution on the PS4 in a way that allows you to run your own code.

So this is a summary of the bug. This is on HackerOne: "malicious PPPoE server", so PPP is point-to-point protocol, "a PPPoE server can cause a denial of service or potentially remote code execution". I always love this, by the way, when they say "yeah, denial of service or potentially remote code execution". It's like, okay, which one is it? Like, just being a DoS condition is much less severe than it being a remote code execution vulnerability. The reason that they're tied together like this is because typically, if you can crash a thing, a lot of the time the reason for that crash is memory corruption that you can then take advantage of in a malicious way. But anyway, "or potentially remote code execution in the kernel context on the PS4 and the PS5".

Now, this is because of a heap buffer overwrite. You have this destination buffer called buf, or r, and it comes from malloc, so malloc is the function you use to allocate on the heap. And then you have this other buffer called p, and p comes out of h + 1, where h is the header. So effectively this is the source of the data, this is the destination of the data, and then p[1] is going to be the value that determines how many bytes to copy, right? The n value, the length that you're copying out. Now the issue here is that you probably don't see anything in here that validates that p[1] is less than the length value, right? So because p[1] is not less than the length (we don't check that), it will take an arbitrary length value off the network and allow you to copy that into the heap.

I want to make a few comments about this code. First of all, you can tell this code is written in C, because naming variables things like buf and r and p and h is just, like, a terrible naming convention. Like, if you're going to write code, write it in a way that other people can read, and that's kind of a much more publicly known, accessible idea now, but I think maybe 20 years ago people didn't really think that way. Anyway, so you have this vulnerability where, given a PPP frame you can send to the PS4, it will read out the value from that frame arbitrarily into the heap, of any length. So you can control this length, but you don't control this length, and because one can be larger than the other, it will overflow. Pretty freaking cool, right?

So you have this overflow condition. Furthermore, "at (3) the return length is incremented by the malicious length, hence the data that is overread from mbuf is copied into buf and returned to the malicious PPPoE server with this send". So it's an arbitrary buffer overflow, and also you get to read out an arbitrary amount of data, which is really, really interesting. Then, "regarding the exploitability of the overwrite, note that the alloc for malloc can be influenced via the LCP header". So there's an outer layer of encapsulation where basically you can tell the protocol how big you want the small buffer to be, how big you want the big buffer to be, and then it also leaks that data to you. So because of this you can effectively control what is called the bin in the heap allocator: you can control what bin that allocated chunk goes into, and where you get a leak out of. So it makes this a very exploitable bug, because you have a lot of fine-grained control, just via a few protocol headers, over what bin of data your exploit goes into or what bin of data your leak comes from. Very interesting stuff. "So by doing so it is possible to trigger a copy from a bigger mbuf to a smaller buf, thus allowing an overwrite of adjacent allocations with controllable data."

Now this is a really big, important concept when you're doing heap exploitation, right? For example, if you have a chunk that you know you can overflow out of, that's kind of useful if you want to take advantage of the heap metadata to do metadata exploitation. But if you have another chunk to the right of you that you can overflow into, and there are function pointers in that heap chunk, that's even better: you don't have to do any heap feng shui to get an arbitrary write and then hook a function call somewhere else, you can just overwrite that function data and then have that function get called, and now you control what gets called.

So enter PPPwn. This is the name of the exploit that takes advantage of this vulnerability, and again, PPP being the point-to-point protocol. It's kind of hard to say: PPPwn. I keep saying "PPP pone", but that's not correct. PPPwn is a remote kernel code execution exploit for the PS4 up to firmware version 11, and again I think it is so funny that it takes advantage of a bug from 2006.

All because we have a buffer overflow, it doesn't just mean, like, oh boom, you win. Like, having these primitives in the kernel, you need to do a lot of really, really crazy stuff, and you'll see that the readout of this exploit as it runs is, like, really absolutely insane. So they not only have to initialize this by setting up the PPP connection, they have to confirm that they have memory corruption in the device by confirming that they can overflow a response packet. Then they have to defeat this thing that is called KASLR. So ASLR is address space layout randomization. What that is, basically, is when you have programs that run on your computer, the computer will randomize where that code goes, so that if a hacker is trying to hack into something and they want to point a controlled function pointer, for example, to code that they control, if you don't know where your code is, you can't point it anywhere; you don't know where your code lives. So by having this arbitrary leak that we talked about, we can leak data out of the heap, we can leak information from the kernel, and thus we have a KASLR bypass. What they do is they leak this pointer called pppoe_softc_list, which is this address, and then by calculating the offset to that object in the kernel image they now have the base address of the kernel, which is amazing. So now, okay, now we have a confirmed buffer overflow and we've leaked out the kernel's base address. Awesome. And then they use this to get arbitrary code execution.

So the way that they actually get code execution on the PS4 is absolutely insane, and honestly, props to the person that made this exploit, because it's just a jailbreak of a PS4; it's just crazy how much effort they put into this to make this jailbreak happen. Okay, so here's what's going on. We said before that this is a heap-based buffer overflow, and they need to make sure that when they overflow the heap, the data structures that are there are sane enough for the kernel to continue to function, right? If they overflow the wrong thing or corrupt the wrong data, the kernel will just panic and crash the device and fall over, right? So they have to organize the memory in the right order to make sure that the kernel thinks it's legit, while also forming the data in a way that allows it to be exploitable. So they're creating these things called fake LLEs, fake linked list elements, for this thing called LCP, the link control protocol; that's like a layer just slightly above PPPoE. Um, but yeah, we have the fake LLE, we're just creating a sane LLE here, but inside of the linked list element we're also hiding these things called ROP gadgets.

Now, if you don't know what ROP is, ROP is this thing called return-oriented programming, where basically you're using other code that's inside of the program to execute your own code. So for example, if I had a gadget called `pop rdi; ret`, and if I were able to control the return address of any function, if `pop rdi; ret` already exists inside of the code I can just return to `pop rdi; ret`. That would pop the next element off of the stack, put it into RDI, the register, and then return to the next area on the stack. I can use these gadgets in sequence to effectively write my own program with code that's already inside of the program. So they create this sanely formed linked list element while also stuffing these ROP gadgets inside of it, but then at the end of this they build this thing called the second ROP chain. Now a ROP chain is just a concatenation of multiple ROP gadgets, but through this second ROP chain they're making the kernel memory globally writable; they are making kmem_alloc, the heap allocator for the kernel, read-write-execute (RWX), which basically means you can write to it and execute it. That's not a default behavior of the kernel at all. And then they turn write protection back on, and then they point RDI to the kernel map, call kmem_alloc, they memcpy their stage one, their shellcode, into the kernel, and then eventually jump into the stage one. Truly insane.

So now we have code execution by ROPping around, getting the kernel's heap to be executable, and then we can jump to our code. What is the code? The code is this thing called a stage one. Basically what they're doing here is they're taking the linked list that they corrupted via their buffer overflow and they're cleaning up all of the elements that may have been corrupted, so effectively they're removing themselves from this corrupted list, which is pretty sweet. And then eventually they call this piece of code here. Now, if you've ever written network code, this looks just like normal network code, and that's actually exactly what it is. This is a stage one loader which creates a socket on a particular port (the port, I think, is port 9020, yep), and then they just literally receive from the socket, they close it, and then they call that function. So they have ROPped around the kernel, they load in shellcode that binds to a port in the kernel, and then the stage two is the actual evilness, right, or whatever they want to do with this. And I think all they do is they, like, print something onto the screen. Yeah, they open /dev/notification0, which is a device in the PS4; whenever you see, like, a little notification on the PS4 (and I'll kind of put a screenshot up right now), you can put a message there via this driver on the PS4, and they just write "PPPwned" to it.

Totally insane exploit, right? We're doing some heap grooming to create that hole we want to put our heap chunk into to overflow it. We memory-corrupted the chunk to get an ASLR defeat, because we have the overflow and the arbitrary read, we've defeated KASLR, and then they use that fake linked list element to overflow the heap in a way that keeps it sane. They ROP around and disable kernel memory protections and then jump into their shellcode, which just creates a little TCP server, and they shoot shellcode into that server for their stage two, and PPPwned, dude.

The world of memory corruption exploits is so crazy, and I think it's hilarious because, you know, obviously a company like Sony is incentivized to lock down their hardware. Like, they want to do a really good job of making sure that, like, no one can just put code on the machine, because then they lose the authority as the game console owner; like, other people can start to write code for that machine, they can make their own games for it, it kind of loses the validity of, like, the SDK. But when you have a machine like this, that on release costs like $500, right, and it's exploited by a bug from 2006, it's really interesting, because you have this question of software bill of materials, where, like, okay, you write this piece of code, you're not going to write the TCP stack, you're not going to write the gzip decompressor, right? Everyone else already has that code, everyone else has already written that code. So if you don't know, like, exactly what version of code you're using or depending on, you might leave yourself open to bugs like this. So I don't know, I think this is really interesting. Uh, if you like this video, hit the sub button and then go watch this other video, and we'll see you guys there. Take care.
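The bug class the video walks through (a length field taken off the wire decides how many bytes get copied, with no check against either the destination allocation or the bytes actually received) is easy to see in a toy model. The following is an added example, written for this page; it is not the FreeBSD sppp/PPPoE code, not PPPwn, and not code from the video. The two-byte tag layout, the `NEGOTIATED_BUF` size, and the `handle_tag_*`/`demo_*` names are all constructed for the illustration. The "heap" and "packet" both live inside larger arrays so the program stays within defined behaviour while still showing the two effects the speaker describes: the neighbouring chunk being clobbered with attacker bytes (the overwrite) and bytes beyond the packet being echoed back (the overread that feeds the KASLR leak).

```c
/*
 * Constructed model of the CVE-2006-4304 bug class discussed above.
 * Not the real if_spppsubr.c code: wire layout and names are invented for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy wire format: [type:1][len:1][payload ...]. Hypothetical, chosen for the demo. */
struct tag { uint8_t type; uint8_t len; };

/* Destination chunk size the peer negotiated earlier. Models the malloc size the
 * speaker says the attacker can influence through the LCP header. */
#define NEGOTIATED_BUF 16

/* Vulnerable: trusts h->len both for the copy into dst and for the reply length.
 * Returns the number of bytes it copied (and would echo back to the peer). */
size_t handle_tag_vuln(uint8_t *dst, const uint8_t *pkt) {
    const struct tag *h = (const struct tag *)pkt;
    const uint8_t *p = pkt + sizeof *h;     /* p = h + 1, as in the advisory */
    size_t n = h->len;                       /* attacker-controlled length */
    memcpy(dst, p, n);                       /* no check of n against dst size or bytes received */
    return n;                                /* reply length grows by n: overread leaks too */
}

/* Hardened: bound n by the destination size AND by the bytes actually on the wire.
 * Rejects the packet instead of silently truncating; returns 0 on success, -1 otherwise. */
int handle_tag_safe(uint8_t *dst, size_t dstsize, const uint8_t *pkt, size_t pktlen,
                    size_t *copied) {
    if (pktlen < sizeof(struct tag)) return -1;
    const struct tag *h = (const struct tag *)pkt;
    size_t n = h->len;
    size_t avail = pktlen - sizeof *h;
    if (n > avail || n > dstsize) return -1;
    memcpy(dst, pkt + sizeof *h, n);
    *copied = n;
    return 0;
}

/* Overwrite: a 24-byte tag lands in a 16-byte chunk and spills into its neighbour.
 * The neighbour holds a marker standing in for a function pointer in an adjacent
 * allocation. Returns 1 if the neighbour was clobbered with attacker bytes. */
int demo_adjacent_clobber(void) {
    uint8_t arena[2 * NEGOTIATED_BUF];            /* [dst chunk][adjacent chunk] */
    memset(arena, 0, sizeof arena);
    memcpy(arena + NEGOTIATED_BUF, "FUNCPTR_MARKER!!", NEGOTIATED_BUF);

    uint8_t pkt[2 + 24];                          /* constructed malicious packet */
    pkt[0] = 0x01; pkt[1] = 24;                   /* len 24 > NEGOTIATED_BUF */
    memset(pkt + 2, 'A', 24);

    (void)handle_tag_vuln(arena, pkt);
    return memcmp(arena + NEGOTIATED_BUF, "AAAAAAAA", 8) == 0;
}

/* Overread: the tag claims 12 payload bytes but only 4 were sent; whatever follows
 * the packet in memory gets copied and echoed. Returns 1 if the "secret" leaked and
 * stores how many bytes past the real payload were read. */
int demo_overread_leak(size_t *leaked) {
    uint8_t wire[2 + 4 + 8];                      /* packet, then unrelated memory */
    wire[0] = 0x01; wire[1] = 12;
    memcpy(wire + 2, "TAG!", 4);
    memcpy(wire + 6, "SECRET!!", 8);              /* not part of the packet */

    uint8_t dst[32];
    size_t n = handle_tag_vuln(dst, wire);
    *leaked = n - 4;
    return memcmp(dst + 4, "SECRET!!", 8) == 0;
}

/* The hardened path refuses the oversized packet outright. */
int demo_safe_rejects(void) {
    uint8_t dst[NEGOTIATED_BUF];
    uint8_t pkt[2 + 24];
    pkt[0] = 0x01; pkt[1] = 24;
    memset(pkt + 2, 'A', 24);
    size_t copied = 0;
    return handle_tag_safe(dst, sizeof dst, pkt, sizeof pkt, &copied) == -1;
}

int main(void) {
    size_t leaked = 0;
    printf("adjacent chunk clobbered: %d\n", demo_adjacent_clobber());
    printf("overread leaked secret:   %d (%zu bytes past payload)\n",
           demo_overread_leak(&leaked), leaked);
    printf("hardened path rejects:    %d\n", demo_safe_rejects());
    return 0;
}
```

The two checks in `handle_tag_safe` are the ones the speaker says are missing: `n > dstsize` stops the overwrite into the neighbouring chunk, and `n > avail` stops the copy from running past the received bytes, which is what turns a length bug into a memory leak as well. Rejecting rather than clamping matters in a kernel: a clamped copy still lets a peer probe allocation sizes.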
Info
Channel: Low Level Learning
Views: 592,520
Keywords: ps4, jailbreak, ps4 exploit, pppwn, hacking, security, cyber
Id: 7OwdCc81zHo
Length: 12min 20sec (740 seconds)
Published: Fri May 17 2024