PlayStation 4 and Playstation 5: Manipulated USB stick enabled jailbreak

A hacker has discovered a vulnerability in Sony’s implementation of the exFAT file system. This made it possible to jailbreak PS4 and PS5 using a manipulated USB stick.

Google security researcher Andy Nguyen has discovered a vulnerability in the code for handling exFAT file systems in Sony’s Playstation 4 and Playstation 5. As a result, attackers could inject code at the kernel level by plugging in a manipulated USB stick – a jailbreak is possible. Sony has confirmed the vulnerability and paid Nguyen a $10,000 reward.

Details on bug bounty platform

Nguyen is online with the handle @theflow0 and reported the vulnerability to Sony via the HackerOne bug bounty platform. The vulnerability is based on an integer conversion from 64 to 32 bits in a size variable that is used to allocate the upper case table. The fields dataLengthand sizeare 64 bits wide, while the sizeelement of the function is sceFatfsCreateHeapVl()only 32 bits.

In the error message, Nguyen further explains that the function dataLengthonly creates a small buffer for large values ​. As a result, an overflow occurs when the function UVFAT_ReadDevice()is called on the heap, which destroys subsequent objects on the heap. The vulnerability allows heap buffers to be created in multiples of 512 bytes. There would be objects like the usb_endpointstructure that contained interesting pointers that could be manipulated in this way.

Or, as Nguyen sums it up in simple terms: jailbreak the PS4/5 by plugging in a USB stick and directly gaining kernel code execution. The vulnerability has received CVE entry CVE-2022-3349. There is still disagreement about the risk. NIST is still investigating the vulnerability and currently rates it at CVSS 6.8 and medium risk, while the report on HackerOne shows a range of CVSS 7-8.9 with a high threat rating.

Since Sony has now confirmed the vulnerability and paid a reward, and the history of the case goes back a year, the chances that the vulnerability is still present in the current firmware version of your own Playstation are slim. But there are other security gaps, for example in the PS2 emulator, which should allow you to run your own code.