December 6, 2013 // 7:15 pm
- Following up on the recent PS4 Factory Service Mode
and PS4 Jailbreak
rumors, today German PlayStation 4 hacker SKFU
Tweeted that an alleged PS4 vulnerability has been detected with hopes that an exploit has been found.
While there currently isn't much more than a single Tweet by SKFU
on this rumored PS4 vulnerability, according to him testing is indeed underway. We will update this article if/when new information surfaces, and below is the actual Tweet for those interested:
PS4 vulnerability detected... executing test protocol...
Finally, below are some PS4 Bugs & Vulnerabilities
(via psdevwiki.com/ps4/Bugs_&_Vulnerabilities), as follows:
Vidnow (TCP Buffer Overflow)
When you launch Vidnow for the first time it gets http://sceecatalogs.vidzone.tv/386/vidzone_386_US.db.psarc
. This file is 5mb. This file loads into a 60k tcp buffer. No checks are done at all on the files size/hash/contents.
Therefore, it is possible to redirect Vidnow to load a substitute file. When vidnow is redirected to load a large enough file the TCP Window buffer is overrun, somewhere between byte 34,125,000 and 35,000,000 of the substitute file.
Despite the buffer overflow and crash, the substitute data is still transmitted and the application only throws the exception when another tcp packet is sent. As a result, the application crashes and the console locks up for a minute.
Directly before the console resumes normal operations after the crash, an unusually large number of tcp (RST) packets are sent. While no exploit that makes use of this crash is currently available, a carefully crafted file may be able to exploit this or similar issues to gain code execution, among other things.
17:17:40 (System locks up) Crash
17:17:50.356427000 (System no longer locked up) Console Regains Control (74 byte packet sent)
17:17:50.357555000 Contacts Crashlog Server/System Operation Resumes
Running your own code in sandbox requires 4 things:
1. Disabling SHA-1 Checksums ✔
2. Generate a valid signature/disable or bypass signature authentication ✖
3. Repacking Containers ✔
4. Crafting proper binary ✔
Assuming you can get code running disabling sandboxing is trivial.