One of the PlayStation scene's most notable figures, TheFlow (Andy Nguyen), is back at it again. He's discovered a major exploit that affects not just one PlayStation console, but three. A hackerone report by TheFlow sheds light on five vulnerabilities that range in effectiveness, allowing users to load payloads that can be used to exploit the PlayStation 3, PlayStation 4, and even the PlayStation 5. The exploit is referred to as bd-jb, or the Blu-ray Disc Java Sandbox Escape, and was featured during a panel at this year's hardwear.io security conference.

Below are 5 vulnerabilities chained together that allows an attacker to gain JIT capabilities and execute arbitrary payloads. The provided payload triggers a buffer overflow that causes a kernel panic. Please consider each of the vulnerabilities individually. AFAIK, this is the first exploit chain that is being submitted to you

According to Nguyen's report, a UDF driver can cause an overflow on both the PS4 and the PS5. An exploit chain, aka bd-jb, can then be loaded as the payload as a burned Blu-ray disc. The hack, in summary, will allow users to burn physical discs of game backups, and then play them on their consoles. This affects PlayStation 4 consoles below OFW 9.50, and PlayStation 5 systems that are below OFW 5.0.

With these vulnerabilities, it is possible to ship pirated games on bluray discs. That is possible even without a kernel exploit as we have JIT capabilities.

bd-jb: Blu-ray Disc Java Sandbox Escape affecting PS3, PS4, PS5. My talk at @hardwear_io will be uploaded in a few weeks. #hardwear_io https://t.co/gVs03Ie46q

— Andy Nguyen (@theflow0) June 10, 2022

TheFlow's panel that discusses the exploit in detail will be uploaded in "a few weeks". The full hackerone report and all of its technical details can be read about below.

Following the initial report, TheFlow made an update to his claims.

I wanted to clarify: Without a kernel exploit, you won't be able to run any pirated games (which would have worked on the PS4 only anyways), because we don't have enough RAM in the bd-j process and there are some other constraints. It was only a theoretical impact.

— Andy Nguyen (@theflow0) June 11, 2022

Source

 

[chrisrlink]

This mf just open up Pandora's Box and this is gonna turn out to be the second coming of the "G-Hotz" saga. TheFlow better lawyer up, lol.

doubt that will happen he wouldn't disclose if Sony put him under an NDA sony's been gracious enough to allow hax after they are patched theres a reason SciresM didn't disclose fusee-geele directly to nintendo (he disclosed it to nvidia the chip maker or we'll never have that exploit EVER

 

[TomRiddle]

Awesome but sad that Sony was able to patch it, imagine running homebrew on a playstation system while still being able to go online.

Yeah, homebrew is great but one of the biggest unfortunate disadvantages is that it's too risky for most to install cfw on PS5, let alone run backups if you still want online support.

Now don't get me wrong, it's still always possible to be careful but overall the better thing when hacking systems is to accept and be fine with the chance of loosing online support imo.

 

[gudenau]

So Sony didn't know one of the most basic things about Java's built in object serialization?

So many exploits revolve around that feature, it has so much power and you have to be really careful with it.

 

[godreborn]

Yeah, homebrew is great but one of the biggest unfortunate disadvantages is that it's too risky for most to install cfw on PS5, let alone run backups if you still want online support.

Now don't get me wrong, it's still always possible to be careful but overall the better thing when hacking systems is to accept and be fine with the chance of loosing online support imo.

I agree. I personally don't think exploited consoles for any system should be online. it just ruins it for legit players often enough.

 

[EnigmaExodus]

So Sony didn't know one of the most basic things about Java's built in object serialization?

So many exploits revolve around that feature, it has so much power and you have to be really careful with it.

You have to remember this is coming from the same people who thought using a constant random-value for ECDSA signatures was a good idea...

https://media.ccc.de/v/27c3-4087-en-console_hacking_2010

Seemingly Sony is trying to play nice with hackers instead of DMCA/lawsuit bullshit from years past.

 

[Shubshub]

But is the Blu Ray Drive Updateable?

 

[TomRiddle]

I agree. I personally don't think exploited consoles for any system should be online. it just ruins it for legit players often enough.

I mean if you're specifically taking about people who abuse homebrew to cheat in online games then yeah, you have a point.

It sucks because those types of people are ruining online functionality for those who just want to hack their consoles for getting themes or whatever, so I still see why consoles ban you for putting cfw (although I mostly disagree with it).

 

[godreborn]

I mean if you're specifically taking about people who abuse homebrew to cheat in online games then yeah, you have a point.

It sucks because those types of people are ruining online functionality for those who just want to hack their consoles for getting themes or whatever, so I still see why consoles ban you for putting cfw (although I mostly disagree with it).

well, there's that. I also don't think you should be able to sync trophies or achievements. it's unfair to have all the amenities of being legit when most do not even pay for games. it's a catch 22 really. you have to be willing to sacrifice certain aspects of the console if you're going to exploit it.

 

[raxadian]

From what I know ( I can be wrong ) it didn't overheat compared to slim and OG ( I have a slim and it heat a lot while playing somme games and I'm afraid it will not live forever ;+; )

My slim doesn't overheat, maybe yours needs cleaning of the internals?

 

[gudenau]

You have to remember this is coming from the same people who thought using a constant random-value for ECDSA signatures was a good idea...

https://media.ccc.de/v/27c3-4087-en-console_hacking_2010

Seemingly Sony is trying to play nice with hackers instead of DMCA/lawsuit bullshit from years past.

To be fair, there is more president for that stuff to fail now.

Plus this was submitted to a bug bounty website so it could be fixed.

 

[chrisrlink]

the worst part of hacker one anyone can submit a working exploit even if it isn't theres (good example is a former member on here that was blacklisted by a lot of devs for infiltrating teams and stealing exploit code and selling it to nintendo via hackerone

 

[KuntilanakMerah]

come on we need a hero like George Hotz who can hack on firmware level

 

[CanIHazWarez]

the worst part of hacker one anyone can submit a working exploit even if it isn't theres (good example is a former member on here that was blacklisted by a lot of devs for infiltrating teams and stealing exploit code and selling it to nintendo via hackerone

That's a problem. But also, the real worst part is that the exploits get patched

 

[Blavla]

This mf just open up Pandora's Box and this is gonna turn out to be the second coming of the "G-Hotz" saga. TheFlow better lawyer up, lol.

Why should he? He even sold that to Sony, (10K i think) he is alowed to share it after the sony patches it

 

[godreborn]

yeah, sony is the one who decides whether an exploit can be disclosed to the public, so theflow0 won't be sued.

 

[Blavla]

yeah, sony is the one who decides whether an exploit can be disclosed to the public, so theflow0 won't be sued.

that is false. Typically, responsible disclosure guidelines allow vendors 60 to 120 business days to patch a vulnerability. Often, vendors negotiate with researchers to modify the schedule to allow more time to fix difficult flaws. After the responsible disclosure time he can do with it whatever he wants. That´s why Sony needs to patch it or ask the "researcher" for more time

 

[godreborn]

that is false. Typically, responsible disclosure guidelines allow vendors 60 to 120 business days to patch a vulnerability. Often, vendors negotiate with researchers to modify the schedule to allow more time to fix difficult flaws

Not true. They cannot disclose exploits that are closed source.

 

[Hayato213]

that is false. Typically, responsible disclosure guidelines allow vendors 60 to 120 business days to patch a vulnerability. Often, vendors negotiate with researchers to modify the schedule to allow more time to fix difficult flaws. After the responsible disclosure time he can do with it whatever he wants. That´s why Sony needs to patch it or ask the "researcher" for more time

Yup it says 60 - 120 days to patch it

https://www.techtarget.com/searchsecurity/definition/vulnerability-disclosure

 

[godreborn]

like I said, they can't disclose closed source based on the nda, non-disclosure agreement, that you sign with hackerone.

 

[Blavla]

Not true. They cannot disclose exploits that are closed source.

Blueray and driver for it is not owned by sony. So after the time period he can if he will