TheFlow has discovered a major exploit called bd-jb for PS3, PS4, and PS5, which can be used to load game backups burned to discs


One of the PlayStation scene's most notable figures, TheFlow (Andy Nguyen), is back at it again. He has discovered a major exploit that affects not just one PlayStation console, but three. A HackerOne report by TheFlow sheds light on five vulnerabilities that range in effectiveness, allowing users to load payloads that can be used to exploit the PlayStation 3, PlayStation 4, and even the PlayStation 5. The exploit is referred to as bd-jb, or the Blu-ray Disc Java Sandbox Escape, and was featured during a panel at this year's hardwear.io security conference.

Below are 5 vulnerabilities chained together that allow an attacker to gain JIT capabilities and execute arbitrary payloads. The provided payload triggers a buffer overflow that causes a kernel panic. Please consider each of the vulnerabilities individually. AFAIK, this is the first exploit chain that is being submitted to you :)

According to Nguyen's report, a UDF driver can cause an overflow on both the PS4 and the PS5. An exploit chain, aka bd-jb, can then be loaded as the payload from a burned Blu-ray disc. The hack, in summary, will allow users to burn physical discs of game backups and then play them on their consoles. This affects PlayStation 4 consoles below OFW 9.50, and PlayStation 5 systems below OFW 5.0.

With these vulnerabilities, it is possible to ship pirated games on Blu-ray discs. That is possible even without a kernel exploit as we have JIT capabilities.

TheFlow's panel that discusses the exploit in detail will be uploaded in "a few weeks". The full HackerOne report and all of its technical details can be read at the source link below.

Following the initial report, TheFlow made an update to his claims.

Source

godreborn

Welcome to the Machine
Well actually he is correct about it,

The vulnerability was submitted on March 21, 2020, patched by Sony in firmware 7.50 on April 22nd, 2020.
I didn't say he was incorrect, I said that the agreement you sign with HackerOne and Sony says you can't disclose certain things. Like you can't just disclose keys without getting into trouble. What you disclose can get you kicked out of HackerOne, permanently. Read the agreement Sony posted for things that can not be disclosed.
 

Marc_LFD

Well-Known Member
So Sony knew about the exploits of 5.05 - 9.00, but weren't able to stop it?

Hackers inform Sony and then are allowed to publicly announce?

I'm just curious, sorry for sounding confused.
 

godreborn

Welcome to the Machine
Yes, so it's a win-win for the most part: hackers get money and notoriety and Sony further protects their systems. I'm pretty sure the only systems on HackerOne are PS4 and PS5, no Vita or PS3.
 

godreborn

Welcome to the Machine
I believe it's hackerone that has this agreement rather than sony (they are a member), but the latest firmware is refrained from being exploited and disclosed while it's the latest I think, because I think that falls in line with something that could potentially hurt customers or their products. if you were a part of the ps3 scene once the first exploits were released on the latest firmware, it was a disaster. people getting banned, then unbanning themselves with an idps of all 0's (f*ckpsn), banning others themselves by stealing their idps, adding funds to their wallets from nothing, massive cheating, etc. though, sony was unprepared after stating their system was unhackable. massive cheating isn't exactly patched, but all the others are. I feel sorry for the legit users who had to endure that.
 

EnigmaExodus

Member
HackerOne just serves as a connection between the researcher and vendor. It is Sony who sets the disclosure rules. Knowing the past animosity of Sony towards exploits and homebrew, it does seem rather generous.
 

godreborn

Welcome to the Machine
I need to write a blog about what I'm thinking, been meaning to. I've thought about quitting for a long time (since the ps3 days), except I'd have no ties to the outside world being on disability. all I do is come here to help others, so it upsets me when I'm attacked or others insult my intelligence/question my intentions. I have discord now, since November of last year, so I could go there to have contact with others. I've been talking on there with my friend @Glyptofane , he's the one who tells me about all those sales, usually by way of Wario64. I then relay them here, usually in @KiiWii 's thread if anyone even buys games anymore. a lot of ridiculous deals up to 90% off.
 

EnigmaExodus

Member
I apologise if my post was considered an insult. I was just laying down some facts about how the process works here.

What specifically is your blog going to discuss?
 

godreborn

Welcome to the Machine
it wasn't your post. it's the grand cumulative number of times I've been treated disrespectfully. it reminds me of my real life, at the jobs I've been at. I'm not going to put up with it much longer, I don't care if I have to drop everybody. my blog is going to be about that. I can go to discord if I have to, I have several people in dm on there. before, I only had websites to go to. now, I'm a member of 10-12 channels, mostly dev channels, so I learn more there than anywhere else, which is my primary goal.
 

smf

Well-Known Member
HackerOne just serves as a connection between the researcher and vendor. It is Sony who sets the disclosure rules. Knowing the past animosity of Sony towards exploits and homebrew, it does seem rather generous.
I think Sony realized that paying people money to explain the exploits was cheaper and more effective than waking up to find a released exploit that they then have to reverse engineer.
 

iLL wiLL

Well-Known Member
Is it really worth it??? The games are HUGE!!! I have both a PS4 Pro & PS5 that I bought broken from Value Pawn for $40 (PS4 Pro) & $65 (PS5 disc version), which were stuck with FW issues that took me 2 hrs to fix. One had a game stuck inside lol.
 