TheFlow has discovered a major exploit called bd-jb for PS3, PS4, and PS5, can be used to load game backups burned to discs
One of the PlayStation scene's most notable figures, TheFlow (Andy Nguyen), is back at it again. He's discovered a major exploit that affects not just one PlayStation console, but three. A hackerone report by TheFlow sheds light on five vulnerabilities that range in effectiveness, allowing users to load payloads that can be used to exploit the PlayStation 3, PlayStation 4, and even the PlayStation 5. The exploit is referred to as bd-jb, or the Blu-ray Disc Java Sandbox Escape, and was featured during a panel at this year's hardwear.io security conference.
Below are 5 vulnerabilities chained together that allows an attacker to gain JIT capabilities and execute arbitrary payloads. The provided payload triggers a buffer overflow that causes a kernel panic. Please consider each of the vulnerabilities individually. AFAIK, this is the first exploit chain that is being submitted to you
According to Nguyen's report, a UDF driver can cause an overflow on both the PS4 and the PS5. An exploit chain, aka bd-jb, can then be loaded as the payload as a burned Blu-ray disc. The hack, in summary, will allow users to burn physical discs of game backups, and then play them on their consoles. This affects PlayStation 4 consoles below OFW 9.50, and PlayStation 5 systems that are below OFW 5.0.
With these vulnerabilities, it is possible to ship pirated games on bluray discs. That is possible even without a kernel exploit as we have JIT capabilities.
TheFlow's panel that discusses the exploit in detail will be uploaded in "a few weeks". The full hackerone report and all of its technical details can be read about below.
Following the initial report, TheFlow made an update to his claims.
I wanted to clarify: Without a kernel exploit, you won't be able to run any pirated games (which would have worked on the PS4 only anyways), because we don't have enough RAM in the bd-j process and there are some other constraints. It was only a theoretical impact.— Andy Nguyen (@theflow0) June 11, 2022