TheFlow has discovered a major exploit called bd-jb for PS3, PS4, and PS5, can be used to load game backups burned to discs


One of the PlayStation scene's most notable figures, TheFlow (Andy Nguyen), is back at it again. He has discovered a major exploit that affects not just one PlayStation console, but three. A HackerOne report by TheFlow sheds light on five vulnerabilities that range in effectiveness, allowing users to load payloads that can be used to exploit the PlayStation 3, PlayStation 4, and even the PlayStation 5. The exploit is referred to as bd-jb, or the Blu-ray Disc Java Sandbox Escape, and was featured during a panel at this year's hardwear.io security conference.

Below are 5 vulnerabilities chained together that allow an attacker to gain JIT capabilities and execute arbitrary payloads. The provided payload triggers a buffer overflow that causes a kernel panic. Please consider each of the vulnerabilities individually. AFAIK, this is the first exploit chain that is being submitted to you :)

According to Nguyen's report, a UDF driver can cause an overflow on both the PS4 and the PS5. An exploit chain, aka bd-jb, can then be loaded as the payload from a burned Blu-ray disc. The hack, in summary, will allow users to burn physical discs of game backups and then play them on their consoles. This affects PlayStation 4 consoles below OFW 9.50, and PlayStation 5 systems that are below OFW 5.0.

With these vulnerabilities, it is possible to ship pirated games on Blu-ray discs. That is possible even without a kernel exploit as we have JIT capabilities.



TheFlow's panel that discusses the exploit in detail will be uploaded in "a few weeks". The full HackerOne report and all of its technical details can be read below.

Following the initial report, TheFlow made an update to his claims.




chrisrlink

This mf just opened up Pandora's Box and this is gonna turn out to be the second coming of the "G-Hotz" saga. TheFlow better lawyer up, lol.
Doubt that will happen; he wouldn't disclose if Sony put him under an NDA. Sony's been gracious enough to allow hax after they are patched. There's a reason SciresM didn't disclose fusée gelée directly to Nintendo (he disclosed it to Nvidia, the chip maker) or we'll never have that exploit EVER.

TomRiddle

Awesome, but sad that Sony was able to patch it; imagine running homebrew on a PlayStation system while still being able to go online.

Yeah, homebrew is great but one of the biggest unfortunate disadvantages is that it's too risky for most to install cfw on PS5, let alone run backups if you still want online support.

Now don't get me wrong, it's still always possible to be careful, but overall the better thing when hacking systems is to accept and be fine with the chance of losing online support imo.

godreborn

Yeah, homebrew is great but one of the biggest unfortunate disadvantages is that it's too risky for most to install cfw on PS5, let alone run backups if you still want online support.

Now don't get me wrong, it's still always possible to be careful, but overall the better thing when hacking systems is to accept and be fine with the chance of losing online support imo.
I agree. I personally don't think exploited consoles for any system should be online. It just ruins it for legit players often enough.

EnigmaExodus

So Sony didn't know one of the most basic things about Java's built-in object serialization?

So many exploits revolve around that feature, it has so much power and you have to be really careful with it.
You have to remember this is coming from the same people who thought using a constant random-value for ECDSA signatures was a good idea...

https://media.ccc.de/v/27c3-4087-en-console_hacking_2010

Seemingly Sony is trying to play nice with hackers instead of DMCA/lawsuit bullshit from years past.

TomRiddle

I agree. I personally don't think exploited consoles for any system should be online. It just ruins it for legit players often enough.

I mean, if you're specifically talking about people who abuse homebrew to cheat in online games then yeah, you have a point.

It sucks because those types of people are ruining online functionality for those who just want to hack their consoles for getting themes or whatever, so I still see why consoles ban you for putting cfw (although I mostly disagree with it).

godreborn

I mean, if you're specifically talking about people who abuse homebrew to cheat in online games then yeah, you have a point.

It sucks because those types of people are ruining online functionality for those who just want to hack their consoles for getting themes or whatever, so I still see why consoles ban you for putting cfw (although I mostly disagree with it).
Well, there's that. I also don't think you should be able to sync trophies or achievements. It's unfair to have all the amenities of being legit when most do not even pay for games. It's a catch-22, really. You have to be willing to sacrifice certain aspects of the console if you're going to exploit it.

gudenau

You have to remember this is coming from the same people who thought using a constant random-value for ECDSA signatures was a good idea...

https://media.ccc.de/v/27c3-4087-en-console_hacking_2010

Seemingly Sony is trying to play nice with hackers instead of DMCA/lawsuit bullshit from years past.

To be fair, there is more precedent for that stuff to fail now.

Plus this was submitted to a bug bounty website so it could be fixed.

chrisrlink

The worst part of HackerOne: anyone can submit a working exploit even if it isn't theirs (a good example is a former member on here who was blacklisted by a lot of devs for infiltrating teams and stealing exploit code and selling it to Nintendo via HackerOne).

CanIHazWarez

The worst part of HackerOne: anyone can submit a working exploit even if it isn't theirs (a good example is a former member on here who was blacklisted by a lot of devs for infiltrating teams and stealing exploit code and selling it to Nintendo via HackerOne).
That's a problem. But also, the real worst part is that the exploits get patched :rofl:

Blavla

This mf just opened up Pandora's Box and this is gonna turn out to be the second coming of the "G-Hotz" saga. TheFlow better lawyer up, lol.
Why should he? He even sold that to Sony (10K, I think); he is allowed to share it after Sony patches it.

Blavla

Yeah, Sony is the one who decides whether an exploit can be disclosed to the public, so theflow0 won't be sued.
That is false. Typically, responsible disclosure guidelines allow vendors 60 to 120 business days to patch a vulnerability. Often, vendors negotiate with researchers to modify the schedule to allow more time to fix difficult flaws. After the responsible disclosure time he can do with it whatever he wants. That's why Sony needs to patch it or ask the "researcher" for more time.

godreborn

That is false. Typically, responsible disclosure guidelines allow vendors 60 to 120 business days to patch a vulnerability. Often, vendors negotiate with researchers to modify the schedule to allow more time to fix difficult flaws.
Not true. They cannot disclose exploits that are closed source.

Hayato213

That is false. Typically, responsible disclosure guidelines allow vendors 60 to 120 business days to patch a vulnerability. Often, vendors negotiate with researchers to modify the schedule to allow more time to fix difficult flaws. After the responsible disclosure time he can do with it whatever he wants. That's why Sony needs to patch it or ask the "researcher" for more time.

Yup, it says 60-120 days to patch it.

https://www.techtarget.com/searchsecurity/definition/vulnerability-disclosure