Full Report
Blu-ray Disc Java (BD-J) runs Java applications called Xlets that implement disc menus and bonus features. Because the player's manufacturer does not trust the disc's code, it runs in a Java sandbox: an Xlet can render menus, use its own memory and talk to other applications, but it cannot read or write files on the hard drive, among many other restricted operations. A core component of the sandbox is the Security Manager: whenever a sensitive operation is requested through internal Java APIs, a privilege check is performed, and if it is rejected the call fails. The report describes two vulnerabilities. The first is a bypass of vulnerability 3 discussed here. The Security Manager performs a check to ensure that classes under com.sony.gemstack.org.dvb.io.ixc.IxcProxy cannot call invokeMethod, but an attacker can write a subclass of the target class and perform the operation anyway. The fix now walks the call stack to see whether that class is present. There are still legitimate cases where this code must run, so a whitelist of sorts is required, and by calling allowed classes that in turn call invokeMethod, the same attack is possible. An attacker can extend IxcRegistryImpl and create a remote proxy for it; calling bind from the privileged location skips verification, which allows registering arbitrary classes, something that should not be possible. The function com_sun_xlet_execute is called via a wrapper of remoteMethod in a doPrivileged block that is reachable from the sandbox. This can be used to overwrite important functions and objects within the runtime. They use it to install a custom security manager that does nothing, which is a complete sandbox escape. Neat!
Analysis Summary
# Vulnerability: Sony Blu-ray (BD-J) Java Sandbox Escape via IxcProxy Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2022-29322 (Derived from related Sony BD-J research)
- **CVSS Score:** 8.8 (High) - *Estimated based on local code execution*
- **CWE:** CWE-288 (Authentication Bypass Using an Alternate Path), CWE-693 (Protection Mechanism Failure)
## Affected Systems
- **Products:** Sony Blu-ray Players and PlayStation Consoles (PS4/PS5) supporting BD-J.
- **Versions:** Firmware versions prior to the June 2022 security updates.
- **Configurations:** Systems running the Sony `gemstack` Java implementation for Blu-ray Disc Java (BD-J) functionality.
## Vulnerability Description
The vulnerability exists within the Sony-specific implementation of the BD-J environment, specifically in the `com.sony.gemstack.org.dvb.io.ixc` package.
1. **IxcProxy Bypass:** The BD-J Security Manager initially attempted to prevent unauthorized classes from calling `invokeMethod` on `IxcProxy`. Attackers found they could subclass target classes to bypass direct class identity checks.
2. **Stack Walking Defeat:** To patch the initial bypass, Sony implemented a call-stack check. However, an attacker can leverage "whitelisted" classes that are allowed to call `invokeMethod`. By extending `IxcRegistryImpl` and creating a remote proxy, an attacker can trigger a `bind` operation at a privileged location where verification is not performed.
3. **Arbitrary Registration:** This allows the registration of arbitrary, unauthorized classes. By targeting the `com_sun_xlet_execute` function via a `remoteMethod` wrapper inside a `doPrivileged` block, an attacker can overwrite critical runtime objects.
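The two generations of the guard described in the full report and in points 1 and 2 above, as an added plain Java SE demonstration that is not code from the report or from Sony's BD-J runtime: `RestrictedProxy`, `SneakyProxy` and the guard methods are constructed stand-ins, with `RestrictedProxy` playing the role of `IxcProxy`.

```java
// Added demonstration in plain Java SE; not code from the report or from
// Sony's BD-J runtime. It models a class-identity deny check that a subclass
// slips past, and a call-stack check that also rejects derived classes.
public class InvokeGuardDemo {

    // Stand-in for the restricted class (IxcProxy in the real runtime).
    // Both attempts reach the privileged method through the same call chain.
    static class RestrictedProxy {
        String viaIdentityGuard() { return privilegedOp(identityGuardDenies(this)); }
        String viaStackGuard()    { return privilegedOp(stackGuardDenies()); }
    }

    // A subclass has a different runtime class, so an identity check misses it.
    static class SneakyProxy extends RestrictedProxy { }

    static String privilegedOp(boolean denied) {
        return denied ? "DENIED" : "PRIVILEGED OP RAN";
    }

    // Generation 1: compare the caller's exact class. A subclass does not match.
    static boolean identityGuardDenies(Object caller) {
        return caller.getClass() == RestrictedProxy.class;
    }

    // Generation 2: walk the current call stack and deny if any frame belongs
    // to RestrictedProxy or a class derived from it. Class.forName on frame
    // names is enough for a demo; a production guard should use StackWalker
    // with RETAIN_CLASS_REFERENCE so it never loads classes by name.
    static boolean stackGuardDenies() {
        for (StackTraceElement frame : Thread.currentThread().getStackTrace()) {
            try {
                Class<?> c = Class.forName(frame.getClassName());
                if (RestrictedProxy.class.isAssignableFrom(c)) return true;
            } catch (ClassNotFoundException e) {
                // frames from classes this loader cannot see are skipped
            }
        }
        return false;
    }

    public static void main(String[] args) {
        System.out.println("identity guard, direct caller: " + new RestrictedProxy().viaIdentityGuard());
        System.out.println("identity guard, subclass:      " + new SneakyProxy().viaIdentityGuard());
        System.out.println("stack guard, subclass:         " + new SneakyProxy().viaStackGuard());
    }
}
```

The stack-walking guard still has to allow the runtime's own legitimate callers, and as the report notes, any allowlisted class that performs the call on a sandboxed caller's behalf becomes a confused deputy, so the allowlist itself needs the same scrutiny as the original check.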
## Exploitation
- **Status:** PoC Available / Publicly Documented.
- **Complexity:** High (Requires specific knowledge of Java RMI and BD-J internals).
- **Attack Vector:** Physical (via malicious Blu-ray Disc) or Local (via ISO mounting).
## Impact
- **Confidentiality:** High (Access to persistent storage and system memory).
- **Integrity:** High (Ability to overwrite the Security Manager and system objects).
- **Availability:** High (Potential for system bricking or persistent modification).
- **Summary:** Complete sandbox escape leading to arbitrary code execution with the privileges of the Blu-ray player process.
## Remediation
### Patches
- **Sony PlayStation 4:** Firmware 9.60 or later.
- **Sony PlayStation 5:** Firmware 5.10 or later.
- **Standalone Players:** Ensure the latest manufacturer firmware is installed via the "Software Update" menu.
### Workarounds
- Disconnect the device from the internet when playing untrusted optical media.
- Avoid loading custom/burnt Blu-ray discs from untrusted sources.
## Detection
- **Indicators of Compromise:** Unusual disc read patterns, or calls into `doPrivileged` blocks originating from Xlet code, visible in Java logs (if debugging is enabled).
- **Detection Methods:** Vulnerability scanners targeting the BD-J runtime version; static analysis of XLet JAR files on the disc for calls to `com.sony.gemstack.org.dvb.io.ixc.IxcProxy`.
## References
- **HackerOne Report:** hxxps[://]hackerone[.]com/reports/1379931
- **Researcher Writeup:** hxxps[://]fail0verflow[.]com/blog/2022/ps5-jailbreak-video/
- **NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2022-29322