Full Report
The PS5 has a major bug bounty program. The author, a legend in the PlayStation hacking scene, decided to look into this device. After surveying the attack surface, they chose to look at the PlayStation 2 emulator, because the privileged JIT code had been removed from other parts of the system and a bug there would be unpatchable once found. Initially, the author needed code execution within the context of the game running in the emulator. This was done with a known save game exploit for Okage Shadow King, a standard buffer overflow in the player/town name. Since the PS2 had no exploit mitigations, this was trivial.

Now it was time to reverse engineer the emulator itself. While reviewing the code for the memory read/write callbacks, the author noticed a missing bounds check on the buffered operations. This allowed writing 16 times the allowed amount of data; the bug had several variants in other locations. Using this first vulnerability, a status index in use can be overwritten, which gives the ability to write an arbitrary byte to an offset of 4 bytes. Since this is relative to a static buffer, ASLR can be defeated with the relative write. The vulnerability above allows a set of function pointers within the program to be corrupted, and since no CFI is enabled, arbitrary functions can be called. Additionally, the called function returns a value in EAX, which could be used for a very strange read call.

The PS5 has ASLR turned on, which needs to be defeated. One way would have been a Spectre-like side channel attack. In this case, they found that a relative overwrite of the function pointer, pointing it at code that returned immediately, leaked pointers through the value written to EAX. From this leak they could gather the offsets they needed for the rest of the eboot binary: they knew where the executable, read/write and read-only pages were. This allowed further gadgets to be found within this part of the system.
They found a gadget to leak the stack address, using the code execution technique above. Single code gadgets are nice, but not powerful enough. Instead, the author wanted to be able to execute arbitrary ROP chains of multiple gadgets at a time by pivoting the stack pointer. To pivot the stack, several nested calls had to be made to control the value in ESP. To load a custom game, a few things could be done, such as using the USB ports or networking. The program had to be put into a recognizable state, but arbitrary PS2 games could now be loaded onto the system. In part 2, they will get arbitrary code execution outside the emulator for a homebrew-like experience.
Analysis Summary
# Vulnerability: PS5 PlayStation 2 Emulator Memory Corruption leading to Arbitrary Code Execution (Emulator Context)
## CVE Details
- CVE ID: Not explicitly assigned in the summary. (The vulnerabilities described were likely zero-days at the time of discovery.)
- CVSS Score: Not explicitly provided. (Severity is implied as High/Critical due to arbitrary code execution)
- CWE: CWE-120 (Buffer Copy without Checking Size of Input) likely applies to the initial overflow; CWE-840 (Improper Restriction of Pointer Access) or CWE-20 (Improper Input Validation) based on the bounds check issue.
## Affected Systems
- Products: Sony PlayStation 5 (PS5) running the integrated PlayStation 2 (PS2) Emulator component.
- Versions: Specific vulnerable versions are not mentioned, but the context implies firmwares released prior to any associated patch.
- Configurations: Systems running the PS2 emulation feature.
## Vulnerability Description
This summary describes a chained exploit targeting the PS2 emulator running on the PS5. The attack leverages two primary vulnerabilities:
1. **Initial Code Execution (Emulator Context):** Achieved via a known *Okage Shadow King* save game buffer overflow in the player/town name field, exploiting the lack of PS2 exploit mitigations within the emulated environment. This grants code execution within the context of the game running inside the emulator.
2. **Out-of-Bounds Write in Emulator Host Code:** During reverse engineering of the emulator's memory read/write callbacks, a **missing bounds check** on buffered operations was discovered. This allows an attacker to write **16 times the intended amount of data**, leading to memory corruption.
The first vulnerability is leveraged to manipulate a status index, leading to an arbitrary byte write at a fixed offset (4 bytes relative to a static buffer). This bypasses ASLR due to the predictable relative write location and subsequently corrupts adjacent function pointers within the main program (`eboot`). Since Control Flow Integrity (CFI) is absent in this component, this leads to **arbitrary function call execution** within the emulator process context. Further techniques were used to leak program pointers (bypassing PS5 ASLR) and construct Return-Oriented Programming (ROP) chains, allowing the loading of custom PS2 games.
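The missing bounds check on the buffered memory read/write callbacks (described in the report above and in point 2) is the kind of host-side defect that turns a guest-controlled length into a write 16 times larger than intended. As an added illustration, not code from the write-up or from Sony's emulator, here is a hypothetical callback in that shape next to a hardened version; the 64-byte window, the 16-byte element width, the adjacent status index and the `status_after_write` helper are all assumptions made for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout for this demo: a static 64-byte window that buffered guest
 * writes land in, followed directly by a 4-byte status index (the kind of state the
 * write-up says gets corrupted). The 16-byte element width is an assumption. */
#define WINDOW_BYTES 64
#define ELEM_BYTES   16
#define STATE_BYTES  (WINDOW_BYTES + 4)

typedef struct { uint8_t mem[STATE_BYTES]; } host_state_t;

uint32_t status_index(const host_state_t *st) {
    uint32_t v;
    memcpy(&v, st->mem + WINDOW_BYTES, sizeof v);
    return v;
}

/* Vulnerable shape: the bounds check treats count as bytes, but the copy moves
 * count 16-byte elements, so up to 16x the checked amount is written. */
bool buffered_write_vuln(host_state_t *st, uint32_t offset, const uint8_t *src, uint32_t count) {
    if (offset > WINDOW_BYTES || count > WINDOW_BYTES - offset)
        return false;
    memcpy(st->mem + offset, src, (size_t)count * ELEM_BYTES);
    return true;
}

/* Hardened: check the byte count, computed in 64 bits so it cannot wrap. */
bool buffered_write_fixed(host_state_t *st, uint32_t offset, const uint8_t *src, uint32_t count) {
    uint64_t bytes = (uint64_t)count * ELEM_BYTES;
    if (offset > WINDOW_BYTES || bytes > (uint64_t)(WINDOW_BYTES - offset))
        return false;
    memcpy(st->mem + offset, src, (size_t)bytes);
    return true;
}

/* Issues one write through the chosen callback on a zeroed state and returns the
 * status index afterwards (0 means untouched). Source bytes are constructed (all 0x41).
 * Keep count <= 4 so the vulnerable copy stays inside this demo's host_state_t. */
uint32_t status_after_write(bool use_fixed, uint32_t offset, uint32_t count, bool *accepted) {
    host_state_t st;
    uint8_t src[WINDOW_BYTES];
    memset(&st, 0, sizeof st);
    memset(src, 0x41, sizeof src);
    *accepted = use_fixed ? buffered_write_fixed(&st, offset, src, count)
                          : buffered_write_vuln(&st, offset, src, count);
    return status_index(&st);
}
```

With offset 4 and count 4 the vulnerable check sees 8 bytes and passes, but 64 bytes are copied and the status index is clobbered; the hardened check rejects the same call and only accepts writes that fit the window.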
## Exploitation
- Status: PoC developed and demonstrated internally (implied by the description of the successful chain). Not reported as exploited in the wild based solely on this text.
- Complexity: High (Requires deep reverse engineering of the emulator, chaining two distinct exploits, and defeating system-level ASLR through information leaks).
- Attack Vector: Local (Requires the ability to provide a malicious save file or exploit the entry point via the PS2 environment).
## Impact
- Confidentiality: High (Successful exploitation yields information leaks such as stack addresses and ASLR offsets).
- Integrity: Critical (Arbitrary function pointer corruption leading to code execution within the emulator process).
- Availability: Medium (Potential for system instability or crash, but the immediate goal was system modification/code execution).
## Remediation
### Patches
- No specific patch versions are mentioned as the report is describing the discovery phase prior to a public disclosure/patch release.
### Workarounds
- None explicitly stated, as the described vulnerability chain is complex and relies on flaws in the emulator design (e.g., missing bounds checks and lack of CFI). Limiting access to the PS2 emulation feature (if possible) would be a theoretical interim step.
## Detection
- **Indicators of Compromise:** Anomalous memory operations within the PS2 emulation process, particularly large memory writes in specific callback handlers, unexpected function pointer modifications, or ROP gadget execution sequences.
- **Detection Methods and Tools:** Monitoring memory access patterns and flow control within the PS2 emulator sandbox.
## References
- Vendor advisories: None provided.
- Relevant links - defanged: None provided.