PlayStation 4 and PlayStation 5: Manipulated USB stick enabled jailbreak

A hacker has discovered a vulnerability in Sony’s implementation of the exFAT file system. This made it possible to jailbreak PS4 and PS5 using a manipulated USB stick.

Google security researcher Andy Nguyen has discovered a vulnerability in the code that handles exFAT file systems on Sony’s PlayStation 4 and PlayStation 5. Because of it, an attacker could inject code at the kernel level simply by plugging in a manipulated USB stick, which makes a jailbreak possible. Sony has confirmed the vulnerability and paid Nguyen a $10,000 reward.

Nguyen goes by the handle @theflow0 online and reported the vulnerability to Sony via the HackerOne bug bounty platform. The vulnerability stems from an integer conversion from 64 to 32 bits in a size variable used to allocate the uppercase table: the fields dataLength and size are 64 bits wide, while the size parameter of the function sceFatfsCreateHeapVl() is only 32 bits.

In the bug report, Nguyen goes on to explain that large values of dataLength therefore result in only a small buffer being created. When UVFAT_ReadDevice() is subsequently called, the heap buffer overflows and corrupts the objects that follow it on the heap. The vulnerability allows heap buffers to be created in multiples of 512 bytes, and objects such as the usb_endpoint structure, which contains pointers of interest, could be manipulated in this way.
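The narrowing described above, as an added illustration that is not Sony’s code or Nguyen’s report: a hypothetical allocator whose size parameter is 32 bits receives a 64-bit dataLength, so a constructed value of 4 GiB + 512 produces a 512-byte buffer that a full-length read would overrun, while a checked variant rejects the length before any allocation happens (the upper bound is a constructed value).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical allocator mirroring the point made above: the size
 * parameter is 32 bits wide, while the caller's dataLength is 64 bits. */
static uint32_t heap_alloc_size_vulnerable(uint64_t data_length) {
    /* Implicit narrowing: the high 32 bits are silently dropped. */
    uint32_t size = (uint32_t)data_length;
    return size;
}

/* Bytes that a read of data_length bytes would write past a buffer sized
 * with the truncated value (0 when nothing was truncated). */
static uint64_t overflow_bytes(uint64_t data_length) {
    uint32_t allocated = heap_alloc_size_vulnerable(data_length);
    return data_length > allocated ? data_length - allocated : 0;
}

/* Hardened variant: reject any length that does not fit the allocator's
 * 32-bit size and anything beyond a plausible bound for an up-case table
 * (the bound is a constructed value, not one from the original code). */
#define UPCASE_TABLE_MAX_BYTES (1u << 20)

static bool heap_alloc_size_checked(uint64_t data_length, uint32_t *out) {
    if (data_length == 0 || data_length > UINT32_MAX) return false;
    if (data_length > UPCASE_TABLE_MAX_BYTES) return false;
    *out = (uint32_t)data_length;
    return true;
}

int main(void) {
    /* Constructed on-disk value: 4 GiB + 512. Truncated to 32 bits it
     * becomes 512, so a 512-byte heap buffer would receive a 4 GiB read. */
    uint64_t length = 0x100000200ULL;
    uint32_t accepted = 0;
    printf("truncated size: %u bytes, overflow: %llu bytes\n",
           heap_alloc_size_vulnerable(length),
           (unsigned long long)overflow_bytes(length));
    printf("checked allocation accepted: %s\n",
           heap_alloc_size_checked(length, &accepted) ? "yes" : "no");
    return 0;
}
```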

Or, as Nguyen sums it up in simple terms: jailbreak the PS4/PS5 by plugging in a USB stick and gaining kernel code execution directly. The vulnerability has been assigned CVE-2022-3349. There is still disagreement about its severity: NIST is still analysing the vulnerability and currently rates it CVSS 6.8 (medium), while the HackerOne report shows a CVSS range of 7 to 8.9 (high).

Since Sony has confirmed the vulnerability and paid a reward, and the case history goes back a year, the chances that the vulnerability is still present in the current firmware version of your own PlayStation are slim. But there are other vulnerabilities, for example in the PS2 emulator, that should allow you to run your own code.
