TheFlow confirms his bd-jb exploit still works on PS5 latest firmware 7.61


PlayStation hacker TheFloW has confirmed that his BD-JB exploit still works on the latest PS5 Firmware.

The complete BD-JB exploit chain, which constitutes a usermode entry point for hacks on the PS4/PS5, was originally made of 5 separate exploits, which TheFloW had disclosed last year:

  1. The class com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl deserializes the userprefs file under a privileged context using readObject(), which is insecure.
  2. The class com.oracle.security.Service contains a method newInstance which calls Class.forName on an arbitrary class name. This allows arbitrary classes, even restricted ones (for example in sun.), to be instantiated.
  3. The class com.sony.gemstack.org.dvb.io.ixc.IxcProxy contains the protected method invokeMethod which can call methods under a privileged context. Permission checks in methods can be bypassed.
  4. (PS4 only) The “compiler receiver thread” receives a structure of size 0x58 bytes from the runtime process. An attacker can simply send an untrusted pointer and the compiler receiver thread will copy data from the request into its memory. In other words, we have a write-what-where primitive.
  5. The UDF driver https://github.com/williamdevries/UDF, which is used on the PS4 and PS5, contains a buffer overflow.
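
As an added illustration of item 1 (not code from BD-J, Sony or TheFloW): a hypothetical UserPrefsLoader that reads a preferences file the insecure way, beside the same read with a JEP 290 deserialization filter that allow-lists the only types the file should ever contain.

```java
import java.io.*;
import java.util.*;
// Hypothetical stand-in for a component that reads a "userprefs" file with
// ObjectInputStream.readObject(); not BD-J, Sony or TheFloW code.
public class UserPrefsLoader {
    // Vulnerable pattern: every class the file names is resolved and instantiated before
    // the caller sees anything, so whoever writes the file decides which code runs.
    static Object loadUnfiltered(File prefsFile) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(prefsFile))) {
            return in.readObject();
        }
    }
    // Hardened pattern (Java 9+, JEP 290): allow-list the only types a preferences map may
    // contain (Number: Integer's superclass; Map.Entry: HashMap's bucket array is filter-checked).
    static final Set<Class<?>> ALLOWED = Set.of(HashMap.class, Map.Entry.class,
        String.class, Number.class, Integer.class, Boolean.class);
    static ObjectInputFilter prefsFilter() {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // depth/ref-count callbacks
            while (c.isArray()) c = c.getComponentType();           // judge arrays by element type
            return ALLOWED.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                       : ObjectInputFilter.Status.REJECTED;
        };
    }
    static Object loadFiltered(File prefsFile) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(prefsFile))) {
            in.setObjectInputFilter(prefsFilter());
            return in.readObject(); // InvalidClassException if any class was rejected
        }
    }
    // Writes a constructed sample file in place of whatever produced the real one.
    static File write(Object o) throws IOException {
        File f = File.createTempFile("userprefs", ".ser");
        try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f))) {
            out.writeObject(o);
        }
        return f;
    }
    public static void main(String[] args) throws Exception {
        Map<String, Object> prefs = new HashMap<>(); // constructed sample preferences
        prefs.put("language", "en"); prefs.put("volume", 7); prefs.put("subtitles", true);
        System.out.println("filtered, expected types : " + loadFiltered(write(prefs)));
        File foreign = write(new Date()); // a type a preferences file should never carry
        System.out.println("unfiltered, foreign type : " + loadUnfiltered(foreign).getClass());
        try { loadFiltered(foreign); } catch (InvalidClassException e) {
            System.out.println("filtered, foreign type   : rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter only bounds which classes may be instantiated; the data written by a trusted process must still be treated as untrusted input when it lives in storage an attacker can reach.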

This BD-JB hack is currently actively used on PS5 Firmwares 3.00 to 4.51, as an entry point to the kernel exploit which allows hacking these firmwares. (As an alternative to the BD-JB exploit, many of us use a webkit exploit instead, although in both cases the goal is to then trigger the same kernel exploit for privilege escalation.)

What is a bit surprising is that the hacker had stated a while ago that the BD-JB vulnerabilities (or some of them) had been fixed in PS5 Firmware 5.00. It is unclear to me if he has found additional exploits to reactivate the chain, if some bugs were reintroduced, if Sony never properly patched the exploits, or if it is something else. It would appear Sony simply never bothered to patch the vulnerability.

Multiple usermode exploits already exist on the PS5

A new tweet from TheFloW regarding PS5 exploits is always a nice treat, but usermode exploits for the PS5 are not the main issue that the scene is facing on new firmwares. Mast1c0re, for example, is still an entry point that works on recent firmwares, and hackers have stated that more usermode entry points exist on the PS5. From CrazyVoid recently:

Kernel exploits (and more) remain the bigger issue on the PS4 and PS5, to get more people access to a hackable console.


Source: TheFloW