PlayStation discloses “severe” Use-After-Free kernel vulnerability

Researcher awarded a $10,000 bounty for reporting the bug

Ax Sharma
2 min read · Jul 7, 2020

Originally published at securityreport.com on July 7, 2020.

PlayStation has disclosed a severe use-after-free vulnerability in the PS4 kernel, more than three months after it was reported.

The vulnerability, discovered by researcher Andy Nguyen, affects PS4 firmware versions 7.02 and below. After building a working proof-of-concept (PoC) exploit, the researcher reported the flaw to the company in March 2020.

If chained with a WebKit/Chromium vulnerability (such as CVE-2018-4386, which affects PS4 firmware versions up to 6.72), an attacker could:

  • Achieve a fully chained remote attack on a console.
  • Steal or modify user data.
  • Dump and run pirated games on the console.

“Due to missing locks in option IPV6_2292PKTOPTIONS of setsockopt, it is possible to race and free the struct ip6_pktopts buffer, while it is being handled by ip6_setpktopt,” states Nguyen in the HackerOne coordinated disclosure made public yesterday.

“This structure contains pointers (ip6po_pktinfo) that can be hijacked to obtain arbitrary kernel R/W…
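The race the quoted report describes, as an added illustrative model written for this article (it is not PS4 kernel, FreeBSD, or Nguyen's code): thread A handles setsockopt(IPV6_2292PKTOPTIONS) and is holding a raw pointer to the socket's struct ip6_pktopts when it gets preempted; thread B frees that buffer through the same option, a second socket reclaims the slot, and thread A's store of ip6po_pktinfo therefore lands in the other socket's options. The one-slot slab, the generation counter, the in6pcb fields, the victim socket and the fixed preemption point are assumptions made to keep the interleaving deterministic; with use_lock set, the lock is held across the whole option and thread B is held off until it is released.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustrative model, not kernel code. Field names follow the advisory;
 * gen, in_use, the slab, the lock flags and the victim pointer are assumptions. */
struct in6_pktinfo {
    uint32_t ipi6_ifindex;
};

struct ip6_pktopts {
    struct in6_pktinfo *ip6po_pktinfo;   /* pointer the advisory says can be hijacked */
    unsigned gen;                        /* model only: bumped on every allocation */
    int in_use;                          /* model only: slab bookkeeping */
};

/* One-slot slab: a freed ip6_pktopts is handed straight back to the next
 * same-size allocation, which is the reuse an attacker relies on. */
static struct ip6_pktopts slab_slot;

static struct ip6_pktopts *pktopts_alloc(void)
{
    slab_slot.in_use = 1;
    slab_slot.gen++;
    slab_slot.ip6po_pktinfo = NULL;      /* fresh options start with no pktinfo */
    return &slab_slot;
}

static void pktopts_free(struct ip6_pktopts *opt)
{
    opt->in_use = 0;
}

struct in6pcb {
    struct ip6_pktopts *in6p_outputopts;
    int inp_locked;                      /* model of the socket/inpcb lock */
    int use_lock;                        /* 0: vulnerable flow, 1: lock held across the option */
    struct in6pcb *victim;               /* another socket that reclaims the freed slot */
};

struct race_result {
    int uaf;              /* 1 if the handler wrote to a buffer freed under it */
    int victim_hijacked;  /* 1 if the victim socket's ip6po_pktinfo was overwritten */
};

/* Thread B: setsockopt(IPV6_2292PKTOPTIONS) with an empty buffer frees the
 * options; the victim socket's first setsockopt then reclaims the slot. */
static void thread_b(struct in6pcb *inp)
{
    if (inp->use_lock && inp->inp_locked)
        return;                          /* patched model: blocked until A unlocks */
    if (inp->in6p_outputopts != NULL) {
        pktopts_free(inp->in6p_outputopts);
        inp->in6p_outputopts = NULL;
    }
    if (inp->victim != NULL && inp->victim->in6p_outputopts == NULL)
        inp->victim->in6p_outputopts = pktopts_alloc();   /* same slot comes back */
}

/* Thread A: setsockopt(IPV6_2292PKTOPTIONS) carrying a pktinfo option. The
 * ip6_setpktopt-like step stores a pointer into the socket's ip6_pktopts.
 * thread_b() runs at the point where A could be preempted holding opt. */
static struct race_result thread_a(struct in6pcb *inp, struct in6_pktinfo *pi)
{
    struct race_result r = { 0, 0 };

    if (inp->use_lock)
        inp->inp_locked = 1;
    if (inp->in6p_outputopts == NULL)
        inp->in6p_outputopts = pktopts_alloc();
    struct ip6_pktopts *opt = inp->in6p_outputopts;
    unsigned gen = opt->gen;

    thread_b(inp);                       /* the race window */

    if (!opt->in_use || opt->gen != gen) /* buffer freed (and maybe reused) under us */
        r.uaf = 1;
    opt->ip6po_pktinfo = pi;             /* stale write lands in whoever owns the slot now */

    if (inp->use_lock)
        inp->inp_locked = 0;

    if (inp->victim != NULL && inp->victim->in6p_outputopts != NULL &&
        inp->victim->in6p_outputopts->ip6po_pktinfo == pi)
        r.victim_hijacked = 1;
    return r;
}

struct race_result run_race(int use_lock)
{
    static struct in6_pktinfo pi;        /* stand-in for an attacker-chosen pointer */
    struct in6pcb victim = { NULL, 0, use_lock, NULL };
    struct in6pcb inp = { NULL, 0, use_lock, &victim };
    slab_slot.in_use = 0;
    slab_slot.gen = 0;
    struct race_result r = thread_a(&inp, &pi);
    if (use_lock)
        thread_b(&inp);                  /* B runs only after A released the lock */
    return r;
}

int main(void)
{
    struct race_result v = run_race(0), p = run_race(1);
    printf("unlocked: uaf=%d hijacked=%d\n", v.uaf, v.victim_hijacked);
    printf("locked:   uaf=%d hijacked=%d\n", p.uaf, p.victim_hijacked);
    return 0;
}
```

The model frees nothing in the C sense (the slab is a static object), so it is safe to run; uaf records that the pointer the handler was holding no longer belongs to the socket that loaded it, and victim_hijacked records the consequence the report warns about: an attacker-chosen pointer sitting in another object's ip6po_pktinfo, which is the kind of hijacked pointer a read or write path can later be steered through.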
