A hacker by the name of Volodymyr Pikhur has presented an exploit which he has been sitting on for almost 2 years now. The exploit was presented at the Recon Brussels hacking conference a couple of days ago. Just a couple days ago Pikhur released the slides and a demo video of the exploit in action. According to the slides posted Pikhur has had the exploit working for 2 years but decided to finally disclose it since Sony doesn't have a bug bounty.
You can check out the video below to see the exploit in action, Pikhur seems to be running an FTP server alongside other things to gain access to the PS4 in rest mode.
It appears that Pikhur is using a kernel exploit which is not publicly known. He also is leveraging a vulnerability in sys_kldload. Looking at the presentation and the video, there is definitely enough information provided for people with bad intentions to take this and use it maliciously.
The hacker did not stop after gaining kernel access but continued on by using hardware glitching in order to extract the console's kernel bootloader.
Wololo reached out to Pikhur and received the following clarifications:
- According to the hacker, the sys_kldload exploit still exists in firmware 5.00, potentially more recent firmwares as well
- The important point of the video above is that the hack persists after boot, demonstrating what is probably the very first custom firmware on the PS4
- Sony changed their keys in 5.05, but apparently not the signing process.
- The kernel bootloader contains the keys for Rest Mode kernel, which is why it was interesting to get access to it.
Hopefully, Sony will take notice of this exploit soon and will be releasing a firmware patch which takes care of the vulnerabilities disclosed.