mast1c0re: Part 3 - Escaping the emulator
A PS2 emulator escape that can be exploited on PS4/PS5. In the previous binary episode we covered part 2, a stack overflow in Okage: Shadow King; chaining that with the out-of-bounds (OOB) write in the emulator covered here makes full userland code execution possible.

As part of its duties, the PS2 emulator has to simulate Memory Mapped I/O (MMIO) for various devices, such as the DVD device. The registers that are particularly relevant are SCMD_SEND and SCMD_STATUS. When SCMD_STATUS is written, the fake DVD device stores the written value into a global status buffer and tracks the current position via gSStatusIndex. There is only room for 16 entries, though, and no bounds check ensures that at most 16 are written, so the 17th and later writes spill past the end of the buffer: a linear out-of-bounds write of attacker-controlled bytes into whatever globals follow it.

That weaker primitive is then used to escalate by smashing the gNStatusIndex global, the index for the NCMD status buffer. Because a write to the NCMD_STATUS register stores the value at that index, corrupting gNStatusIndex turns the next NCMD_STATUS write into a 1-byte write at an attacker-chosen offset relative to the NCMD buffer, which is enough to escape the emulator.
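As an added example (not code from the writeup or from the emulator itself), the following C model reconstructs the pattern described above: a vulnerable MMIO write handler with no bounds check beside a hardened one, and the escalation chain replayed against both. The register selectors, the layout of the globals, the 32-bit little-endian indices and the exact byte sequence are all assumptions made for illustration; the real emulator's MMIO addresses and global layout are not given here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Register selectors for the toy MMIO dispatcher. The real MMIO addresses are
 * not given on the page, so these are placeholders. */
enum { SCMD_STATUS = 0, NCMD_STATUS = 1 };

/* Model of the emulator's globals. The layout (S buffer, its index, N buffer,
 * its index, then some victim data) is an assumption: it is what lets the
 * linear overflow out of gSStatus reach gNStatusIndex, as the writeup
 * describes. uint32_t indices and a little-endian host are also assumed. */
struct dvd_state {
    uint8_t  gSStatus[16];
    uint32_t gSStatusIndex;
    uint8_t  gNStatus[16];
    uint32_t gNStatusIndex;
    uint8_t  victim[64];     /* stands in for whatever the attacker wants to hit */
};

typedef void (*mmio_write_fn)(struct dvd_state *, int, uint8_t);

/* Vulnerable handler: the index is trusted, so the 17th SCMD_STATUS write lands
 * on gSStatusIndex itself and every write after that goes wherever the
 * attacker has pointed it. Byte-pointer arithmetic from the struct base keeps
 * the model well-defined C even once the index leaves the array. */
static void vuln_mmio_write(struct dvd_state *s, int reg, uint8_t value)
{
    uint8_t *base = (uint8_t *)s;
    switch (reg) {
    case SCMD_STATUS:
        base[offsetof(struct dvd_state, gSStatus) + s->gSStatusIndex] = value;
        s->gSStatusIndex++;
        break;
    case NCMD_STATUS:
        base[offsetof(struct dvd_state, gNStatus) + s->gNStatusIndex] = value;
        s->gNStatusIndex++;
        break;
    }
}

/* Hardened handler: same logic, but a write that would leave the 16-entry
 * buffer is dropped. Both indices are checked; fixing only SCMD would leave
 * NCMD_STATUS usable if gNStatusIndex were ever corrupted some other way. */
static void safe_mmio_write(struct dvd_state *s, int reg, uint8_t value)
{
    switch (reg) {
    case SCMD_STATUS:
        if (s->gSStatusIndex >= sizeof s->gSStatus) return;
        s->gSStatus[s->gSStatusIndex++] = value;
        break;
    case NCMD_STATUS:
        if (s->gNStatusIndex >= sizeof s->gNStatus) return;
        s->gNStatus[s->gNStatusIndex++] = value;
        break;
    }
}

/* The escalation chain from the writeup, replayed against a handler:
 *  1. fill the 16 legitimate SCMD slots;
 *  2. the 17th write overwrites the low byte of gSStatusIndex, redirecting the
 *     linear overflow so that the 18th write lands on gNStatusIndex;
 *  3. with gNStatusIndex attacker-chosen, one NCMD_STATUS write becomes a
 *     1-byte write at that offset from gNStatus, here into victim[victim_off].
 * Returns the byte found at victim[victim_off] afterwards. */
uint8_t run_chain(mmio_write_fn write, uint8_t victim_off, uint8_t byte)
{
    static struct dvd_state s;
    memset(&s, 0, sizeof s);

    for (int i = 0; i < 16; i++)
        write(&s, SCMD_STATUS, 0x41);                    /* step 1 */

    /* Step 2: this store sets gSStatusIndex to 35 and the handler's ++ makes
     * it 36 == offsetof(gNStatusIndex), so the following byte lands there. */
    write(&s, SCMD_STATUS, (uint8_t)(offsetof(struct dvd_state, gNStatusIndex) - 1));
    write(&s, SCMD_STATUS, (uint8_t)(offsetof(struct dvd_state, victim)
                                     - offsetof(struct dvd_state, gNStatus)
                                     + victim_off));

    write(&s, NCMD_STATUS, byte);                        /* step 3 */
    return s.victim[victim_off];
}

int main(void)
{
    /* vulnerable: the byte lands in victim[5]; hardened: victim stays zero */
    return (run_chain(vuln_mmio_write, 5, 0xCC) == 0xCC
            && run_chain(safe_mmio_write, 5, 0xCC) == 0) ? 0 : 1;
}
```

The chain relies on the index being stored right after the buffer it indexes, which is why the 17th write is the interesting one: it does not just clobber a neighbour, it redirects the overflow itself, and from that point the attacker picks where each subsequent byte goes. Against the hardened handler the extra SCMD writes are dropped, gNStatusIndex is never touched, and the NCMD write stays inside its own buffer.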