mast1c0re: Part 3 - Escaping the emulator

We discussed this vulnerability during Episode 190 on 21 February 2023

A PS2 emulator escape that can be exploited on PS4/PS5. In the previous binary episode we covered part 2, a stack overflow in Okage: Shadow King; chaining that with this out-of-bounds (OOB) write in the emulator gives full userland code execution. As part of its duties, the PS2 emulator has to simulate Memory Mapped I/O (MMIO) for various devices, such as the DVD device. The registers that are particularly relevant are the SCMD_SEND and SCMD_STATUS registers. When SCMD_STATUS is written to, the fake DVD device updates a global status buffer with the written value and tracks the current position via gSStatusIndex. There is only room for 16 entries, though, and no bounds check ensures that at most 16 entries are written, giving a linear out-of-bounds write.

They then use this weaker primitive to escalate by smashing the gNStatusIndex global; when the NCMD_STATUS register is subsequently written to, this gives the attacker a relative 1-byte write, which is used to escape the emulator.
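To make the bug class in the two paragraphs above concrete, here is an added example (not the emulator's code, nor mast1c0re's): a small model of the fake DVD device's SCMD_STATUS handler with the missing bounds check beside a hardened version. The names gSStatusIndex and SCMD_STATUS come from the page; the 16-entry size is the page's figure; the flat `mem` backing store, the offsets, the sentinel byte standing in for whatever global follows the buffer, and the handler signatures are all assumptions made so the overflow stays observable without undefined behaviour.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the fake DVD device's globals. The real emulator's
 * layout is not known; this is only a teaching model. */
#define SSTATUS_ENTRIES 16                               /* page: room for 16 entries */
#define SSTATUS_OFF     0                                /* status buffer starts here */
#define NEIGHBOUR_OFF   (SSTATUS_OFF + SSTATUS_ENTRIES)  /* stand-in for the global that follows the buffer */
#define DEVMEM_SIZE     64

struct dvd_dev {
    uint8_t  mem[DEVMEM_SIZE];   /* flat backing store so an overflow lands somewhere we can inspect */
    uint32_t gSStatusIndex;      /* write cursor into the status buffer (name from the page) */
};

static void dvd_init(struct dvd_dev *d) {
    memset(d, 0, sizeof *d);
    d->mem[NEIGHBOUR_OFF] = 0xAA;   /* sentinel: should never change if the handler is correct */
}

/* Vulnerable handler, modelled on the page's description: gSStatusIndex is
 * used without ever being compared against SSTATUS_ENTRIES. The only check
 * is against the model's backing store, so the demo stays defined behaviour;
 * it is not a real bounds check. */
static bool scmd_status_write_vuln(struct dvd_dev *d, uint8_t value) {
    uint32_t off = SSTATUS_OFF + d->gSStatusIndex;
    if (off >= DEVMEM_SIZE) return false;   /* model limit only */
    d->mem[off] = value;
    d->gSStatusIndex++;
    return true;
}

/* Hardened handler: refuse the write once the 16-entry buffer is full, and
 * leave the cursor untouched so later writes cannot creep past the end. */
static bool scmd_status_write_fixed(struct dvd_dev *d, uint8_t value) {
    if (d->gSStatusIndex >= SSTATUS_ENTRIES) return false;
    d->mem[SSTATUS_OFF + d->gSStatusIndex] = value;
    d->gSStatusIndex++;
    return true;
}

/* Drive a handler with n guest writes (constructed values 0x10, 0x11, ...)
 * and return the sentinel byte afterwards, so the caller can see whether the
 * neighbouring global survived. */
static uint8_t run_writes(bool (*handler)(struct dvd_dev *, uint8_t),
                          unsigned n, struct dvd_dev *d) {
    dvd_init(d);
    for (unsigned i = 0; i < n; i++)
        handler(d, (uint8_t)(0x10 + i));
    return d->mem[NEIGHBOUR_OFF];
}

int main(void) {
    struct dvd_dev d;
    printf("vulnerable: neighbour after 17 writes = 0x%02x\n",
           run_writes(scmd_status_write_vuln, 17, &d));
    printf("fixed:      neighbour after 17 writes = 0x%02x\n",
           run_writes(scmd_status_write_fixed, 17, &d));
    return 0;
}
```

The seventeenth write is the one that matters: with the unchecked handler it lands on the byte after the buffer (the same shape of corruption the page describes against gNStatusIndex), while the fixed handler rejects it and leaves the sentinel intact. Refusing the write is preferable to silently masking the index (`index & 15`), since masking hides the guest misbehaviour that a defender would want logged.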