PlayStation 4 Privilege Escalation Vulnerability in BD-J Sandbox

Vulnerability

A privilege escalation vulnerability has been identified in PlayStation 4 firmware versions 13.00 through 13.02. This vulnerability allows an attacker to escape the BD-J (Blu-ray Disc Java) sandbox by using a malformed JAR file. The issue arises because the BD-J security policy improperly canonicalizes file paths, enabling untrusted code to be executed with elevated permissions.

Impact

Exploitation of this vulnerability allows for complete privilege escalation from a sandboxed Blu-ray application to full system access, with all permissions granted.

Reproduction

The vulnerability can be reproduced by creating a nested JAR file that exploits the path traversal vulnerability. When this JAR file is loaded by a Blu-ray application on a PlayStation 4 running the vulnerable firmware, the BD-J security policy will incorrectly grant all permissions, allowing the application to execute untrusted code with elevated privileges.
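
The class of flaw described above, a policy that matches a code-source path without first resolving it, is shown here next to a corrected check. This is an added example, not code from the BD-J runtime or from this advisory; the class name, method names and the paths /trusted/apps and /disc are hypothetical and constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class PolicyPathCheck {
    // Hypothetical directory whose code the policy fully trusts (assumption,
    // not a real PlayStation 4 path).
    static final String TRUSTED_DIR = "/trusted/apps";

    // Flawed check: compares the raw string, so "." and ".." segments are
    // never resolved before the trust decision is made.
    static boolean grantsAllNaive(String codeSourcePath) {
        return codeSourcePath.startsWith(TRUSTED_DIR + "/");
    }

    // Corrected check: resolve "." and ".." first, then compare whole path
    // components. normalize() is purely lexical; where the file exists and
    // symlinks matter, toRealPath() is the stronger choice.
    static boolean grantsAllNormalized(String codeSourcePath) {
        Path trusted = Paths.get(TRUSTED_DIR).normalize();
        Path candidate = Paths.get(codeSourcePath).normalize();
        return candidate.startsWith(trusted) && !candidate.equals(trusted);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] samples = {
            "/trusted/apps/menu.jar",
            "/trusted/apps/../../disc/untrusted.jar",
            "/disc/untrusted.jar"
        };
        for (String s : samples) {
            System.out.printf("%-42s naive=%-5b normalized=%b%n",
                    s, grantsAllNaive(s), grantsAllNormalized(s));
        }
    }
}
```

The second sample is the case that matters for review: the two checks disagree on it, and any policy code where the raw and resolved paths can yield different decisions deserves a regression test.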

Added: Jun 2, 2026, 8:44 PM
Updated: Jun 2, 2026, 8:44 PM

Vulnerability Rating

Custom Algorithm

spread: 8.4
impact: 7.5
exploitability: 5.8
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.