Critical remote code execution fixed in PlayStation Now

Security flaws in the PlayStation Now cloud gaming Windows application allowed hackers to execute arbitrary code on Windows systems.

Bug bounty hunter Parsia Hakimian discovered multiple security flaws in the PlayStation Now (PS Now) cloud gaming Windows application that allowed hackers to execute arbitrary code on Windows devices running vulnerable app versions.

The bugs affected PS Now version 11.0.2 and earlier on systems running Windows 7 SP1 or later.

Since the its launch in 2014, PlayStation Now reached more than 2.2 million subscribers [PDF] at the end of April 2020.

Hakimian reported the bugs to Sony on May 13, 2020, through PlayStation’s official bug bounty program operated via bug bounty platform HackerOne. PlayStation addressed the issues on June 25th, 2020 and rewarded the experts with a $15,000 bounty.

Chaining the vulnerabilities found by Hakimian, an unauthenticated attacker could achieve remote code execution (RCE) by exploiting a code injection vulnerability.

“The PlayStation Now application version 11.0.2 is vulnerable to remote code execution (RCE).” explained Hakimian. “Any website loaded in any browser on the same machine can run arbitrary code on the machine through a vulnerable websocket connection.”

The attackers can run malicious code on a PS NOW user’s computer via a local WebSocket server started by the psnowlauncher.exe on port 1235 using the AGL Electron application it spawns after launch.

“The local websocket server at localhost:1235 does not check the origin of incoming requests.

This allows websites loaded in browsers on the same machine to send requests to the websocket server.” continues the Hakimian.Websockets are not bound by the Same-Origin Policy so the websocket server has to do this manually.”“JavaScript loaded by AGL will be able to spawn processes on the machine. This can lead to arbitrary code execution. The AGL application performs no checks on what URLs it loads.”

This issue stems from WebSocket server that started on the target’s device without performing any Origin header or request origin checks.

An attacker could exploit the flaw by triking PS NOW users into opening a specially crafted site using a malicious link provided via phishing emails, forums, Discord channels, etc.

Upon opening the link in the victim’s browser, malicious scripts on the website will connect to the local WebSocket server and ask AGL to load malicious Node code from another site and run it on the target’s machine.

The PlayStation bug bounty program via HackerOne has been launched by Sony in June 2020, it covers vulnerabilities in the PlayStation Network, in Sony gaming consoles PlayStation 4 and 5, operating systems, and accessories.

White hat hackers could receive bounty payouts ranging from $100 up to $50,000 for a PlayStation 4 critical vulnerability.

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, PlayStation Now)

The post Critical remote code execution fixed in PlayStation Now appeared first on Security Affairs.