Security bugs found in the PlayStation Now (PS Now) cloud gaming Windows application allowed attackers to execute arbitrary code on Windows devices running vulnerable app versions.
PlayStation Now reached more than 2.2 million subscribers [PDF] at the end of April 2020 since the service’s launch in 2014.
The vulnerabilities discovered by bug bounty hunter Parsia Hakimian affected PS Now version 11.0.2 and earlier on computers running Windows 7 SP1 or later.
Hakimian reported the PS Now bug on May 13, 2020, through PlayStation’s official bug bounty program on HackerOne. PlayStation addressed the bug and tagged the bug report as ‘Resolved’ one month later, on June 25th, 2020.
He was awarded a $15,000 bounty for his report even though his submission was not in-scope — i.e., it affected a Windows app and not one of the target assets included in the bug bounty program (the PlayStation 4 and PlayStation 5 systems, operating systems, accessories, or the PlayStation Network).
Insecure Electron app exposes users to RCE attacks
Hakimian found that, when chained, the critical security issues allowed unauthenticated attackers to launch remote code execution (RCE) attacks by abusing a code injection weakness.
“Any website loaded in any browser on the same machine can run arbitrary code on the machine through a vulnerable websocket connection,” Hakimian said.
Attackers can run malicious code on a PS Now user’s computer via a local WebSocket server that psnowlauncher.exe starts on port 1235, together with the AGL Electron application it spawns after launch.
“JavaScript loaded by AGL will be able to spawn processes on the machine,” the researcher further explained. “This can lead to arbitrary code execution. The AGL application performs no checks on what URLs it loads.”
My $15K PlayStation bug has finally been disclosed. My one and only tip is to read every single @taviso bug. This is essentially two of his public bugs chained together. https://t.co/0tQyJmn3q9
— Parsia Hakimian (@CryptoGangsta) December 4, 2020
This is possible because the WebSocket server started on the target’s device performs no Origin header or request origin checks.
To successfully exploit the RCE bug, attackers have to persuade the PS Now user whose device they want to compromise to open a specially crafted site via a malicious link delivered through phishing emails, forums, Discord channels, etc.
Once the user opens it in any web browser on their computer, malicious scripts on the website connect to the local WebSocket server and ask AGL to load malicious Node code from another site and run it on the target’s device.
Sony bug bounty programs
Sony announced the launch of its public HackerOne PlayStation bug bounty program in June 2020, a program that pays security researchers and gamers for reporting security issues found in the PlayStation 4 and 5 systems, operating systems, accessories, and the PlayStation Network.
Qualified PlayStation bug submissions are eligible for bounty payouts ranging from $100 for a low severity PlayStation Network vulnerability up to $50,000 for a PlayStation 4 critical flaw.
This bug bounty program was already running privately with some security researchers before its public launch in June, which explains Hakimian’s submission one month prior to the launch.
The company has also run a separate Vulnerability Disclosure Program on HackerOne since October 2017 that allows bug bounty hunters to report qualifying security vulnerabilities in Sony products or websites not covered by the PlayStation program.
PlayStation Now is not the only cloud-based game streaming service that fixed a critical security issue this year.
NVIDIA also released a security update to address a vulnerability in the GeForce Now cloud gaming Windows app that allowed attackers to execute arbitrary code or escalate privileges on systems running unpatched software.