Multiple security flaws were discovered in the PlayStation Now (PS Now) cloud gaming Windows application that allowed hackers to execute arbitrary code on Windows devices running vulnerable app versions.
The bugs which were found by the bug bounty hunter Parsia Hakimian affected PS Now version 11.0.2 and earlier on systems running Windows 7 SP1 or later.
PlayStation Now launched in 2014 has more than 2.2 million subscribers at the end of April 2020.
The researcher reported the flaws to Sony on May 13, 2020, through PlayStation’s official bug bounty program operated via bug bounty platform HackerOne. The issue was addressed by PlayStation on June 25th, 2020 and rewarded the experts with a $15,000 bounty.
By chaining the vulnerabilities, it is possible for an unauthenticated attacker to achieve remote code execution (RCE) by exploiting a code injection vulnerability.
Hakimian said that the PlayStation Now application version 11.0.2 is vulnerable to remote code execution (RCE). Any website loaded in any browser on the same machine can run arbitrary code on the machine through a vulnerable websocket connection.
The attackers can run malicious code on a PS NOW user’s computer via a local WebSocket server started by the psnowlauncher.exe on port 1235 using the AGL Electron application it spawns after launch.
The local websocket server at localhost:1235 does not check the origin of incoming requests. This allows websites loaded in browsers on the same machine to send requests to the websocket server.
This issue stems from WebSocket server that started on the target’s device without performing any Origin header or request origin checks.
A threat actor can exploit the flaw by tricking PS NOW users into opening a specially crafted site using a malicious link provided via phishing emails, forums, Discord channels, etc.
When a victim opens the link in the browser, malicious scripts on the website will connect to the local WebSocket server and ask AGL to load malicious Node code from another site and run it on the target’s machine.