Proof of concept webkit exploit running on PS4 firmwares 2.xx
Developer Fire30 released a webkit exploit proof of concept for the PS4, ported from a webkit heap buffer overflow revealed in 2014. I haven’t tested this myself, and this is still unconfirmed information at this point.
Fire30 says the exploit should run on any PS4 firmware below 2.50, although he mentions parts of the exploit implementation will only work on firmware 2.03, presumably because this is the firmware he’s using to write the code.
There’s not much to be said about this at this point, although in theory the kernel exploits BadIRET and dlclose could be ported to this exploit, if confirmed legit: it has been mentioned these kernel exploits are compatible up to firmware 2.xx, and the only thing preventing those from being used on any other firmware than 1.76 so far was because the only publicly available userland exploit has been the 1,76 webkit exploit.
A port of the dlclose exploit to this new webkit vulnerability could bring some Linux joy to more PS4 users, and help decrease the current asking price for hackable PS4s.
Download and install the CVE 2014-1303 Proof Of Concept for PS4
You can Download Fire30’s proof of concept on his github here. You’ll need a PS4 running below firmware 2.50, ideally firmware 2.03. According to the readme:
a poc for the CVE 2014-1303 originally disclosed by Liang Chen. It has been tested to work on system firmware 2.03, but should work for systems on a firmware < 2.50, the ROP test will however only work on 2.03.
You need to edit the dns.conf to point to the ip address of your machine, and modify your consoles dns settings to point to it as well. Then run
python fakedns.py -c dns.conf
Debug output will come from this process.
Navigate to the User’s Guide page on the PS4 and various information should be printed to the console. The ROP test will print what is stored in the rsp register. Continuing execution after rsp is pivoted still needs to be done.
fire30 credits the following people, in addition to Liang Chen who revealed the vulnerability in 2014:
If you happen to have a PS4 running a firmware below 2.50, and have the skills to 1) confirm that this is true and 2) try and get the dlclose exploit to run on this, then by all means, help the PS4 scene 🙂
Otherwise… stay tuned!