PS4: Webkit exploit released for 6.xx, could potentially work on 7.xx
Security researchers Mehdi Talbi and Quentin Meffre of French infosec company Synacktiv yesterday disclosed a WebKit exploit running on the PS4. The exploit, they say, runs on 6.xx firmwares and could possibly be tweaked to run on 7.xx.
The fact that hacking utilities are publicly available up to 6.72 made it easier for the researchers to weaponize their exploit on 6.xx firmwares. On 7.xx, however, they say further research is required to port their work. It is possible that hackers on the scene with access to more exploits could port this WebKit entry point to 7.xx firmwares.
Brute forcing on the PS4 is tedious, as the browser requires a user interaction in order to restart. Our idea is to plug in a Raspberry Pi that acts as a keyboard on the PS4. Its main goal is to hit Enter periodically (every 5 s) to restart the browser after the crash. The brute-forced address is updated at each attempt and stored in a cookie. Unfortunately, we didn't get any result so far. We probably haven't run the brute force for a long enough period of time to cover the entire address space.
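One way to implement the cookie-persisted brute-force loop the researchers describe, as an added example in JavaScript that is not Synacktiv's code: the cookie name, address range and stride below are assumptions, the guess routine itself is exploit-specific and left out, and the point shown is that the next candidate is written to the cookie before the guess is made, so a renderer crash (and the Raspberry Pi pressing Enter) resumes the search instead of repeating it.

```javascript
// Added example (not Synacktiv's code): persisting brute-force state across
// browser crashes in a cookie. Cookie name, range and stride are assumptions.
const COOKIE_NAME = "bf_addr";        // assumed cookie name
const START_ADDR  = 0x800000000n;     // assumed start of the search range
const END_ADDR    = 0x900000000n;     // assumed end of the range (exclusive)
const STRIDE      = 0x1000n;          // assumed step: one 4 KiB page per attempt

// Parse a "k=v; k2=v2" cookie string into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const k = part.slice(0, idx).trim();
    const v = part.slice(idx + 1).trim();
    if (k) out[k] = v;
  }
  return out;
}

// Address to try on this page load: the one stored in the cookie, or
// START_ADDR when the cookie is absent, malformed or out of range.
function currentAddress(cookieString) {
  const raw = parseCookies(cookieString)[COOKIE_NAME];
  if (raw === undefined || !/^0x[0-9a-fA-F]+$/.test(raw)) return START_ADDR;
  const addr = BigInt(raw);
  return addr < START_ADDR || addr >= END_ADDR ? START_ADDR : addr;
}

// Candidate after `addr`, or null once the range has been covered, so the
// loop can stop (and restart from START_ADDR) instead of wrapping silently.
function nextAddress(addr) {
  const n = addr + STRIDE;
  return n >= END_ADDR ? null : n;
}

// Cookie assignment string for document.cookie.
function cookieFor(addr) {
  return `${COOKIE_NAME}=0x${addr.toString(16)}; path=/`;
}

// Plan one iteration: which address to try now, what cookie to store *before*
// trying it, and whether this is the last candidate in the range.
function plan(cookieString) {
  const tried = currentAddress(cookieString);
  const next = nextAddress(tried);
  return {
    tried,
    cookie: cookieFor(next === null ? START_ADDR : next),
    exhausted: next === null,
  };
}

// Number of attempts needed to sweep the whole range once.
function attemptsForFullSweep() {
  return Number((END_ADDR - START_ADDR) / STRIDE);
}

// Browser glue: persist progress first, because a correct guess (or a wrong
// one that corrupts memory) may kill the renderer before anything else runs.
if (typeof document !== "undefined") {
  const p = plan(document.cookie);
  document.cookie = p.cookie;
  // tryAddress(p.tried) would go here; the guess routine is exploit-specific.
  if (p.exhausted) console.log("range covered, restarting from START_ADDR");
}
```

With the assumed range and stride, attemptsForFullSweep() is 1,048,576; at one attempt every 5 seconds that is about 61 days of wall-clock time, which illustrates why a short run can leave most of the address space untouched.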
The exploit itself leverages a use-after-free bug in the function ValidationMessage::buildBubbleTree() of WebKit's DOM engine. People interested in how console exploitation works should read the full writeup on Synacktiv's blog.
For the PS4 hacking scene, this means it could become possible to couple this WebKit exploit, once ported, with TheFlow's 7.02 kernel exploit, in order to provide a jailbreak for 7.02 owners.
It is unclear whether, and in which firmware, Sony patched this bug on the PS4. More digging will probably be required by the scene on that front.
Download PS4 6.xx Webkit exploit from Synacktiv
The exploit proof of concept can be downloaded from Synacktiv's GitHub. For now it will probably only be useful to people who intend to work on a port for firmwares above 6.72.
Source: Synacktiv on twitter