Use-After-Free Webkit vulnerability impacts PS4, possibly up to firmware 9.00 included

A Use-After-Free vulnerability in Webkit (CVE-2021-30858) was identified and patched in September. Early tests and source code investigation indicate that the vulnerability is also present in the PS4 version of Webkit, although it is not yet certain up to which firmware, nor whether this vulnerability can be turned into a full-fledged exploit.
CVE-2021-30858 Use-After-Free in Webkit’s removeFromFacesLookupTable
Security researcher Maddie Stone, of the Google Project Zero security team, has reported and disclosed a Use-After-Free vulnerability in Webkit back in September, as part of the team’s efforts looking into Apple’s Webkit.
The issue lies in adding an invalid FontFace object to a FontFaceSet. The add operation does not actually add the object, but the system will later still try to remove it (even though it was never added), leading to a Use-After-Free.
Code with the bug (the template argument of downcast, lost in extraction, is restored; indentation and comments added):

    void CSSFontFaceSet::removeFromFacesLookupTable(const CSSFontFace& face, const CSSValueList& familiesToSearchFor)
    {
        for (auto& item : familiesToSearchFor) {
            String familyName = CSSFontFaceSet::familyNameFromPrimitive(downcast<CSSPrimitiveValue>(item.get()));
            if (familyName.isEmpty())
                continue;
            auto iterator = m_facesLookupTable.find(familyName);
            // ASSERT is compiled out in release builds: nothing stops the removal when the face was never added.
            ASSERT(iterator != m_facesLookupTable.end());
            bool found = false;
            for (size_t i = 0; i < iterator->value.size(); ++i) {
                if (iterator->value[i].ptr() == &face) {
                    found = true;
                    iterator->value.remove(i);
                    break;
                }
            }
            // Also a no-op in release builds.
            ASSERT_UNUSED(found, found);
            if (!iterator->value.size())
                m_facesLookupTable.remove(iterator);
        }
    }
Proof of concept JavaScript:

    // A FontFace with an empty source: the "invalid" FontFace described above
    var fontFace1 = new FontFace("font1", "", {});
    // Passing it to the FontFaceSet constructor does not actually add it to the lookup table
    var fontFaceSet = new FontFaceSet([fontFace1]);
    // Changing the family triggers removal under the old family name, for an entry that was never added
    fontFace1.family = "font2";
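To make the add/remove asymmetry concrete, here is an added, self-contained C++ model (not WebKit's code and not the upstream fix) of the faces lookup table: the add side rejects an invalid face, and the remove side turns the conditions the original only ASSERTed into real checks, so replaying the PoC sequence above leaves the table untouched instead of removing an entry that was never added. The Face struct, FacesLookupTable class and replayPocSequence() are constructed for this illustration.

```cpp
#include <algorithm>
#include <string>
#include <unordered_map>
#include <vector>

// Constructed stand-in for CSSFontFace with only the fields the bug touches.
struct Face {
    std::string family;
    bool valid;  // false models the invalid FontFace from the PoC
};

class FacesLookupTable {
public:
    // Add side: an invalid face is rejected and never enters the table.
    bool add(const Face& face) {
        if (!face.valid || face.family.empty()) return false;
        m_table[face.family].push_back(&face);
        return true;
    }
    // Remove side, hardened: the conditions the original only ASSERTed (and
    // ASSERT is compiled out in release builds) become real checks, so a face
    // that was never added is reported as not found instead of being removed.
    bool remove(const Face& face, const std::string& familyToSearchFor) {
        if (familyToSearchFor.empty()) return false;
        auto it = m_table.find(familyToSearchFor);
        if (it == m_table.end()) return false;
        auto& faces = it->second;
        auto pos = std::find(faces.begin(), faces.end(), &face);
        if (pos == faces.end()) return false;
        faces.erase(pos);
        if (faces.empty()) m_table.erase(it);
        return true;
    }
    std::size_t familyCount() const { return m_table.size(); }
private:
    std::unordered_map<std::string, std::vector<const Face*>> m_table;
};

// Replays the PoC sequence: an invalid face is "added" (rejected), then its
// family changes, which in WebKit triggers removal under the old family name.
bool replayPocSequence() {
    FacesLookupTable table;
    Face face{"font1", false};
    bool added = table.add(face);
    std::string oldFamily = face.family;
    face.family = "font2";
    bool removed = table.remove(face, oldFamily);
    return !added && !removed && table.familyCount() == 0;
}
```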
Use-After-Free Webkit vulnerability impacts the PS4
The issue seems pretty obvious after the fact, and proof of concept code has been easily reproduced to test on the PS4. @NazkyYT has some proof of concept code running at https://nazky.github.io/PS4CVE202130858/. You can point your PS4’s browser to the proof of concept URL to see to what extent your console is impacted (or run your own copy on a local server if you prefer).
Several people have confirmed that the vulnerability does in fact reproduce on PS4s up to firmware 8.52 included. Some users have reported that the vulnerability is not “working” on their PS4 running 9.00, but analysis of the Webkit version in PS4 9.00 seems to indicate the bug is still present there. In my personal tests, 9.00 reacts with a “not enough memory” error when trying the proof of concept, which to me is a good sign until proven otherwise.
It’s also worth mentioning that firmware 9.00 was released mere days after this issue was patched in Webkit, meaning it is fairly unlikely Sony had time to import the Webkit patch into firmware 9.00. Everything points to the issue existing in firmware 9.00, with only a few early test reports suggesting otherwise.

Screenshot of the Webkit source code in PS4 9.00 (as shared on Sony’s official page), which still contains the vulnerability.
I had fears that the proof of concept was void, considering that the FontFaceSet constructor is a Safari-specific thing (source):

Specifically, if you try the PoC code on a browser such as Chrome, you will get an error of the form “FontFaceSet is not defined”, meaning the PoC fails before even reaching the vulnerability on pretty much any browser except Safari. But I was able to independently verify that the FontFaceSet constructor does exist on the PS4. In other words, as far as I can tell, there is a significant chance that this vulnerability impacts the PS4, up to 9.00 included.
PS4 9.00 Potentially vulnerable to Webkit Use-After-Free, what’s next?
The fact that a new Webkit vulnerability surfaces on the PS4 is potentially big news for the PS4 Scene. But a bunch of things need to happen before this becomes useful to the end user.
First of all, whatever your current firmware might be, do not update if you intend to leverage this opportunity. The lower your firmware is, the higher your chances are for a future hack or exploit.
Secondly, PS4 hackers need to look into this Webkit vulnerability to understand 1) if it can actually be turned into a useful exploit (this can take a significant amount of time), and 2) if 9.00 is really impacted or not. Going from a vulnerability to actual exploitable code is not something that happens instantly.
If this Webkit exploit can be leveraged on the PS4, it could have two main uses:
- First, this exploit could potentially be more “stable” than the current Webkit exploit used up to firmwares 7.55, meaning it could be used to improve the stability of existing Jailbreaks, up to firmware 7.55.
- Second, if a kernel exploit is revealed in the future for firmwares 8.xx or 9.00, the Webkit exploit and the kernel exploit could be combined to give the scene a Jailbreak for firmwares 8.xx, or, one can dream, up to 9.00. This is a good time to remind everyone that a Webkit exploit alone is not enough for a Jailbreak. It is an entry point to running unsigned code, but it then needs to be combined with a privilege escalation exploit (a.k.a. kernel exploit) in order to get an actual Jailbreak.
There’s of course a long way to go before any of this happens, but this could be the best piece of news the PS4 scene has had in a long time.
That would be great news. Although I have a PS5, this is great news for PS4 users.
Btw, f#ck your first reply!
ps4 is still not fully jailbroken as ps3 is so ps5 has a long time before being hacked at least via webkit…
wow….this is good news
Yeah, I hope something comes from this my PS4s just be gathering dust since I got a ps5
Is there a chance that it will work also on ps5?
one can dream.
Yea. Pretty sure this WebKit comes from the iOS exploit about to be released on Oct 22 for the newer iPhone chips in iPhone 12s and 13s. It was used to supposedly create a new untethered jb in iOS 14. Not positive but I’m pretty sure this is coming from that.
If I’m right about that, everyone should be looking squarely at Cturt with this or those familiar with his recently discovered exploit bounty.
Can it do 4K?
It wolud be wise if you don’t get your hopes up guys.
sorry I mean *would*
it wololo be wise to don’t get our hopes up.
It’s indeed good news everyone
Apparently the webkit exploit also works on the latest PS5 version
https://twitter.com/Cedsaill2/status/1448747622005710850
I’m currently still staying at the lowest FW 8.00 so I have high hopes. Yay. I’m still sad that by the time 7.55 got a jailbreak I was already on 7.60 or higher.
Hail brilliant hackers! PS4 is my first console, and I was too naive, but from my next console on, I’ve learned never to update your firmware, which is our right in the first place. We own our console, and we have the right to use the hardware the way we want, not the way manufacturers want.
Yes, but they also have a right to decline customer service and repairs to the modified system, since it breaches their policies. They can also ban your Playstation off their network completely, like what Nintendo does
That’s because they’re making policies that they’re not entitled to. We bought the machine, and we have the right to make it do anything it’s capable of, but their “policies” force us to use it only for a specific use they allow, which basically denies our ownership of our console. Like I want my console to be an all-in-one device. I want my Switch to play music, to play videos, to play Switch games, and all the retro games it can run. I had a bunch of GBA games, which no longer come in handy on the original dim screen. Does Nintendo allow that? Noooooo. *** it, it’s my machine
tested on 8.50 no error after launch and got feedback that
API is not patched!
vulnerability ok something like that
LAST!!!
not anymore
I want my PS4 with fw 7.02 to have a more stable webkit exploit than the current one I have now. The current webkit exploit takes lots of tries before enabling the kernel exploit. This is very good news for us because we will be getting a stable webkit just like firmware 6.72 has.