Webkit vulnerabilities on PS4 8.xx, 9.00 and PS5 21.02: the current status
Last week, multiple Webkit vulnerabilities were unearthed for scene members to test on the PS4 and PS5. Among those, three seem to have caught the scene’s interest, and both the PS4 and PS5 might be impacted by some of these bugs.
An important disclaimer about the Proof of Concept pages that have been circulating: bear in mind that I’m not blaming anyone, as everybody’s trying to help here and we’re in the early stages, but I’ve seen a few PoC pages that I would consider “non-scientific” in their approach to testing for a vulnerability on the consoles. Long story short, if you decide to test these vulnerabilities through one of these pages, at this point it doesn’t mean a lot if you get an error message, or if you don’t, or if you get a “patched” or “ok” message box. The only case where you can be 100% sure that you hit a vulnerability is if you crash the Webkit browser. In what I’ve seen so far, an “out of memory” error message (on either PS4 or PS5) is the most promising sign that a crash happened through these vulnerabilities (although I can also think of many ways to write code that would trigger a legitimate memory issue with no underlying vulnerability).
Bottom line: unless you understand what the code does, do not get too excited by a message box in your PS4/PS5 browser. And do not start reporting weird stuff such as “oh, PS4 9.xx is vulnerable but 8.50 is not”. Such a use case (where a patch would have been “reverted” in a higher firmware) is actually so unlikely that if you see this happen, your first reaction should be to assume that the Proof of Concept is flawed.
The three Webkit vulnerabilities the PS4/PS5 scene is looking at right now
Below are the three vulnerabilities that were reported in the past few days:
CVE-2021-30858 Use-After-Free in removeFromFacesLookupTable
I’ve personally tested this one on PS4 9.00 and to the extent of my understanding, the vulnerability exists on PS4 up to 9.00 (and I’ve detailed here some of the things I’ve tested for). People have reported PS5 is also impacted, up to the latest firmware. This is a fairly recent issue so it would make sense that, if the PS4 and PS5 are impacted, even recent firmwares are vulnerable. Again, keep the disclaimer above in mind, but an error message such as “not enough memory” is a good sign here.
there is not enough space in the system memory 🤔
— ششمآلي (@abdurahman350) October 15, 2021
My uneducated guess on this vulnerability is that it could be hard to turn into an exploit, given the limited control an attacker could have on the impacted variables, but we’d need a hacker with actual experience to confirm this 🙂
If value.size is a large number, this might lead to out of memory error (not useful)? If it’s 0 something could happen on the last line when the remove is triggered? If it’s a “regular” number then possibly no issue. Arbitrary at each execution. pic.twitter.com/f1T1vDzYOd
— Wololo (@frwololo) October 15, 2021
CVE-2021-30848 WebKit EventHandler::keyEvent Heap Use-After-Free
Another recent report, with full details and PoC available on packetstorm here.
This one was unearthed by @Zellix67, who states it works on firmwares 8.xx. Again, with no crash in the browser, it’s unlikely at this point that anything actually happens, although the vulnerability disclosure does state that the behavior here is quite arbitrary.
Little to no information is provided on this issue. PacketStorm has a proof of concept that was provided by Ivan Fratric of Google Security. The issue is described as a “crash”, and from the security engineer’s report, it doesn’t seem obvious that any code execution is actually possible.
This issue was reported in July this year, so recent firmwares (if the PS4/PS5 are actually impacted) could have been patched.
Can these three Webkit vulnerabilities be transformed into exploits?
From my personal tests and observations of the scene, out of the three Webkit vulnerabilities that everybody’s excited about, only CVE-2021-30858 is confirmed to impact PS4/PS5 so far. I’m not saying the other two vulnerabilities do not impact PS4/PS5, but I haven’t seen concrete proof of that yet.
For all three vulnerabilities, we need people with the right sets of skills to turn the initial disclosure proof-of-concepts into much more concrete code with, at the very least, a way to ensure a crash, which would confirm the vulnerabilities. From there, whether a crash can be transformed into an exploit is pretty much the result of luck, experience, and a lot of work, so it could take time to know this.
At the moment, I’d say it would be safe to not get too hyped over these disclosures, until it is confirmed that they are at least worth looking into.