Webkit vulnerabilities on PS4 8.xx, 9.00 and PS5 21.02: the current status

Last week, multiple WebKit vulnerabilities were surfaced for scene members to test on the PS4 and PS5. Three of them have caught the scene’s interest, and both the PS4 and PS5 might be impacted by some of these bugs.
An important disclaimer about the Proof of Concept pages that have been circulating: I’m not blaming anyone, as everybody’s trying to help here and we’re in the early stages, but I’ve seen a few PoC pages that I would consider “non scientific” in how they test for a vulnerability on the consoles. Long story short, if you decide to test these vulnerabilities through one of these pages, at this point it doesn’t mean a lot whether you get an error message or not, or whether you get a “patched” or “ok” message box. The only case where you can be 100% sure that you hit a vulnerability is if you crash the WebKit browser. In what I’ve seen so far, an “out of memory” error message (on either PS4 or PS5) is the most promising sign that a crash happened through these vulnerabilities, although I can also think of many ways to write code that would trigger a legitimate memory issue with no underlying vulnerability.
Bottom line: unless you understand what the code does, do not get too excited by a message box in your PS4/PS5 browser. And do not start reporting weird stuff such as “oh, PS4 9.xx is vulnerable but 8.50 is not”. Such a scenario (where a patch would have been “reverted” in a higher firmware) is so unlikely that if you see it happen, your first reaction should be to assume that the Proof of Concept is flawed.
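To make the point above concrete, here is an added example (not code from the original post or from any PoC it mentions): a small harness that records whether a test script reached its finish line, so that on the next page load you can tell “the browser died mid-test” from “the script threw an ordinary JavaScript error” or “nothing happened”. It assumes a storage object with `getItem`/`setItem` (pass `window.localStorage` in a real page; the in-memory version and the `legitimateErrorCandidate` stand-in are constructed here so the logic runs under node).

```javascript
// Added example (not code from the original post or from any PoC it mentions):
// a small harness that records whether a test script reached its finish line,
// so that on the next page load you can tell "the browser died mid-test"
// (the only outcome the post counts as evidence) from "the script threw an
// ordinary JavaScript error" or "nothing happened". Storage is injected:
// pass window.localStorage in a real page; the in-memory version below is a
// constructed stand-in so the logic also runs under node.

const STATE_KEY = "poc-run-state";
const STATES = { STARTED: "started", FINISHED: "finished", THREW: "threw" };

function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Call this first on every page load, before any test code runs.
function classifyPreviousRun(storage) {
  const prev = storage.getItem(STATE_KEY);
  if (prev === STATES.STARTED) return "crash-suspected";   // finish line never reached
  if (prev !== null && prev.startsWith(STATES.THREW)) return "exception-not-crash";
  if (prev === STATES.FINISHED) return "completed-no-effect";
  return "first-run";
}

// Wrap the candidate so its outcome is written down before the page reloads.
// A caught exception is recorded with its name: a RangeError from an oversized
// allocation is normal engine behaviour, not evidence of a memory-safety bug.
function runCandidate(storage, candidate) {
  storage.setItem(STATE_KEY, STATES.STARTED);
  try {
    candidate();
    storage.setItem(STATE_KEY, STATES.FINISHED);
  } catch (e) {
    storage.setItem(STATE_KEY, STATES.THREW + ":" + (e && e.name ? e.name : "Error"));
  }
  return storage.getItem(STATE_KEY);
}

// Constructed stand-in for a "legitimate memory issue with no underlying
// vulnerability": an invalid array length makes any engine throw RangeError.
function legitimateErrorCandidate() {
  return new Array(-1);
}
```

Only a “crash-suspected” result after the browser has restarted is worth reporting; a “patched”/“ok” alert or a caught exception tells you nothing. The “started” marker is written synchronously but a hard crash can still lose it, so repeat a run before drawing conclusions.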
The three Webkit vulnerabilities the PS4/PS5 scene is looking at right now
Below are the three vulnerabilities that were reported in the past few days:
CVE-2021-30858 Use-After-Free in removeFromFacesLookupTable
I’ve personally tested this one on PS4 9.00 and, to the extent of my understanding, the vulnerability exists on PS4 up to 9.00 (I’ve detailed here some of the things I tested for). People have reported that PS5 is also impacted, up to the latest firmware. This is a fairly recent issue, so it would make sense that, if the PS4 and PS5 are impacted, even recent firmwares are vulnerable. Again, keep the disclaimer above in mind, but an error message such as “not enough memory” is a good sign here.
PS5
21.01-03.21.00.00.00.00.00.01
there is not enough space in the system memory 🤔— ششمآلي (@abdurahman350) October 15, 2021
My uneducated guess on this vulnerability is that it could be hard to turn into an exploit, given the limited control an attacker could have over the impacted variables, but we’d need a hacker with actual experience to confirm this 🙂
If value.size is a large number, this might lead to an out of memory error (not useful)? If it’s 0, something could happen on the last line when the remove is triggered? If it’s a “regular” number then possibly no issue. Arbitrary at each execution. pic.twitter.com/f1T1vDzYOd
— Wololo (@frwololo) October 15, 2021
CVE-2021-30848 WebKit EventHandler::keyEvent Heap Use-After-Free
Another recent report, with full details and PoC available on PacketStorm here.
In the tests I’ve seen reported on Twitter so far, PS4/PS5 are not directly impacted by the issue. That doesn’t mean the vulnerability isn’t there, but I’ve seen no proof so far that the consoles are actually vulnerable in this case. Remember that you’d need a crash to confirm the issue; a JavaScript alert (or lack thereof) proves nothing, particularly in this case. At the very least, the proof of concept files need to be improved/refined to generate something that remotely looks like an attempt at getting a crash.
CVE-2021-30797 slow_path_profile_catch JavaScriptCore crash
This one was unearthed by @Zellix67, who states it works on firmwares 8.xx. Again, with no crash in the browser, it’s unlikely at this point that anything actually happens, although the vulnerability disclosure does state that the behavior here is quite arbitrary.
Little to no information is provided on this issue. PacketStorm has a proof of concept that was provided by Ivan Fratric of Google Security. The issue is described as a “crash”, and from the security engineer’s report, it doesn’t seem obvious that any code execution is actually possible.
This issue was reported in July this year, so recent firmwares (if the PS4/PS5 are actually impacted at all) could already have been patched.
Can these 3 WebKit vulnerabilities be transformed into exploits?
From my personal tests and observations of the scene, out of the three WebKit vulnerabilities that everybody’s excited about, only CVE-2021-30858 is confirmed to impact PS4/PS5 so far. I’m not saying the other two vulnerabilities do not impact PS4/PS5, but I haven’t seen concrete proof of that yet.
For all three vulnerabilities, we need people with the right set of skills to turn the initial disclosure proof-of-concepts into much more concrete code with, at the very least, a way to ensure a crash, which would confirm the vulnerabilities. From there, whether a crash can be transformed into an exploit is pretty much the result of luck, experience, and a lot of work, so it could take time to find out.
At the moment, I’d say it is safe not to get too hyped over these disclosures until it is confirmed that they are at least worth looking into.
FIRST FROM INDONESIA
I’m currently playing on PC. My ps4 8.00 can wait as long as it takes. It’s not like I need to play any game on ps4. In fact, I don’t feel like there is any interesting game on ps4.
This. Exactly this. Ever since the covid lockdowns last year, nothing new and exciting has been dropping. I have never seen so few AAA game releases. Usually there are like 4-5 titles per year I consider “must haves or definitely purchasing”. This year and end of last year combined I think there was one for me and that was Far Cry 6 that just dropped. I got Mass Effect Legendary too but that was more of a “I’m bored and I wanna game on redic settings with my pc” deal. I already have played all ME titles many times.
I *** off my Ps4 after the reported 8.0 WebKit vuln dropped as I had just updated to 8.03 literally days before as I had been locked out of psn due to not upgrading and any update patchers that I found or already knew of no longer worked. And I really wanted to download FFVII Remake as app retailers were closed at the time for shutdowns and online stops had tons of issues with digital orders (I mean Jesus I ordered ME Legendary using a gift card on bestbuy. Said I should receive the code in 24 hours. 72 hours later no code was sent and my order was marked as delivered on bestbuy site. I called them up. Talked to over ten diff people. No one could tell me what was going on. Three people said they reissued the code… which was a lie as the next Reps literally told me they couldn’t do that as they didn’t have capabilities to do so. Finally I got the code sent by their VP of customer relations after I sent a nasty email. Took two weeks to finally get a single damn steam key code.)
So yes… ps4 has been off and sitting since like Jan waiting for next jb. Any games I wanted to play, I could get right away on steam or with a repack download. I mean heck, my system is a Ryzen 9 3950x and a RTX 3080… I may not have been able to grab a ps5 but I got better than a ps5 already
*me glancing over at FFVII Remake, Ghost of Tsushima and The Last of Us 2…*
Uhh.. and why exactly would you buy a Ryzen 9 3950x for gaming?
Did you not watch Steve’s (Gamers Nexus) review for that?
Hm…
There are games. For now try br ones
Why did you buy a Ps4 then?
Be cautiously optimistic, 审慎乐观~
Hopefully we can get something out of all of this, nice write-up!
Fifth
Silly billy (the fake) fifth is kinda a worthless place
You’re not the original, I am, I’m so glad I’m living in your head rent free 🙂
That’s not me, but I’m also glad that that guy also lives in yours
Bruh, it seems like the original bro is in your head too.
In my heart
Can it do 4K?
That’s interesting. For pc, even i3 processors from years ago can output 4k, as long as you don’t do anything intense. The thing with consoles is that no matter what output resolution you set, games always run at their native internal resolution, so really the result doesn’t matter even if it’s upscaled to 4k
Doubt. If we get an 8.00 jailbreak for example, will we be able to dump games up to 8.52 or only at 8.00?
Only up to 8.00
Let the kids play. I’m pretty sure the people who know what they are doing know this already. False information in this case literally means nothing because the technical level of this exploit gates people from doing any harm to their own consoles or others.
After a year with a jb’en Ps4 pro I got bored, think Amma sell it and try getting a ps5 for future hacks… Wish we had stuff like the ps3.
I’m still sitting with my PS4, but I didn’t think that the PS5 had exactly the same problems. I myself work on the new Engre engineering platform, where I am approached for services in the field of IT Hardware. It’s a pity that I can’t get a job at the PS main office to solve all their problems. I hope by the release of the new version I will be able to achieve some results in this.