Editing Vulnerabilities
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 287: | Line 287: | ||
=== WebKit sources === | === WebKit sources === | ||
[https://web.archive.org/web/20231108165430/https://doc.dl.playstation.net/doc/ps4-oss/webkit.html WebKit sources] Currently archived up to version 10.01. Useful for developers that can't access PlayStation URLs and also for when Sony inevitably stops hosting the sources in the future. | |||
[https://web.archive.org/web/ | |||
=== FW ?10.00?-11.52 - Unknown heap and string overflow (no CVE) leading to crash === | === FW ?10.00?-11.52 - Unknown heap and string overflow (no CVE) leading to crash === | ||
Line 380: | Line 309: | ||
'''Yes''' on PS4 FW 12.00 and PS5 FW 10.00. | '''Yes''' on PS4 FW 12.00 and PS5 FW 10.00. | ||
Tested working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60. | Tested working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60. | ||
=== FW 10.00-11.02 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to crash === | === FW 10.00-11.02 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to crash === | ||
==== Credits ==== | ==== Credits ==== | ||
* ENKI for public disclose and analysis (2024-06-03) | |||
* ENKI for public disclose and | |||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc Analysis by ENKI (2024-06-03)] | * [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc Analysis by ENKI (2024-06-03)] | ||
* [https://github.com/WebKit/WebKit/commit/1b0741f400ee2d31931ae30f2ddebe66e8fb0945 Patch commit #1 | * [https://github.com/WebKit/WebKit/commit/1b0741f400ee2d31931ae30f2ddebe66e8fb0945 Patch commit #1 (2023-07-31)] | ||
* [https://github.com/WebKit/WebKit/commit/39476b8c83f0ac6c9a06582e4d8e5aef0bb0a88f Patch commit #2 (2023-05-01)] | * [https://github.com/WebKit/WebKit/commit/39476b8c83f0ac6c9a06582e4d8e5aef0bb0a88f Patch commit #2 (2023-05-01)] | ||
* [https://www.zerodayinitiative.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons Inverting Your Assumptions: A Guide to JIT Comparisons by Jasiel Spelman (2018-04-12)] | * [https://www.zerodayinitiative.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons Inverting Your Assumptions: A Guide to JIT Comparisons by Jasiel Spelman (2018-04-12)] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
According to abc (anonymous): | |||
"The clobber bug PoC turns out not to be a memory corruption. Just like the article said, you can access a `GetterSetter` directly. The crash came from triggering `GetterSetter`'s methods that will call `RELEASE_ASSERT()`. We actually came across a bug that can leak `GetterSetter`s at WebKit's git main branch: `ceb7e89febcd [JSC] get_by_id_with_this + ProxyObject can leak JSScope objects https://bugs.webkit.org/show_bug.cgi?id=267425 <rdar://120777816>` | |||
The clobber bug PoC turns out not to be a memory corruption. Just like the article said, you can access a `GetterSetter` directly. The crash came from triggering `GetterSetter`'s methods that will call `RELEASE_ASSERT()`. | <br /> | ||
In summary with tinkering with this bug, we do not think you can do anything useful with accessing a `GetterSetter`. The clobber bug however does allow setting properties in places where you usually cannot like `Function's prototype` in the article. But without JIT, we do not think you can cause any memory corruption. The impact for both bugs is probably just JS execution, which we already have, which is a no go in some context (JS injection) but it does not help in gaining PS4/PS5 usermode execution. | |||
We actually | <br /> | ||
Note that the PS4 webbrowser JIT has been removed around PS4 System Software version 5.00 or lower so using the article is not applicable." | |||
In summary with tinkering with this bug, | |||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
Line 473: | Line 336: | ||
'''Yes''' on PS4 FW 11.50 and PS5 FW 9.00. | '''Yes''' on PS4 FW 11.50 and PS5 FW 9.00. | ||
Tested working on PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60. PS4 FWs <= ?9.60? and PS5 FWs <= ?5.50? are invulnerable. | Tested working on PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60. PS4 FWs <= ?9.60? and PS5 FWs <= ?5.50? are invulnerable. | ||
=== FW 6.00-9.60 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW === | === FW 6.00-9.60 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW === | ||
Line 482: | Line 343: | ||
* Sergei Glazunov, Google Project Zero, for reporting the bug in 2013-01 and answering Maddie Stone's questions in 2022 (2013) | * Sergei Glazunov, Google Project Zero, for reporting the bug in 2013-01 and answering Maddie Stone's questions in 2022 (2013) | ||
* Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2022-06-14) | * Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2022-06-14) | ||
* | * Abc (anonymous person) for making an OOM PoC for webkit-gtk, PS4 and PS5 (2023-10-03) then making an arbitrary RW PoC (PSFree) for webkit-gtk, PS4 6.00-9.60 and PS5 1.00-5.50 (2023-10-24) | ||
* CelesteBlue for testing and porting abc' PSFree to PS4 6.00-9.60 and PS5 1.00-5.50 (2023-11-04) | * CelesteBlue for testing and porting abc' PSFree to PS4 6.00-9.60 and PS5 1.00-5.50 (2023-11-04) | ||
Line 545: | Line 406: | ||
The patch changes the stateObject argument to loadInSameDocument from a raw pointer, SerializedScriptValue*, to a reference-counted pointer, RefPtr<SerializedScriptValue>, so that loadInSameDocument now increments the reference count on the object. | The patch changes the stateObject argument to loadInSameDocument from a raw pointer, SerializedScriptValue*, to a reference-counted pointer, RefPtr<SerializedScriptValue>, so that loadInSameDocument now increments the reference count on the object. | ||
Tested working on PS4 FWs 6.00-9.60 and PS5 FWs 1.00-5.50. PS4 FWs <= 5.56 are invulnerable as the HTML input field stays focused (blue outline) after second timeout whilst it should not if the console were exploitable. | Tested working on PS4 FWs 6.00-9.60 and PS5 FWs 1.00-5.50. PS4 FWs <= 5.56 are invulnerable as the HTML input field stays focused (blue outline) after second timeout whilst it should not if the console were exploitable. | ||
=== FW 9.00-9.04 - WebCore::CSSFontFaceSet vulnerabilities leading to arbitrary RW === | === FW 9.00-9.04 - WebCore::CSSFontFaceSet vulnerabilities leading to arbitrary RW === | ||
Line 596: | Line 455: | ||
Might have been introduced in PS4 FW 3.50 and before PS5 FW 1.00 according to dates (need to check). However the vulnerability cannot be exploited in some conditions depending on how WebKit was compiled. For example, on PS4 FWs 7.55-8.52 and PS5 FWs <= 2.00, the FontFaceSet constructor returns with an exception that is propagated to JavaScript, preventing exploitation this way. | Might have been introduced in PS4 FW 3.50 and before PS5 FW 1.00 according to dates (need to check). However the vulnerability cannot be exploited in some conditions depending on how WebKit was compiled. For example, on PS4 FWs 7.55-8.52 and PS5 FWs <= 2.00, the FontFaceSet constructor returns with an exception that is propagated to JavaScript, preventing exploitation this way. | ||
Tested working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.51. Untested: PS5 FWs 2.10-2.50 and >=5.00. | Tested working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.51. Untested: PS5 FWs 2.10-2.50 and >=5.00. | ||
=== FW 6.00-7.55 - WebCore::ValidationMessage::buildBubbleTree() UaF leading to arbitrary RW === | === FW 6.00-7.55 - WebCore::ValidationMessage::buildBubbleTree() UaF leading to arbitrary RW === | ||
Line 626: | Line 483: | ||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' in 8.00 FW. | '''Yes''' in 8.00 FW. Tested working on FWs 6.00-7.55, not working on FWs <= 5.56. HTML textarea guessed addresses for FWs 6.70-7.55 are known but not for FWs 6.00-6.51 so an attacker needs to make tests to determine these addresses on FWs 6.00-6.51. | ||
Tested working on FWs 6.00-7.55, not working on FWs <= 5.56. HTML textarea guessed addresses for FWs 6.70-7.55 are known but not for FWs 6.00-6.51 so an attacker needs to make tests to determine these addresses on FWs 6.00-6.51. | |||
=== FW 6.00-6.72 - bad_hoist Type Confusion exploit (CVE-2018-4386) leading to arbirary RW === | === FW 6.00-6.72 - bad_hoist Type Confusion exploit (CVE-2018-4386) leading to arbirary RW === | ||
Line 673: | Line 526: | ||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' in 7.00 FW. | '''Yes''' in 7.00 FW. Vulnerable on PS4 FWs 4.50-6.72. Not vulnerable on FWs <= 4.07. Not vulnerable on FWs >=7.00 according to manual tests but need to check WebKit sources. | ||
Vulnerable on PS4 FWs 4.50-6.72. Not vulnerable on FWs <= 4.07. Not vulnerable on FWs >=7.00 according to manual tests but need to check WebKit sources. | |||
---- | ---- | ||
Line 699: | Line 549: | ||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' in 6.50 FW. | '''Yes''' in 6.50 FW. It does not work on <= 4.07 FW PS4 according to tests as the exploit fails at step "Triggering memory corruption". | ||
It does not work on <= 4.07 FW PS4 according to tests as the exploit fails at step "Triggering memory corruption". | |||
---- | ---- | ||
Line 843: | Line 690: | ||
==== Tested ==== | ==== Tested ==== | ||
Works on 3.15-4.07. Not working on <= 3.11. | Works on 3.15-4.07. Not working on <= 3.11. | ||
---- | ---- | ||
Line 900: | Line 700: | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://blog.xyz.is/2016/webkit-360.html PSVita 3.60 | * [https://blog.xyz.is/2016/webkit-360.html PSVita 3.60 HENKaku WebKit exploit writeup] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
Line 918: | Line 718: | ||
=== FW <= 3.50 - WebCore::TimerBase::heapPopMin() Heap UaF leading to crash === | === FW <= 3.50 - WebCore::TimerBase::heapPopMin() Heap UaF leading to crash === | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://github.com/WebKit/WebKit-http/commit/98845d940e30529098eea7e496af02e14301c704 WebKit fix commit ( | * [https://github.com/WebKit/WebKit-http/commit/98845d940e30529098eea7e496af02e14301c704 WebKit fix commit (17-05-2016)] | ||
* [https://xz.aliyun.com/t/292 Summary of Critical and Exploitable iOS Vulnerabilities in 2016 by Min (Spark) Zheng, Cererdlong, Eakerqiu @ Team OverSky] | * [https://xz.aliyun.com/t/292 Summary of Critical and Exploitable iOS Vulnerabilities in 2016 by Min (Spark) Zheng, Cererdlong, Eakerqiu @ Team OverSky] | ||
Line 930: | Line 727: | ||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [http://psxhax.com/threads/ps4-3-50-webkit-exploit-from-playstation-4-dev-qwertyoruiop.450/ Article about qwertyoruiop's tests ( | * [http://psxhax.com/threads/ps4-3-50-webkit-exploit-from-playstation-4-dev-qwertyoruiop.450/ Article about qwertyoruiop's tests (20-05-2016)] | ||
* [http://psxhax.com/threads/ps4-heap-use-after-free-at-webcore-3-50-poc-by-hunter128.452/ Article about initial PoC for PS4 ( | * [http://psxhax.com/threads/ps4-heap-use-after-free-at-webcore-3-50-poc-by-hunter128.452/ Article about initial PoC for PS4 (21-05-2016)] | ||
* [http://wololo.net/talk/viewtopic.php?t=45888 Initial PoC for PS4 ( | * [http://wololo.net/talk/viewtopic.php?t=45888 Initial PoC for PS4 (21-05-2016)] | ||
* [https://web.archive.org/web/20161030085033/http://cryptoanarchic.me/wat.txt iOS 9.3.2 WebKit RCE via heapPopMin (2016 | * [https://web.archive.org/web/20161030085033/http://cryptoanarchic.me/wat.txt iOS 9.3.2 WebKit RCE via heapPopMin (07-2016)] | ||
* [https://twitter.com/qwertyoruiopz/status/756268361282125824 qwertyoruiop's tweet ( | * [https://twitter.com/qwertyoruiopz/status/756268361282125824 qwertyoruiop's tweet (22-07-2016)] | ||
* [https://github.com/Jailbreaks/jbme/tree/master mirror of iOS 9.3.2 WebKit RCE via heapPopMin] | * [https://github.com/Jailbreaks/jbme/tree/master mirror of iOS 9.3.2 WebKit RCE via heapPopMin] | ||
Line 1,043: | Line 840: | ||
* Vitaliy Toropov for the exploit on Mac OS X Safari (September 4, 2013) | * Vitaliy Toropov for the exploit on Mac OS X Safari (September 4, 2013) | ||
* nas and Proxima for the first PS4 POC on 1.76 PS4 ( | * nas and Proxima for the first PS4 POC on 1.76 PS4 (Oct. 23, 2014) | ||
* sony for patching the exploit in FW 2.00 ( | * sony for patching the exploit in FW 2.00 (Oct 27, 2014) | ||
* CTurt for the rewriting (PS4 1.76 PlayGround) and implementation with his 1.76 kexploit (December 6, 2015) [https://twitter.com/CTurtE/status/673581693207502849] | * CTurt for the rewriting (PS4 1.76 PlayGround) and implementation with his 1.76 kexploit (December 6, 2015) [https://twitter.com/CTurtE/status/673581693207502849] | ||
Line 1,068: | Line 865: | ||
==== Tested ==== | ==== Tested ==== | ||
* Working on | * Working on 1.00-1.76 FW, AppleWebKit/531.3-536.26 | ||
* Might work on | * Might work on FW 0.930.020. | ||
== Usermode securities == | == Usermode securities == | ||
Line 1,177: | Line 970: | ||
* [https://www.freebsd.org/security/advisories/FreeBSD-SA-06:18.ppp.asc FreeBSD Security Advisory for CVE-2006-4304 (2006-08-23)] | * [https://www.freebsd.org/security/advisories/FreeBSD-SA-06:18.ppp.asc FreeBSD Security Advisory for CVE-2006-4304 (2006-08-23)] | ||
* [https://hackerone.com/reports/2177925 HackerOne report about Remote vulnerabilities in spp by TheFloW (2023-09-22)] | * [https://hackerone.com/reports/2177925 HackerOne report about Remote vulnerabilities in spp by TheFloW (2023-09-22)] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
Line 1,460: | Line 1,251: | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/ fail0verflow's writeup on the | * [https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/ fail0verflow's writeup on the 1.01-4.05 namedobj kernel exploit] (2017-10-19) | ||
* [https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/NamedObj%20Kernel%20Exploit%20Overview.md Specter's first writeup] (2017-10-20) | * [https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/NamedObj%20Kernel%20Exploit%20Overview.md Specter's first writeup] (2017-10-20) | ||
* [https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/%22NamedObj%22%204.05%20Kernel%20Exploit%20Writeup.md Specter's writeup on his | * [https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/%22NamedObj%22%204.05%20Kernel%20Exploit%20Writeup.md Specter's writeup on his 4.05 implementation] (2017-12-28) | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
Line 1,470: | Line 1,259: | ||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
[https://github.com/Cryptogenic/PS4-4.05-Kernel-Exploit PS4 4.05 WebKit + Kernel Exploit] | |||
==== Patched ==== | ==== Patched ==== | ||
Line 1,477: | Line 1,266: | ||
==== Tested ==== | ==== Tested ==== | ||
Works on FWs 4.00-4.05. On <= 3.70 FW we have not found a way to leak the target object, but it might be doable as Fail0verflow did it on 1.01. | Works on FWs 4.00-4.05. On <= 3.70 FW we have not found a way to leak the target object, but it might be doable as Fail0verflow did it on 1.01. | ||
---- | ---- | ||