Editing Vulnerabilities
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 125: | Line 125: | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://twitter.com/theflow0/status/1701154155744645349 Removed tweet of BD-JB2 logs on a 7.61 PS5 by TheFloW (2023-09-11)] | * [https://twitter.com/theflow0/status/1701154155744645349 Removed tweet of BD-JB2 logs on a 7.61 PS5 by TheFloW (2023-09-11)] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
Basing on | Basing on BD-JB1 exploit files, in /bdmv/bdjo.xml changing bdjo/applicationManagementTable/baseDirectory to a path of the form `file:///app0/cdc/lib/../../../disc/BDMV/JAR/00000.jar` allows loading a JAR Java executable file. | ||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https://twitter.com/theflow0/status/1717088032031982066 | * [https://twitter.com/theflow0/status/1717088032031982066 PoC by TheFloW (2023-10-25)] | ||
==== Patched ==== | ==== Patched ==== | ||
'''No''' as of PS4 FW 10.71 (maybe patched on PS4 FW 11.00). '''Yes''' on PS5 FW 8.00 | '''No''' as of PS4 FW 10.71 (maybe patched on PS4 FW 11.00). '''Yes''' on PS5 FW 8.00. | ||
=== FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW === | === FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW === | ||
Line 153: | Line 150: | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
TO ADD DESCRIPTION OF EACH ONE OF THE 5 BUGS: | |||
* #1 com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl userprefs hijack leading to classes instantiation under privileged context (affecting ?PS3?, PS4, PS5) | |||
* #2 com.oracle.security.Service leading to privileged constructor call (affecting ?PS3?, PS4, not PS5) | |||
* #3 com.sony.gemstack.org.dvb.io.ixc.IxcProxy leading to privileged method call (affecting ?PS3?, PS4, PS5) | |||
* #4 JIT compiler hack leading to usermode arbitrary RW and arbitrary usermode code execution (affecting ?PS3?, PS4, not PS5) | |||
* #5 UDF buffer overflow kernel exploit (affecting ?PS3?, PS4, PS5) | |||
This exploit chain alone does not allow one to run pirated games on PS4 or PS5 as there is not enough RAM allowed in the BD-J process and there are other constraints. | |||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
Line 236: | Line 219: | ||
---- | ---- | ||
=== FW ? | === FW ?10.00-11.52? - Immediate overflow/underflow in JSC SBFX (CVE-2024-27833) leading to arbitrary code execution === | ||
==== Credits ==== | ==== Credits ==== | ||
* | * Manfred Paul (@_manfp), working with Trend Micro Zero Day Initiative, for discovering the vulnerability on Apple Safari at pwn2own 2024 (2024-03-21) [https://twitter.com/thezdi/status/1770611705510293546 Zero Day Initiative's tweet] | ||
* | * Justin Michaud for fix commit, Yusuke Suzuki for fix commit review (2024-05-15) | ||
* | * Apple disclose that Safari update integrates the fix (2024-06-10) | ||
* xvonfers and Bearseater (@JamesMa52390215) for discovering it affects PS4 and PS5 (2024-06-11) [https://twitter.com/xvonfers/status/1800426437486485635 xvonfer's tweet] | |||
==== Analysis ==== | ==== Analysis ==== | ||
* [https:// | * [https://github.com/WebKit/WebKit/commit/1ea4ef8127276fd00ca43ffcb22bed162072abde WebKit fix commit by Justin Michaud (2024-05-15)] | ||
* [https:// | * [https://bugs.webkit.org/show_bug.cgi?id=271491 WebKit Bugzilla #271491 with restricted access] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
It | There is an integer underflow in WebKit renderer. It was addressed with improved input validation. | ||
The JavaScriptCore Isel SBFX patterns in JavaScriptCore/b3/B3LowerToAir.cpp allowed immediate overflow as 'lsb' and 'width' are not properly checked. | |||
The | SBFX stands for Signed Bitfield Extract. See [https://www.scs.stanford.edu/~zyedidia/arm64/sbfx_sbfm.html] and [https://developer.arm.com/documentation/101273/0001/The-Cortex-M55-Instruction-Set--Reference-Material/Bit-field-instructions/SBFX-and-UBFX]. SBFX is an alias for SBFM (Signed Bitfield Move). See [https://www.scs.stanford.edu/~zyedidia/arm64/sbfm.html]. SBFM is a bitfield extraction opcode. | ||
Isel is a short name for Instruction SELect. This pass transforms generic machine instructions into equivalent target-specific instructions. It traverses the MachineFunction bottom-up, selecting uses before definitions, enabling trivial dead code elimination. | |||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https://github.com/WebKit/WebKit/blob/main/JSTests/stress/sbfx-offset-overflow.js Vulnerability test by Justin Michaud] | |||
* [https://github.com/WebKit/WebKit/blob/main/JSTests/stress/ | |||
==== Patched ==== | ==== Patched ==== | ||
''' | '''Yes''' on PS4 FW 12.00 and PS5 FW ?10.00?. | ||
==== Tested ==== | ==== Tested ==== | ||
Tested working on PS4 FWs 11.50 and PS5 FWs ?6.00-9.60?. Not working on PS4 <= 9.00 and PS5 >= 10.01. | |||
---- | ---- | ||
=== FW ? | === FW ?10.00?-11.52 - Unknown heap and string overflow (no CVE) leading to crash === | ||
==== Credits ==== | ==== Credits ==== | ||
* | * Debty for PoC public disclose (2024-08-29) | ||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://github.com/ | * [https://github.com/Debvt/Wm/tree/Root0 PoC and analysis by Debty (2024-08-29)] | ||
==== Bug Description ==== | ==== Bug Description ==== | ||
* TODO | |||
Implementation description by Debty:<br /> | |||
String exploit is not actually an exploit but just a memory exhauster. It is not actually viable so instead there is a feature called "latest iteration". | |||
==== Exploit Implementation ==== | ==== Exploit Implementation ==== | ||
* [https://github.com/ | * [https://github.com/Debvt/Wm/tree/Root0 PoC by Debty (2024-08-29)] | ||
==== Patched ==== | ==== Patched ==== | ||
'''Yes''' on PS4 FW | '''Yes''' on PS4 FW 12.00 and PS5 FW 10.00. | ||
==== Tested ==== | ==== Tested ==== | ||
Tested working on PS4 FWs | Tested working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60. | ||
---- | ---- | ||
=== FW 6.00- | === FW ?6.00-11.52? - Integer underflow in JSC genericTypedArrayViewProtoFuncCopyWithin (CVE-2023-38600) === | ||
==== Credits ==== | ==== Credits ==== | ||
* | * anonymous researcher for discovering the vulnerability and reporting it to Zero Day Initiative (2023-05) | ||
* Yusuke Suzuki and Mark Lam for fixing the bug in WebKit (2023-07-31) | |||
* | * Hossein Lotfi for publishing a writeup (2023-10-18) | ||
* | |||
==== Analysis ==== | ==== Analysis ==== | ||
* [https://github.com/WebKit/WebKit/commit/aa31b6b4d09b09acdf1cec11f2f7f35bd362dd0e WebKit bug-reintroducing commit by Darin Adler reviewed by Alex Christensen (2016-12-31)] | * [https://www.zerodayinitiative.com/blog/2023/10/17/cve-2023-38600-story-of-an-innocent-apple-safari-copywithin-gone-way-outside Writeup by Hossein Lotfi (2023-10-18)] | ||
* [https://bugs.webkit.org/show_bug.cgi?id=235551 WebKit fix talk by Yusuke Suzuki reviewed by Mark Lam (2022-01-24)] | * [https://github.com/WebKit/WebKit/commit/6e7e654417b61630d67f02b65798439cf3d6b0b5 WebKit fix commit by Yusuke Suzuki (2023-07-31)] | ||
* [https://github.com/WebKit/WebKit/commit/486816dc355c19f1de1b8056f85d0bbf7084dd6e WebKit fix commit by Yusuke Suzuki reviewed by Mark Lam (2022-01-25)] | |||
* [https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-22620.html Short writeup by Maddie Stone (2022-06-14)] | ==== Bug Description ==== | ||
* [https://googleprojectzero.blogspot.com/2022/06/an-autopsy-on-zombie-in-wild-0-day.html Detailed writeup by Maddie Stone (2022-06-14)] | It is required to recompute length properly when resize happens during TypedArray copyWithin. | ||
copyWithin's side effectful operation can resize resizable ArrayBuffer. WebKit has a code catching this and recompute the appropriate copy count again, but it can overflow if `to` or `from` are larger than the newly updated `length`. The patch handles this case correctly: returning since there is no copying content in this case. | |||
The issue was patched by aborting the copy if either of the two variables to or from is larger than the updated length. | |||
The values used during the exploit were sane as they went through a sanitizer function. However, in the final stage, the values were updated without checking if there are inside the buffer length bounds. | |||
According to PS4 WebKit source code for System Software version 11.00, not only it is not patched but it uses code from 2021! Looking at [https://github.com/WebKit/WebKit/blob/cccb58deac3c56a831678458ce95ea5b7c837614/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h#L177 a version close to one in the PS4 source code for System Software version 11.00], it should be exploitable. | |||
==== Exploit Implementation ==== | |||
* [https://gist.github.com/zdi-team/ad320bdc6ad095cc210c7031e0f0ecda/raw/746ce622fe73344ccb9cd51bc03ad97950f4ea3b/CVE-2023-38600-0.js Minimal PoC by Hossein Lotfi (2023-10-18)] | |||
* [https://github.com/WebKit/WebKit/blob/main/JSTests/stress/resizable-array-buffer-copy-within-length-update.js Vulnerability test code by Yusuke Suzuki (2023-07-31)] | |||
==== Patched ==== | |||
'''Maybe''' in FW 11.50. | |||
==== Tested ==== | |||
Not tested yet on PS4 nor PS5. To test on PS4 11.00. | |||
---- | |||
=== FW ?10.00-11.02? - JSC::DFG::clobberize() needs to be more precise with the *ByOffset nodes (CVE-2023-41993) leading to arbitrary RW === | |||
==== Credits ==== | |||
* Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group for discoverting the vulnerability and reporting it (2023-09-21) | |||
* Keith Miller for the WebKit fix commit (2023-10-09) | |||
* po6ix for his writeup (2023-10-15) | |||
==== Analysis ==== | |||
* [https://github.com/WebKit/WebKit/commit/08d5d17c766ffc7ca6a7c833c5720eb71b427784 WebKit fix commit by Keith Miller (2023-10-09)] | |||
* [https://github.com/po6ix/POC-for-CVE-2023-41993 Writeup by po6ix (2023-10-15)] | |||
==== Bug Description ==== | |||
clobberize needs to be more precise with the *ByOffset nodes. CSE phase uses clobberize to figure out if it's safe to merge two operations that def the same HeapLocation. Since HeapLocation does not currently have a way to track the offset used by the various *ByOffset nodes it can get confused and think that two ByOffset instructions produce the same value even if they do not use the same offset. This patch solves this by adding a new field to HeapLocation, which takes the metadata associated with the corresponding *ByOffset node. If two *ByOffset operations don't share the same metadata then they cannot be CSEed. | |||
This vulnerability is ranked 7.5 (HIGH) on CVSS:3.1. | |||
This vulnerability should provide r/w primitive to the webcontent process, but currently the PoC is written only up to addrof/fakeobj. | |||
==== Exploit Implementation ==== | |||
* [https://github.com/po6ix/POC-for-CVE-2023-41993 PoC written only up to addrof/fakeobj by po6ix (2023-10-15)] | |||
==== Patched ==== | |||
'''Maybe''' on PS4 FW 12.00 and PS5 ?10.00? | |||
==== Tested ==== | |||
Not tested yet. According to open source code, PS4 FW 11.00 should be vulnerable. | |||
---- | |||
=== FW 10.00-11.02 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to crash === | |||
==== Credits ==== | |||
* Alexey Shvayka for vulnerability discovery and fixes in WebKit (2023-05-01) | |||
* ENKI for public disclose and writeup (2024-06-03) | |||
* abc (anonymous) for tests and analysis (2024-10-01) | |||
==== Analysis ==== | |||
* [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc Analysis by ENKI (2024-06-03)] | |||
* [https://github.com/WebKit/WebKit/commit/1b0741f400ee2d31931ae30f2ddebe66e8fb0945 Patch commit #1 for vulnerability detection (2023-07-31)] | |||
* [https://github.com/WebKit/WebKit/commit/39476b8c83f0ac6c9a06582e4d8e5aef0bb0a88f Patch commit #2 (2023-05-01)] | |||
* [https://www.zerodayinitiative.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons Inverting Your Assumptions: A Guide to JIT Comparisons by Jasiel Spelman (2018-04-12)] | |||
==== Bug Description ==== | |||
Note that the PS4 web browser JIT support has been removed since around PS4 System Software version 5.00 or lower so using the article directly is not applicable. | |||
The clobber bug PoC turns out not to be a memory corruption. Just like the article said, you can access a `GetterSetter` directly. The crash came from triggering `GetterSetter`'s methods that will call `RELEASE_ASSERT()`. | |||
We actually have [[#FW_?6.00-11.52?_-_get_by_id_with_this_associated_with_ProxyObject_can_leak_JSScope_objects|a bug that can leak `GetterSetter`s]]. | |||
In summary with tinkering with this bug, abc (anonymous) do not think that an attacker can do anything useful with accessing a `GetterSetter`. The clobberWorld bug however does allow setting properties in places where you usually cannot like `Function's prototype` as shown in the article. But without JIT, one probably cannot cause any memory corruption. The impact for both bugs (clobberWorld and ProxyObject) is probably just JavaScript execution, which we already have, which is a no go in some context (JS injection) but it does not help in gaining usermode ROP execution on PS4 or PS5. | |||
==== Exploit Implementation ==== | |||
* [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc PoC by ENKI (2024-06-03)] | |||
==== Patched ==== | |||
'''Yes''' on PS4 FW 11.50 and PS5 FW 9.00. | |||
==== Tested ==== | |||
Tested working on PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60. PS4 FWs <= ?9.60? and PS5 FWs <= ?5.50? are invulnerable. | |||
---- | |||
=== FW ?6.00-11.00? - CloneDeserializer::deserialize() UaF (CVE-2023-28205) leading to arbitrary RW === | |||
==== Credits ==== | |||
* Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab for discovering the vulnerability and reporting it to Apple (2023-04-10) | |||
* Justin Michaud, Mark Lam and JonWBedard for fixing the bug in WebKit (2023-04-17) | |||
* abc (anonymous) for making an OOM PoC for PS4 and PS5 (2024-12-01) | |||
==== Analysis ==== | |||
* [https://github.com/WebKit/WebKit/commit/c9880de4a28b9a64a5e1d0513dc245d61a2e6ddb WebKit fix commit (2023-04-17)] | |||
==== Bug Description ==== | |||
Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects in a few Vectors, in a MarkedArgumentBufferBase. This is problematic because the GC is not aware of Vectors, and cannot scan them. Instead, CloneDeserializer::deserialize() should store cell pointers in a MarkedVector. | |||
The PoC code triggers a use-after-free (UaF) vulnerability by delaying the addition of Map and Date objects, which allows the garbage collector (GC) to free them. This can potentially lead to accessing freed objects to corrupt memory. Then it cannot avoid executing a release assert that causes an Out-Of-Memory crash. | |||
The WebKit patch refactors the MarkedArgumentBuffer class into a MarkedVector template class. | |||
==== Exploit Implementation ==== | |||
* [https://github.com/ntfargo/uaf-2023-28205/blob/main/poc.js PoC by abc (2024-12-01)] | |||
==== Patched ==== | |||
'''Yes''' on PS4 FW ?11.00? and PS5 FW ?8.00?. | |||
==== Tested ==== | |||
Tested working on PS4 FWs ? and PS5 FWs 6.00-7.61. | |||
---- | |||
=== FW 6.00-9.60 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW === | |||
==== Credits ==== | |||
* Sergei Glazunov, Google Project Zero, for reporting the bug in 2013-01 and answering Maddie Stone's questions in 2022 (2013) | |||
* Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2022-06-14) | |||
* abc (anonymous) for making an OOM PoC for webkit-gtk, PS4 and PS5 (2023-10-03) then making an arbitrary RW PoC (PSFree) for webkit-gtk, PS4 6.00-9.60 and PS5 1.00-5.50 (2023-10-24) | |||
* CelesteBlue for testing and porting abc' PSFree to PS4 6.00-9.60 and PS5 1.00-5.50 (2023-11-04) | |||
==== Analysis ==== | |||
* [https://github.com/WebKit/WebKit/commit/aa31b6b4d09b09acdf1cec11f2f7f35bd362dd0e WebKit bug-reintroducing commit by Darin Adler reviewed by Alex Christensen (2016-12-31)] | |||
* [https://bugs.webkit.org/show_bug.cgi?id=235551 WebKit fix talk by Yusuke Suzuki reviewed by Mark Lam (2022-01-24)] | |||
* [https://github.com/WebKit/WebKit/commit/486816dc355c19f1de1b8056f85d0bbf7084dd6e WebKit fix commit by Yusuke Suzuki reviewed by Mark Lam (2022-01-25)] | |||
* [https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-22620.html Short writeup by Maddie Stone (2022-06-14)] | |||
* [https://googleprojectzero.blogspot.com/2022/06/an-autopsy-on-zombie-in-wild-0-day.html Detailed writeup by Maddie Stone (2022-06-14)] | |||
==== Bug Description ==== | |||
The History API allows access to (and modification of) a stack of the pages visited in the current frame, and these page states are stored as a <code>SerializedScriptValue</code>. The History API exposes a getter for state, and a method <code>replaceState()</code> which allows overwriting the "most recent" history entry. | |||
The bug is that <code>FrameLoader::loadInSameDocument()</code> takes the state as an argument (<code>stateObject</code>), but does not increase its reference count. Only a <code>HistoryItem</code> object holds a reference to the <code>stateObject</code>. <code>loadInSameDocument()</code> can trigger a callback into user JavaScript through the <code>onblur</code> event. The user's callback can call <code>replaceState()</code> to replace the <code>HistoryItem</code>'s state with a new object, therefore dropping the only reference to the <code>stateObject</code>. When the callback returns, <code>loadInSameDocument()</code> will still use this free'd object in its call to <code>statePopped()</code>, leading to the use-after-free. | |||
When <code>loadInSameDocument()</code> is called it changes the focus to the element its scrolling to. If we set the focus on a different element prior to <code>loadInSameDocument()</code>'s execution, the blur event will be fired on that element. Then we can free the <code>stateObject</code> by calling <code>replaceState()</code> in the <code>onblur</code> event handler. | |||
The bug is triggered by <code>history.back()</code> with the target state whose URL contains a hash. Here's a Proof-of-Concept that will crash: | |||
<source lang="js"> | |||
input = document.body.appendChild(document.createElement('input')); | |||
foo = document.body.appendChild(document.createElement('a')); | |||
foo.id = 'foo'; | |||
function pop(event) { | |||
alert('you get a crash after you close this alert'); | |||
event.state; // use the freed SerializedScriptValue | |||
alert('WebKit version not vulnerable'); | |||
} | |||
addEventListener('popstate', pop); | |||
history.pushState('state1', '', location + '#foo'); // URL with a hash | |||
history.pushState('state2', ''); | |||
setTimeout(() => { | |||
input.focus(); | |||
input.onblur = () => { | |||
history.replaceState('state3', '') | |||
}; | |||
setTimeout(() => { | |||
history.back(); // trigger loadInSameDocument() | |||
}, 1000); | |||
}, 1000); | |||
</source> | |||
The user may then trigger a double free and escalate it into an arbitrary read primitive via spraying <code>WTF::StringImpl</code>s like in the <code>buildBubbleTree()</code> UaF exploit. The read primitive is used to create the <code>addrof()</code> primitive and is used to save addresses of buffers that will be used to modify a <code>SerializedScriptValue</code>. After freeing the StringImpl (triple free), <code>SerializedScriptValue</code>s are sprayed via the <code>postMessage()</code> JavaScript function until one is allocated using the previously freed memory. | |||
The method used to modify the fields of the <code>StringImpl</code> for arbitrary reads can be used can also be used to modify the <code>SerializedScriptValue</code>. Appropriate fields can modified to have deserialization create a <code>JSC::JSArrayBufferView</code> whose <code>m_vector</code> field will point to another <code>JSArrayBufferView</code>, which will be called the worker. The user can modify the worker's fields for arbitrary read/write. Deserialization is done via <code>msg.data</code> where <code>msg</code> is the <code>MessageEvent</code> from <code>postMessage()</code>. | |||
The | |||
A way to know if the system is vulnerable is the appearance of the input HTML element in the PoC page. If the HTML input field stays focused (blue outline) after the second timeout, then the vulnerability is not present. Note that Maddie Stone's PoC will never trigger any sort of crash on release builds as it was meant for builds with memory sanitation that can detect UaFs. | |||
==== Exploit Implementation ==== | |||
* Simple PoC for ASAN webkit-gtk by Maddie Stone in Maddie Stone's writeups | |||
* [https://github.com/springsec/CVE-2022-22620/blob/main/CVE-2022-22620_infoleak_exploit.html Information leak PoC for webkit-gtk by springsec] | |||
* [https://discord.com OOM PoC for PS4 and PS5 by abc on ps4-dev discord (to mirror)] | |||
* [https://discord.com Arbitrary RW PoC (PSFree) for PS4 6.00-9.60 and PS5 1.00-5.50 by abc on ps4-dev discord (to mirror)] | |||
==== Patched ==== | |||
'''Yes''' on PS4 FW 10.00 and PS5 FW 6.00. | |||
The patch changes the stateObject argument to loadInSameDocument from a raw pointer, SerializedScriptValue*, to a reference-counted pointer, RefPtr<SerializedScriptValue>, so that loadInSameDocument now increments the reference count on the object. | |||
==== Tested ==== | |||
Tested working on PS4 FWs 6.00-9.60 and PS5 FWs 1.00-5.50. PS4 FWs <= 5.56 are invulnerable as the HTML input field stays focused (blue outline) after second timeout whilst it should not if the console were exploitable. | |||
---- | |||
=== FW 9.00-9.04 - WebCore::CSSFontFaceSet vulnerabilities leading to arbitrary RW === | |||
There are many FontFaceSet vulnerabilities. Explore [https://trac.webkit.org/search?q=mmaxfield%40apple.com+FontFaceSet&noquickjump=1&changeset=on]. | |||
==== Credits ==== | |||
* Myles C. Maxfield (litherum), Apple, for adding the vulnerability in WebKit (2016-02-22) then fixing and so disclosing the vulnerability (2021-08-26) | |||
* Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2021-10-13) | |||
* PS Test discord server community for testing PoCs of many WebKit vulnerabilities on their PS4s (2021-10-13) | |||
* sleirsgoevy for making the first exploit PoC for Safari (2021-10-24) and the first exploit PoC for PS4 FW 9.00-9.04 and PS5 FW 3.00-4.50 (2021-10-27) | |||
==== Analysis ==== | |||
* [https://github.com/WebKit/WebKit/commit/d5dbfd02054e9f904b27224a598ca1bb8ded5f87 WebKit bug-introducing commit by Myles C. Maxfield - r256659 (2016-02-22)] | |||
==== Analysis ==== | |||
* [https://github.com/WebKit/WebKit/commit/d5dbfd02054e9f904b27224a598ca1bb8ded5f87 WebKit bug-introducing commit by Myles C. Maxfield - r256659 (2016-02-22)] | |||
* [https://trac.webkit.org/changeset/281648/webkit WebKit fix commit by Myles C. Maxfield - r281648 (2021-08-26)] | * [https://trac.webkit.org/changeset/281648/webkit WebKit fix commit by Myles C. Maxfield - r281648 (2021-08-26)] | ||
* [https://github.com/WebKit/WebKit/commit/b22be72a013442ca9d1ff4bf3aa8aa436f78f142 WebKit commit adding FontFace tests (2021-09-01)] | * [https://github.com/WebKit/WebKit/commit/b22be72a013442ca9d1ff4bf3aa8aa436f78f142 WebKit commit adding FontFace tests (2021-09-01)] | ||
Line 898: | Line 996: | ||
CVE-2018-4192 | CVE-2018-4192 | ||
https://blog.ret2.io/2018/06/13/pwn2own-2018-vulnerability-discovery/ | https://blog.ret2.io/2018/06/13/pwn2own-2018-vulnerability-discovery/ | ||
https://blog.ret2.io/2018/06/19/pwn2own-2018-root-cause-analysis/#arrayreverse-considered-harmful | https://blog.ret2.io/2018/06/19/pwn2own-2018-root-cause-analysis/#arrayreverse-considered-harmful | ||
https://blog.ret2.io/2018/07/11/pwn2own-2018-jsc-exploit/ | https://blog.ret2.io/2018/07/11/pwn2own-2018-jsc-exploit/ | ||
CVE-2018-4443 | |||
WebKit JSC - 'AbstractValue::set' Use-After-Free | |||
lokihardt of Google Project Zero | |||
2019-01-22 | |||
https://www.exploit-db.com/exploits/46071 | |||
Improper Restriction of Operations within the Bounds of a Memory Buffer | |||
Unknown CVE | |||
Luca Todesco (qwertyruiopz) | |||
before 2019-08-15 | |||
https://gist.github.com/jakeajames/5ceb90ebaa34eabb3e170b5c7eb2c7d1/revisions | |||
CVE- | CVE-2023-41074 | ||
Affecting WebKitGTK. | |||
CVE-2023-42917 | |||
Affecting WebKitGTK. | |||
</pre> | </pre> | ||
Line 957: | Line 1,061: | ||
* See the PS4 [[Syscalls]] list. | * See the PS4 [[Syscalls]] list. | ||
=== | === Syscall 0 disabled i.e Error Kernel: The application directly issues a syscall instruction (24) === | ||
* Between 2.00 and 2.57, SCE has removed system call 0, so we can no longer call any syscall we want by specifying the call number in the rax register. | |||
* Doing so now crashes the app and gives error CE-34878-0, SCE_KERNEL_ABORT_REASON_SYSTEM_ILLEGAL_FUNCTION_CALL, with the message "Kernel: The application directly issues a syscall instruction (24)". | |||
* We now have to use wrappers provided to us from the libkernel / libkernel_web / libkernel_sys modules to access system calls. | |||
=== bpf_write function stripped out of the kernel === | === bpf_write function stripped out of the kernel === | ||
Line 1,537: | Line 1,634: | ||
* Discovered by yifan lu (2017-02-19), plutoo and Proxima (2018-08-09), Davee (2018-12-29) for PS Vita, by flatz (2021-12-18) for PlayStation 4. | * Discovered by yifan lu (2017-02-19), plutoo and Proxima (2018-08-09), Davee (2018-12-29) for PS Vita, by flatz (2021-12-18) for PlayStation 4. | ||
=== Bug description === | |||
The PS4 Crypto Coprocessor (CCP) interface in Secure Kernel has a bug that allows to dump (or better saying, bruteforce) key rings from SAMU. | |||
That is how AES/HMAC keys from PFS, portability keys, VTRM keys, etc can be retrieved. A crypto flaw was in the ability to issue HMAC operation with key length stricly lower than 16. For example, by setting it to 1 you can bruteforce key bytes one by one by comparing HMAC result with HMAC result with known partial key. | |||
This trick may work on other crypto hardware as well if it does not restrict key lengths. Amazingly, Intel Secure Key Storage (SKS) of CSME subsystem also has a bug allowing to brute-force any key slot, but the issue exists at hardware level - insecure design of the keys distribution to crypto engines (AES, SHA, RC4). Intel did not recognize the bug arguing that to access SKS the CSME privileged arbitrary code execution is required, but SKS is exactly designed to protect the ROM generated keys from CSME firmware... | |||
This can be used to dump the AES XTS key and HMAC key of a specific PS4 game PKG. Then one can use maxton's LibOrbisPkg or flatz's pkg_pfs_tool to unpack this PKG file. | |||
==== Analysis ==== | ==== Analysis ==== | ||
Line 1,576: | Line 1,648: | ||
* https://twitter.com/qlutoo/status/1027691272369262594 | * https://twitter.com/qlutoo/status/1027691272369262594 | ||
* https://www.lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/ | * https://www.lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/ | ||
* | * https://twitter.com/flat_z/status/1472243592815169546 | ||
==== Implementation ==== | ==== Implementation ==== | ||
* [https://github.com/jocover/ps4-hen-vtx/releases/tag/pfs_dump Compiled payload for PS4 5.05 by jogolden | * [https://github.com/jocover/ps4-hen-vtx/releases/tag/pfs_dump Compiled payload for PS4 5.05 by jogolden] | ||
* [https://github.com/jocover/ps4-hen-vtx/tree/samu_key_dump Implementation for PS4 5.05 by jogolden | * [https://github.com/jocover/ps4-hen-vtx/tree/samu_key_dump Implementation for PS4 5.05 by jogolden] | ||
* [https://gist.github.com/flatz/22215327864d7512e52268f9c9c51cd8 Exploit PoC for PS4 7.55 by flatz] | |||
* [https://gist.github.com/flatz/22215327864d7512e52268f9c9c51cd8 Exploit PoC for PS4 7.55 by flatz | |||
==== Patched ==== | ==== Patched ==== |