Editing Vulnerabilities

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 125: Line 125:


==== Analysis ====
==== Analysis ====
* [https://github.com/TheOfficialFloW/Presentations/blob/master/2022-hardwear-io-bd-jb.pdf Pages 27 and 28 of slides presented at hardwear.io by TheFloW (2022-06-10)]
* [https://twitter.com/theflow0/status/1701154155744645349 Removed tweet of BD-JB2 logs on a 7.61 PS5 by TheFloW (2023-09-11)]
* [https://twitter.com/theflow0/status/1701154155744645349 Removed tweet of BD-JB2 logs on a 7.61 PS5 by TheFloW (2023-09-11)]
* [https://github.com/TheOfficialFloW/bd-jb/commit/44713ef59f897ff2125efccbdcb5d07dbe1ffdb5 Diff between UserPreferenceManagerImpl hijack and Path traversal sandbox escape implementations by TheFloW (2024-11-28)]


==== Bug Description ====
==== Bug Description ====
Basing on the BD-JB1 exploit files, in /bdmv/bdjo.xml changing bdjo/applicationManagementTable/baseDirectory to a path of the form `file:///app0/cdc/lib/../../../disc/BDMV/JAR/00000.jar` allows loading a JAR Java executable file. This vulnerability can efficiently replace the UserPreferenceManagerImpl to extend the supported System Software versions range compared to BD-JB1.
Basing on BD-JB1 exploit files, in /bdmv/bdjo.xml changing bdjo/applicationManagementTable/baseDirectory to a path of the form `file:///app0/cdc/lib/../../../disc/BDMV/JAR/00000.jar` allows loading a JAR Java executable file.


==== Exploit Implementation ====
==== Exploit Implementation ====
* [https://twitter.com/theflow0/status/1717088032031982066 Removed PoC by TheFloW (2023-10-25)]
* [https://twitter.com/theflow0/status/1717088032031982066 PoC by TheFloW (2023-10-25)]
* [https://github.com/TheOfficialFloW/bd-jb/blob/d21fd76c0768d05ad01c4722eb21480fa8a8b619/src/com/bdjb/Loader.java#L62 Implementation by TheFloW (2024-11-28)]


==== Patched ====
==== Patched ====
'''No''' as of PS4 FW 10.71 (maybe patched on PS4 FW 11.00). '''Yes''' on PS5 FW 8.00. Probably not patched on PS3.
'''No''' as of PS4 FW 10.71 (maybe patched on PS4 FW 11.00). '''Yes''' on PS5 FW 8.00.


=== FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW ===
=== FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW ===
Line 153: Line 150:


==== Bug Description ====
==== Bug Description ====
This exploit chain alone does not allow one to run pirated games on PS4 or PS5 as there is not enough RAM allowed in the BD-J process and there are other constraints.
TO ADD DESCRIPTION OF EACH ONE OF THE 5 BUGS:


TODO!: ADD DESCRIPTION OF EACH ONE OF THE 5 BUGS:
* #1 com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl userprefs hijack leading to classes instantiation under privileged context (affecting ?PS3?, PS4, PS5)
* #2 com.oracle.security.Service leading to privileged constructor call (affecting ?PS3?, PS4, not PS5)
* #3 com.sony.gemstack.org.dvb.io.ixc.IxcProxy leading to privileged method call (affecting ?PS3?, PS4, PS5)
* #4 JIT compiler hack leading to usermode arbitrary RW and arbitrary usermode code execution (affecting ?PS3?, PS4, not PS5)
* #5 UDF buffer overflow kernel exploit (affecting ?PS3?, PS4, PS5)


===== #1 - userprefs hijack (?PS3?, PS4, PS5) =====
This exploit chain alone does not allow one to run pirated games on PS4 or PS5 as there is not enough RAM allowed in the BD-J process and there are other constraints.
 
com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl userprefs hijack leads to classes instantiation under privileged context.
 
===== #2 - com.oracle.security.Service (?PS3?, PS4, not PS5) =====
 
com.oracle.security.Service leads to privileged constructor call.
 
===== #3 - com.sony.gemstack.org.dvb.io.ixc.IxcProxy leading to privileged method call (?PS3?, PS4, PS5) =====
 
com.sony.gemstack.org.dvb.io.ixc.IxcProxy leads to privileged method call.
 
===== #4 - JIT compiler hack (?PS3?, PS4, not PS5) =====
 
JIT compiler hack leads to usermode arbitrary RW and usermode arbitrary code execution.
 
===== #5 - UDF buffer overflow (?PS3?, PS4, PS5) =====
 
The UDF driver in kernel contains a buffer overflow. Note that no implementation of the UDF kernel exploit has ever been done even by TheFloW, only a kernel panic PoC.


==== Exploit Implementation ====
==== Exploit Implementation ====
Line 236: Line 219:
----
----


=== FW ?6.00-11.52? - Integer underflow in JSC genericTypedArrayViewProtoFuncCopyWithin (CVE-2023-38600) ===
=== FW ?10.00-11.52? - Immediate overflow/underflow in JSC SBFX (CVE-2024-27833) leading to arbitrary code execution ===


==== Credits ====
==== Credits ====
* anonymous researcher for discovering the vulnerability and reporting it to Zero Day Initiative (2023-05)
* Manfred Paul (@_manfp), working with Trend Micro Zero Day Initiative, for discovering the vulnerability on Apple Safari at pwn2own 2024 (2024-03-21) [https://twitter.com/thezdi/status/1770611705510293546 Zero Day Initiative's tweet]
* Yusuke Suzuki and Mark Lam for fixing the bug in WebKit (2023-07-31)
* Justin Michaud for fix commit, Yusuke Suzuki for fix commit review (2024-05-15)
* Hossein Lotfi for publishing a writeup (2023-10-18)
* Apple disclose that Safari update integrates the fix (2024-06-10)
* xvonfers and Bearseater (@JamesMa52390215) for discovering it affects PS4 and PS5 (2024-06-11) [https://twitter.com/xvonfers/status/1800426437486485635 xvonfer's tweet]


==== Analysis ====
==== Analysis ====
* [https://www.zerodayinitiative.com/blog/2023/10/17/cve-2023-38600-story-of-an-innocent-apple-safari-copywithin-gone-way-outside Writeup by Hossein Lotfi (2023-10-18)]
* [https://github.com/WebKit/WebKit/commit/1ea4ef8127276fd00ca43ffcb22bed162072abde WebKit fix commit by Justin Michaud (2024-05-15)]
* [https://github.com/WebKit/WebKit/commit/6e7e654417b61630d67f02b65798439cf3d6b0b5 WebKit fix commit by Yusuke Suzuki (2023-07-31)]
* [https://bugs.webkit.org/show_bug.cgi?id=271491 WebKit Bugzilla #271491 with restricted access]


==== Bug Description ====
==== Bug Description ====
It is required to recompute length properly when resize happens during TypedArray copyWithin.
There is an integer underflow in WebKit renderer. It was addressed with improved input validation.


copyWithin's side effectful operation can resize resizable ArrayBuffer. WebKit has a code catching this and recompute the appropriate copy count again, but it can overflow if `to` or `from` are larger than the newly updated `length`. The patch handles this case correctly: returning since there is no copying content in this case.
The JavaScriptCore Isel SBFX patterns in JavaScriptCore/b3/B3LowerToAir.cpp allowed immediate overflow as 'lsb' and 'width' are not properly checked.


The issue was patched by aborting the copy if either of the two variables to or from is larger than the updated length.
SBFX stands for Signed Bitfield Extract. See [https://www.scs.stanford.edu/~zyedidia/arm64/sbfx_sbfm.html] and [https://developer.arm.com/documentation/101273/0001/The-Cortex-M55-Instruction-Set--Reference-Material/Bit-field-instructions/SBFX-and-UBFX]. SBFX is an alias for SBFM (Signed Bitfield Move). See [https://www.scs.stanford.edu/~zyedidia/arm64/sbfm.html]. SBFM is a bitfield extraction opcode.


The values used during the exploit were sane as they went through a sanitizer function. However, in the final stage, the values were updated without checking if there are inside the buffer length bounds.
Isel is a short name for Instruction SELect. This pass transforms generic machine instructions into equivalent target-specific instructions. It traverses the MachineFunction bottom-up, selecting uses before definitions, enabling trivial dead code elimination.
 
According to PS4 WebKit source code for System Software version 11.00, not only it is not patched but it uses code from 2021! Looking at [https://github.com/WebKit/WebKit/blob/cccb58deac3c56a831678458ce95ea5b7c837614/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h#L177 a version close to one in the PS4 source code for System Software version 11.00], it should be exploitable.


==== Exploit Implementation ====
==== Exploit Implementation ====
* [https://gist.github.com/zdi-team/ad320bdc6ad095cc210c7031e0f0ecda/raw/746ce622fe73344ccb9cd51bc03ad97950f4ea3b/CVE-2023-38600-0.js Minimal PoC by Hossein Lotfi (2023-10-18)]
* [https://github.com/WebKit/WebKit/blob/main/JSTests/stress/sbfx-offset-overflow.js Vulnerability test by Justin Michaud]
* [https://github.com/WebKit/WebKit/blob/main/JSTests/stress/resizable-array-buffer-copy-within-length-update.js Vulnerability test code by Yusuke Suzuki (2023-07-31)]


==== Patched ====
==== Patched ====
'''Maybe''' in FW 11.50.
'''Yes''' on PS4 FW 12.00 and PS5 FW ?10.00?.


==== Tested ====
==== Tested ====
Not tested yet on PS4 nor PS5. To test on PS4 11.00.
Tested working on PS4 FWs 11.50 and PS5 FWs ?6.00-9.60?. Not working on PS4 <= 9.00 and PS5 >= 10.01.
----
----


=== FW ?6.00-11.00? - CloneDeserializer::deserialize() UaF (CVE-2023-28205) leading to arbitrary RW ===
=== FW ?10.00?-11.52 - Unknown heap and string overflow (no CVE) leading to crash ===


==== Credits ====
==== Credits ====
* Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab for discovering the vulnerability and reporting it to Apple (2023-04-10)
* Debty for PoC public disclose (2024-08-29)
* Justin Michaud, Mark Lam and JonWBedard for fixing the bug in WebKit (2023-04-17)
* abc (anonymous) for making an OOM PoC for PS4 and PS5 (2024-12-01)


==== Analysis ====
==== Analysis ====
* [https://github.com/WebKit/WebKit/commit/c9880de4a28b9a64a5e1d0513dc245d61a2e6ddb WebKit fix commit (2023-04-17)]
* [https://github.com/Debvt/Wm/tree/Root0 PoC and analysis by Debty (2024-08-29)]


==== Bug Description ====
==== Bug Description ====
Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects in a few Vectors, in a MarkedArgumentBufferBase. This is problematic because the GC is not aware of Vectors, and cannot scan them. Instead, CloneDeserializer::deserialize() should store cell pointers in a MarkedVector.
* TODO


The PoC code triggers a use-after-free (UaF) vulnerability by delaying the addition of Map and Date objects, which allows the garbage collector (GC) to free them. This can potentially lead to accessing freed objects to corrupt memory. Then it cannot avoid executing a release assert that causes an Out-Of-Memory crash.
Implementation description by Debty:<br />
 
String exploit is not actually an exploit but just a memory exhauster. It is not actually viable so instead there is a feature called "latest iteration".
The WebKit patch refactors the MarkedArgumentBuffer class into a MarkedVector template class.


==== Exploit Implementation ====
==== Exploit Implementation ====
* [https://github.com/ntfargo/uaf-2023-28205/blob/main/poc.js PoC by abc (2024-12-01)]
* [https://github.com/Debvt/Wm/tree/Root0 PoC by Debty (2024-08-29)]


==== Patched ====
==== Patched ====
'''Yes''' on PS4 FW ?11.00? and PS5 FW ?8.00?.
'''Yes''' on PS4 FW 12.00 and PS5 FW 10.00.


==== Tested ====
==== Tested ====
Tested working on PS4 FWs ? and PS5 FWs 6.00-7.61.
Tested working on PS4 FWs 10.00-11.52 and PS5 FWs 6.00-9.60.
----
----


=== FW 6.00-9.60 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW ===
=== FW ?6.00-11.52? - Integer underflow in JSC genericTypedArrayViewProtoFuncCopyWithin (CVE-2023-38600) ===


==== Credits ====
==== Credits ====
* Sergei Glazunov, Google Project Zero, for reporting the bug in 2013-01 and answering Maddie Stone's questions in 2022 (2013)
* anonymous researcher for discovering the vulnerability and reporting it to Zero Day Initiative (2023-05)
* Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2022-06-14)
* Yusuke Suzuki and Mark Lam for fixing the bug in WebKit (2023-07-31)
* abc (anonymous) for making an OOM PoC for webkit-gtk, PS4 and PS5 (2023-10-03) then making an arbitrary RW PoC (PSFree) for webkit-gtk, PS4 6.00-9.60 and PS5 1.00-5.50 (2023-10-24)
* Hossein Lotfi for publishing a writeup (2023-10-18)
* CelesteBlue for testing and porting abc' PSFree to PS4 6.00-9.60 and PS5 1.00-5.50 (2023-11-04)


==== Analysis ====
==== Analysis ====
* [https://github.com/WebKit/WebKit/commit/aa31b6b4d09b09acdf1cec11f2f7f35bd362dd0e WebKit bug-reintroducing commit by Darin Adler reviewed by Alex Christensen (2016-12-31)]
* [https://www.zerodayinitiative.com/blog/2023/10/17/cve-2023-38600-story-of-an-innocent-apple-safari-copywithin-gone-way-outside Writeup by Hossein Lotfi (2023-10-18)]
* [https://bugs.webkit.org/show_bug.cgi?id=235551 WebKit fix talk by Yusuke Suzuki reviewed by Mark Lam (2022-01-24)]
* [https://github.com/WebKit/WebKit/commit/6e7e654417b61630d67f02b65798439cf3d6b0b5 WebKit fix commit by Yusuke Suzuki (2023-07-31)]
* [https://github.com/WebKit/WebKit/commit/486816dc355c19f1de1b8056f85d0bbf7084dd6e WebKit fix commit by Yusuke Suzuki reviewed by Mark Lam (2022-01-25)]
 
* [https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-22620.html Short writeup by Maddie Stone (2022-06-14)]
==== Bug Description ====
* [https://googleprojectzero.blogspot.com/2022/06/an-autopsy-on-zombie-in-wild-0-day.html Detailed writeup by Maddie Stone (2022-06-14)]
It is required to recompute length properly when resize happens during TypedArray copyWithin.
 
copyWithin's side effectful operation can resize resizable ArrayBuffer. WebKit has a code catching this and recompute the appropriate copy count again, but it can overflow if `to` or `from` are larger than the newly updated `length`. The patch handles this case correctly: returning since there is no copying content in this case.
 
The issue was patched by aborting the copy if either of the two variables to or from is larger than the updated length.
 
The values used during the exploit were sane as they went through a sanitizer function. However, in the final stage, the values were updated without checking if there are inside the buffer length bounds.
 
According to PS4 WebKit source code for System Software version 11.00, not only it is not patched but it uses code from 2021! Looking at [https://github.com/WebKit/WebKit/blob/cccb58deac3c56a831678458ce95ea5b7c837614/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h#L177 a version close to one in the PS4 source code for System Software version 11.00], it should be exploitable.
 
==== Exploit Implementation ====
* [https://gist.github.com/zdi-team/ad320bdc6ad095cc210c7031e0f0ecda/raw/746ce622fe73344ccb9cd51bc03ad97950f4ea3b/CVE-2023-38600-0.js Minimal PoC by Hossein Lotfi (2023-10-18)]
* [https://github.com/WebKit/WebKit/blob/main/JSTests/stress/resizable-array-buffer-copy-within-length-update.js Vulnerability test code by Yusuke Suzuki (2023-07-31)]
 
==== Patched ====
'''Maybe''' in FW 11.50.
 
==== Tested ====
Not tested yet on PS4 nor PS5. To test on PS4 11.00.
----
 
=== FW ?10.00-11.02? - JSC::DFG::clobberize() needs to be more precise with the *ByOffset nodes (CVE-2023-41993) leading to arbitrary RW ===
 
==== Credits ====
* Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group for discoverting the vulnerability and reporting it (2023-09-21)
* Keith Miller for the WebKit fix commit (2023-10-09)
* po6ix for his writeup (2023-10-15)
 
==== Analysis ====
* [https://github.com/WebKit/WebKit/commit/08d5d17c766ffc7ca6a7c833c5720eb71b427784 WebKit fix commit by Keith Miller (2023-10-09)]
* [https://github.com/po6ix/POC-for-CVE-2023-41993 Writeup by po6ix (2023-10-15)]
 
==== Bug Description ====
clobberize needs to be more precise with the *ByOffset nodes. CSE phase uses clobberize to figure out if it's safe to merge two operations that def the same HeapLocation. Since HeapLocation does not currently have a way to track the offset used by the various *ByOffset nodes it can get confused and think that two ByOffset instructions produce the same value even if they do not use the same offset. This patch solves this by adding a new field to HeapLocation, which takes the metadata associated with the corresponding *ByOffset node. If two *ByOffset operations don't share the same metadata then they cannot be CSEed.
 
This vulnerability is ranked 7.5 (HIGH) on CVSS:3.1.
 
This vulnerability should provide r/w primitive to the webcontent process, but currently the PoC is written only up to addrof/fakeobj.
 
==== Exploit Implementation ====
* [https://github.com/po6ix/POC-for-CVE-2023-41993 PoC written only up to addrof/fakeobj by po6ix (2023-10-15)]
 
==== Patched ====
'''Maybe''' on PS4 FW 12.00 and PS5 ?10.00?
 
==== Tested ====
Not tested yet. According to open source code, PS4 FW 11.00 should be vulnerable.
----
 
=== FW 10.00-11.02 - JSC DFG Abstract Intepreter clobberWorld Type Confusion (no CVE) leading to crash ===
 
==== Credits ====
* Alexey Shvayka for vulnerability discovery and fixes in WebKit (2023-05-01)
* ENKI for public disclose and writeup (2024-06-03)
* abc (anonymous) for tests and analysis (2024-10-01)
 
==== Analysis ====
* [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc Analysis by ENKI (2024-06-03)]
* [https://github.com/WebKit/WebKit/commit/1b0741f400ee2d31931ae30f2ddebe66e8fb0945 Patch commit #1 for vulnerability detection (2023-07-31)]
* [https://github.com/WebKit/WebKit/commit/39476b8c83f0ac6c9a06582e4d8e5aef0bb0a88f Patch commit #2 (2023-05-01)]
* [https://www.zerodayinitiative.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons Inverting Your Assumptions: A Guide to JIT Comparisons by Jasiel Spelman (2018-04-12)]
 
==== Bug Description ====
Note that the PS4 web browser JIT support has been removed since around PS4 System Software version 5.00 or lower so using the article directly is not applicable.
 
The clobber bug PoC turns out not to be a memory corruption. Just like the article said, you can access a `GetterSetter` directly. The crash came from triggering `GetterSetter`'s methods that will call `RELEASE_ASSERT()`.
 
We actually have [[#FW_?6.00-11.52?_-_get_by_id_with_this_associated_with_ProxyObject_can_leak_JSScope_objects|a bug that can leak `GetterSetter`s]].
 
In summary with tinkering with this bug, abc (anonymous) do not think that an attacker can do anything useful with accessing a `GetterSetter`. The clobberWorld bug however does allow setting properties in places where you usually cannot like `Function's prototype` as shown in the article. But without JIT, one probably cannot cause any memory corruption. The impact for both bugs (clobberWorld and ProxyObject) is probably just JavaScript execution, which we already have, which is a no go in some context (JS injection) but it does not help in gaining usermode ROP execution on PS4 or PS5.
 
==== Exploit Implementation ====
* [https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc PoC by ENKI (2024-06-03)]
 
==== Patched ====
'''Yes''' on PS4 FW 11.50 and PS5 FW 9.00.
 
==== Tested ====
Tested working on PS4 FWs 10.00-11.02 and PS5 FWs 6.00-8.60. PS4 FWs <= ?9.60? and PS5 FWs <= ?5.50? are invulnerable.
----
 
=== FW ?6.00-11.00? - CloneDeserializer::deserialize() UaF (CVE-2023-28205) leading to arbitrary RW ===
 
==== Credits ====
* Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab for discovering the vulnerability and reporting it to Apple (2023-04-10)
* Justin Michaud, Mark Lam and JonWBedard for fixing the bug in WebKit (2023-04-17)
* abc (anonymous) for making an OOM PoC for PS4 and PS5 (2024-12-01)
 
==== Analysis ====
* [https://github.com/WebKit/WebKit/commit/c9880de4a28b9a64a5e1d0513dc245d61a2e6ddb WebKit fix commit (2023-04-17)]
 
==== Bug Description ====
Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects in a few Vectors, in a MarkedArgumentBufferBase. This is problematic because the GC is not aware of Vectors, and cannot scan them. Instead, CloneDeserializer::deserialize() should store cell pointers in a MarkedVector.
 
The PoC code triggers a use-after-free (UaF) vulnerability by delaying the addition of Map and Date objects, which allows the garbage collector (GC) to free them. This can potentially lead to accessing freed objects to corrupt memory. Then it cannot avoid executing a release assert that causes an Out-Of-Memory crash.
 
The WebKit patch refactors the MarkedArgumentBuffer class into a MarkedVector template class.
 
==== Exploit Implementation ====
* [https://github.com/ntfargo/uaf-2023-28205/blob/main/poc.js PoC by abc (2024-12-01)]
 
==== Patched ====
'''Yes''' on PS4 FW ?11.00? and PS5 FW ?8.00?.
 
==== Tested ====
Tested working on PS4 FWs ? and PS5 FWs 6.00-7.61.
----
 
=== FW 6.00-9.60 - FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) leading to arbitrary RW ===
 
==== Credits ====
* Sergei Glazunov, Google Project Zero, for reporting the bug in 2013-01 and answering Maddie Stone's questions in 2022 (2013)
* Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2022-06-14)
* abc (anonymous) for making an OOM PoC for webkit-gtk, PS4 and PS5 (2023-10-03) then making an arbitrary RW PoC (PSFree) for webkit-gtk, PS4 6.00-9.60 and PS5 1.00-5.50 (2023-10-24)
* CelesteBlue for testing and porting abc' PSFree to PS4 6.00-9.60 and PS5 1.00-5.50 (2023-11-04)
 
==== Analysis ====
* [https://github.com/WebKit/WebKit/commit/aa31b6b4d09b09acdf1cec11f2f7f35bd362dd0e WebKit bug-reintroducing commit by Darin Adler reviewed by Alex Christensen (2016-12-31)]
* [https://bugs.webkit.org/show_bug.cgi?id=235551 WebKit fix talk by Yusuke Suzuki reviewed by Mark Lam (2022-01-24)]
* [https://github.com/WebKit/WebKit/commit/486816dc355c19f1de1b8056f85d0bbf7084dd6e WebKit fix commit by Yusuke Suzuki reviewed by Mark Lam (2022-01-25)]
* [https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-22620.html Short writeup by Maddie Stone (2022-06-14)]
* [https://googleprojectzero.blogspot.com/2022/06/an-autopsy-on-zombie-in-wild-0-day.html Detailed writeup by Maddie Stone (2022-06-14)]
 
==== Bug Description ====
The History API allows access to (and modification of) a stack of the pages visited in the current frame, and these page states are stored as a <code>SerializedScriptValue</code>. The History API exposes a getter for state, and a method <code>replaceState()</code> which allows overwriting the "most recent" history entry.
 
The bug is that <code>FrameLoader::loadInSameDocument()</code> takes the state as an argument (<code>stateObject</code>), but does not increase its reference count. Only a <code>HistoryItem</code> object holds a reference to the <code>stateObject</code>. <code>loadInSameDocument()</code> can trigger a callback into user JavaScript through the <code>onblur</code> event. The user's callback can call <code>replaceState()</code> to replace the <code>HistoryItem</code>'s state with a new object, therefore dropping the only reference to the <code>stateObject</code>. When the callback returns, <code>loadInSameDocument()</code> will still use this free'd object in its call to <code>statePopped()</code>, leading to the use-after-free.
 
When <code>loadInSameDocument()</code> is called it changes the focus to the element its scrolling to. If we set the focus on a different element prior to <code>loadInSameDocument()</code>'s execution, the blur event will be fired on that element. Then we can free the <code>stateObject</code> by calling <code>replaceState()</code> in the <code>onblur</code> event handler.
 
The bug is triggered by <code>history.back()</code> with the target state whose URL contains a hash. Here's a Proof-of-Concept that will crash:
<source lang="js">
input = document.body.appendChild(document.createElement('input'));
 
foo = document.body.appendChild(document.createElement('a'));
foo.id = 'foo';
 
function pop(event) {
    alert('you get a crash after you close this alert');
    event.state; // use the freed SerializedScriptValue
    alert('WebKit version not vulnerable');
}
 
addEventListener('popstate', pop);
 
history.pushState('state1', '', location + '#foo'); // URL with a hash
history.pushState('state2', '');
 
setTimeout(() => {
    input.focus();
    input.onblur = () => {
        history.replaceState('state3', '')
    };
    setTimeout(() => {
        history.back(); // trigger loadInSameDocument()
    }, 1000);
}, 1000);
 
</source>
The user may then trigger a double free and escalate it into an arbitrary read primitive via spraying <code>WTF::StringImpl</code>s like in the <code>buildBubbleTree()</code> UaF exploit. The read primitive is used to create the <code>addrof()</code> primitive and is used to save addresses of buffers that will be used to modify a <code>SerializedScriptValue</code>. After freeing the StringImpl (triple free), <code>SerializedScriptValue</code>s are sprayed via the <code>postMessage()</code> JavaScript function until one is allocated using the previously freed memory.


==== Bug Description ====
The method used to modify the fields of the <code>StringImpl</code> for arbitrary reads can be used can also be used to modify the <code>SerializedScriptValue</code>. Appropriate fields can modified to have deserialization create a <code>JSC::JSArrayBufferView</code> whose <code>m_vector</code> field will point to another <code>JSArrayBufferView</code>, which  will be called the worker. The user can modify the worker's fields for arbitrary read/write. Deserialization is done via <code>msg.data</code> where <code>msg</code> is the <code>MessageEvent</code> from <code>postMessage()</code>.
The History API allows access to (and modification of) a stack of the pages visited in the current frame, and these page states are stored as a <code>SerializedScriptValue</code>. The History API exposes a getter for state, and a method <code>replaceState()</code> which allows overwriting the "most recent" history entry.


The bug is that <code>FrameLoader::loadInSameDocument()</code> takes the state as an argument (<code>stateObject</code>), but does not increase its reference count. Only a <code>HistoryItem</code> object holds a reference to the <code>stateObject</code>. <code>loadInSameDocument()</code> can trigger a callback into user JavaScript through the <code>onblur</code> event. The user's callback can call <code>replaceState()</code> to replace the <code>HistoryItem</code>'s state with a new object, therefore dropping the only reference to the <code>stateObject</code>. When the callback returns, <code>loadInSameDocument()</code> will still use this free'd object in its call to <code>statePopped()</code>, leading to the use-after-free.
A way to know if the system is vulnerable is the appearance of the input HTML element in the PoC page. If the HTML input field stays focused (blue outline) after the second timeout, then the vulnerability is not present. Note that Maddie Stone's PoC will never trigger any sort of crash on release builds as it was meant for builds with memory sanitation that can detect UaFs.


When <code>loadInSameDocument()</code> is called it changes the focus to the element its scrolling to. If we set the focus on a different element prior to <code>loadInSameDocument()</code>'s execution, the blur event will be fired on that element. Then we can free the <code>stateObject</code> by calling <code>replaceState()</code> in the <code>onblur</code> event handler.
==== Exploit Implementation ====
* Simple PoC for ASAN webkit-gtk by Maddie Stone in Maddie Stone's writeups
* [https://github.com/springsec/CVE-2022-22620/blob/main/CVE-2022-22620_infoleak_exploit.html Information leak PoC for webkit-gtk by springsec]
* [https://discord.com OOM PoC for PS4 and PS5 by abc on ps4-dev discord (to mirror)]
* [https://discord.com Arbitrary RW PoC (PSFree) for PS4 6.00-9.60 and PS5 1.00-5.50 by abc on ps4-dev discord (to mirror)]


The bug is triggered by <code>history.back()</code> with the target state whose URL contains a hash. Here's a Proof-of-Concept that will crash:
==== Patched ====
<source lang="js">
'''Yes''' on PS4 FW 10.00 and PS5 FW 6.00.
input = document.body.appendChild(document.createElement('input'));


foo = document.body.appendChild(document.createElement('a'));
The patch changes the stateObject argument to loadInSameDocument from a raw pointer, SerializedScriptValue*, to a reference-counted pointer, RefPtr<SerializedScriptValue>, so that loadInSameDocument now increments the reference count on the object.
foo.id = 'foo';


function pop(event) {
==== Tested ====
    alert('you get a crash after you close this alert');
Tested working on PS4 FWs 6.00-9.60 and PS5 FWs 1.00-5.50. PS4 FWs <= 5.56 are invulnerable as the HTML input field stays focused (blue outline) after second timeout whilst it should not if the console were exploitable.
    event.state; // use the freed SerializedScriptValue
----
    alert('WebKit version not vulnerable');
}


addEventListener('popstate', pop);
=== FW 9.00-9.04 - WebCore::CSSFontFaceSet vulnerabilities leading to arbitrary RW ===


history.pushState('state1', '', location + '#foo'); // URL with a hash
There are many FontFaceSet vulnerabilities. Explore [https://trac.webkit.org/search?q=mmaxfield%40apple.com+FontFaceSet&noquickjump=1&changeset=on].
history.pushState('state2', '');


setTimeout(() => {
==== Credits ====
    input.focus();
* Myles C. Maxfield (litherum), Apple, for adding the vulnerability in WebKit (2016-02-22) then fixing and so disclosing the vulnerability (2021-08-26)
    input.onblur = () => {
* Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2021-10-13)
        history.replaceState('state3', '')
* PS Test discord server community for testing PoCs of many WebKit vulnerabilities on their PS4s (2021-10-13)
    };
* sleirsgoevy for making the first exploit PoC for Safari (2021-10-24) and the first exploit PoC for PS4 FW 9.00-9.04 and PS5 FW 3.00-4.50 (2021-10-27)
    setTimeout(() => {
        history.back(); // trigger loadInSameDocument()
    }, 1000);
}, 1000);


</source>
==== Analysis ====
The user may then trigger a double free and escalate it into an arbitrary read primitive via spraying <code>WTF::StringImpl</code>s like in the <code>buildBubbleTree()</code> UaF exploit. The read primitive is used to create the <code>addrof()</code> primitive and is used to save addresses of buffers that will be used to modify a <code>SerializedScriptValue</code>. After freeing the StringImpl (triple free), <code>SerializedScriptValue</code>s are sprayed via the <code>postMessage()</code> JavaScript function until one is allocated using the previously freed memory.
* [https://github.com/WebKit/WebKit/commit/d5dbfd02054e9f904b27224a598ca1bb8ded5f87 WebKit bug-introducing commit by Myles C. Maxfield - r256659 (2016-02-22)]
 
The method used to modify the fields of the <code>StringImpl</code> for arbitrary reads can be used can also be used to modify the <code>SerializedScriptValue</code>. Appropriate fields can modified to have deserialization create a <code>JSC::JSArrayBufferView</code> whose <code>m_vector</code> field will point to another <code>JSArrayBufferView</code>, which  will be called the worker. The user can modify the worker's fields for arbitrary read/write. Deserialization is done via <code>msg.data</code> where <code>msg</code> is the <code>MessageEvent</code> from <code>postMessage()</code>.
 
A way to know if the system is vulnerable is the appearance of the input HTML element in the PoC page. If the HTML input field stays focused (blue outline) after the second timeout, then the vulnerability is not present. Note that Maddie Stone's PoC will never trigger any sort of crash on release builds as it was meant for builds with memory sanitation that can detect UaFs.
 
==== Exploit Implementation ====
* Simple PoC for ASAN webkit-gtk by Maddie Stone in Maddie Stone's writeups
* [https://github.com/springsec/CVE-2022-22620/blob/main/CVE-2022-22620_infoleak_exploit.html Information leak PoC for webkit-gtk by springsec]
* [https://discord.com OOM PoC for PS4 and PS5 by abc on ps4-dev discord (to mirror)]
* [https://discord.com Arbitrary RW PoC (PSFree) for PS4 6.00-9.60 and PS5 1.00-5.50 by abc on ps4-dev discord (to mirror)]
 
==== Patched ====
'''Yes''' on PS4 FW 10.00 and PS5 FW 6.00.
 
The patch changes the stateObject argument to loadInSameDocument from a raw pointer, SerializedScriptValue*, to a reference-counted pointer, RefPtr<SerializedScriptValue>, so that loadInSameDocument now increments the reference count on the object.
 
==== Tested ====
Tested working on PS4 FWs 6.00-9.60 and PS5 FWs 1.00-5.50. PS4 FWs <= 5.56 are invulnerable as the HTML input field stays focused (blue outline) after second timeout whilst it should not if the console were exploitable.
----
 
=== FW 9.00-9.04 - WebCore::CSSFontFaceSet vulnerabilities leading to arbitrary RW ===
 
There are many FontFaceSet vulnerabilities. Explore [https://trac.webkit.org/search?q=mmaxfield%40apple.com+FontFaceSet&noquickjump=1&changeset=on].
 
==== Credits ====
* Myles C. Maxfield (litherum), Apple, for adding the vulnerability in WebKit (2016-02-22) then fixing and so disclosing the vulnerability (2021-08-26)
* Maddie Stone, Google Project Zero, for sharing a write-up describing this vulnerability (2021-10-13)
* PS Test discord server community for testing PoCs of many WebKit vulnerabilities on their PS4s (2021-10-13)
* sleirsgoevy for making the first exploit PoC for Safari (2021-10-24) and the first exploit PoC for PS4 FW 9.00-9.04 and PS5 FW 3.00-4.50 (2021-10-27)
 
==== Analysis ====
* [https://github.com/WebKit/WebKit/commit/d5dbfd02054e9f904b27224a598ca1bb8ded5f87 WebKit bug-introducing commit by Myles C. Maxfield - r256659 (2016-02-22)]
* [https://trac.webkit.org/changeset/281648/webkit WebKit fix commit by Myles C. Maxfield - r281648 (2021-08-26)]
* [https://trac.webkit.org/changeset/281648/webkit WebKit fix commit by Myles C. Maxfield - r281648 (2021-08-26)]
* [https://github.com/WebKit/WebKit/commit/b22be72a013442ca9d1ff4bf3aa8aa436f78f142 WebKit commit adding FontFace tests (2021-09-01)]
* [https://github.com/WebKit/WebKit/commit/b22be72a013442ca9d1ff4bf3aa8aa436f78f142 WebKit commit adding FontFace tests (2021-09-01)]
Line 898: Line 996:
CVE-2018-4192
CVE-2018-4192
https://blog.ret2.io/2018/06/13/pwn2own-2018-vulnerability-discovery/
https://blog.ret2.io/2018/06/13/pwn2own-2018-vulnerability-discovery/
https://blog.ret2.io/2018/06/19/pwn2own-2018-root-cause-analysis/#arrayreverse-considered-harmful
https://blog.ret2.io/2018/06/19/pwn2own-2018-root-cause-analysis/#arrayreverse-considered-harmful
https://blog.ret2.io/2018/07/11/pwn2own-2018-jsc-exploit/
https://blog.ret2.io/2018/07/11/pwn2own-2018-jsc-exploit/
 
CVE-2018-4443
WebKit JSC - 'AbstractValue::set' Use-After-Free
lokihardt of Google Project Zero
2019-01-22
https://www.exploit-db.com/exploits/46071
 
Improper Restriction of Operations within the Bounds of a Memory Buffer
 
Unknown CVE
Luca Todesco (qwertyruiopz)
before 2019-08-15
https://gist.github.com/jakeajames/5ceb90ebaa34eabb3e170b5c7eb2c7d1/revisions


CVE-2018-4443
CVE-2023-41074
WebKit JSC - 'AbstractValue::set' Use-After-Free
Affecting WebKitGTK.
lokihardt of Google Project Zero
2019-01-22
https://www.exploit-db.com/exploits/46071


Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2023-42917
 
Affecting WebKitGTK.
Unknown CVE
Luca Todesco (qwertyruiopz)
before 2019-08-15
https://gist.github.com/jakeajames/5ceb90ebaa34eabb3e170b5c7eb2c7d1/revisions
</pre>
</pre>


Line 957: Line 1,061:
* See the PS4 [[Syscalls]] list.
* See the PS4 [[Syscalls]] list.


=== Direct Syscall invocation disabled in PS4 Kernel ===
=== Syscall 0 disabled i.e Error Kernel: The application directly issues a syscall instruction (24) ===
 
Between 2.00 and 2.57, SCE has disabled direct system calls by usermode, by adding some checks in the PS4 kernel. An attacker can no longer call any syscall he wants by specifying the call number in the rax register and jump directly to the call instructions part of a syscall stub. Indeed, now the PS4 (but not PS5) implementation of <code>amd64_syscall</code> checks the following:
* The address in the Instruction Pointer (IP) of the call must be within the memory range of the associated libkernel module of the process,
* The code pointed by the Instruction Pointer (IP) must follow the syscall stub format,
* The syscall number passed in argument to <code>amd64_syscall</code> must corresponds to the stub's syscall number. <code>amd64_syscall</code> checks the stub's <code>mov rax, syscall_number</code> instruction.
 
Since PS4 version 3.00, issuing directly a syscall instruction crashes the application and gives error CE-34878-0, (<code>SCE_KERNEL_ABORT_REASON_SYSTEM_ILLEGAL_FUNCTION_CALL</code>), displaying the message "Kernel: The application directly issues a syscall instruction (24)".
 
An attacker is now forced to use wrappers provided from the libkernel / libkernel_web / libkernel_sys modules to trigger system calls.


The PS5 does not enforce the passed syscall number and thus any code can directly issue an arbitrary syscall even if the associated libkernel does not provide it.
* Between 2.00 and 2.57, SCE has removed system call 0, so we can no longer call any syscall we want by specifying the call number in the rax register.
* Doing so now crashes the app and gives error CE-34878-0, SCE_KERNEL_ABORT_REASON_SYSTEM_ILLEGAL_FUNCTION_CALL, with the message "Kernel: The application directly issues a syscall instruction (24)".
* We now have to use wrappers provided to us from the libkernel / libkernel_web / libkernel_sys modules to access system calls.


=== bpf_write function stripped out of the kernel ===
=== bpf_write function stripped out of the kernel ===
Line 1,537: Line 1,634:
* Discovered by yifan lu (2017-02-19), plutoo and Proxima (2018-08-09), Davee (2018-12-29) for PS Vita, by flatz (2021-12-18) for PlayStation 4.
* Discovered by yifan lu (2017-02-19), plutoo and Proxima (2018-08-09), Davee (2018-12-29) for PS Vita, by flatz (2021-12-18) for PlayStation 4.


==== Bug description ====
=== Bug description ===
 
The PS4 Crypto Coprocessor (CCP) interface in Secure Kernel has a bug that allows to dump (or better saying, bruteforce) key rings from SAMU. A crypto flaw was in the ability to issue HMAC operation with key length stricly lower than 16. For example, by setting it to 1 you can bruteforce key bytes one by one by comparing HMAC result with HMAC result with known partial key.
 
This trick may work on other crypto hardware as well if it does not restrict key lengths. Amazingly, Intel Secure Key Storage (SKS) of CSME subsystem also has a bug allowing to brute-force any key slot, but the issue exists at hardware level - insecure design of the keys distribution to crypto engines (AES, SHA, RC4). Intel did not recognize the bug arguing that to access SKS the CSME privileged arbitrary code execution is required, but SKS is exactly designed to protect the ROM generated keys from CSME firmware...
 
This exploit can be used to dump the PFS AES XTS and HMAC keys of a specific PS4 game PKG. Then one can use maxton's LibOrbisPkg or flatz's pkg_pfs_tool to unpack this PKG file.
 
It also lets one retrieve portability master keys. They decrypt blobs (stored in non-secure world, like in [[SceShellcore]]) that contain the portability keys.
 
Below is a sample code to dump some "raw" keys (as named by flatz).
<source lang="C">
unsigned int key_count = 0x160;
unsigned int max_key_size = 0x40;
unsigned int *key_ids = (unsigned int *) malloc (key_count * 4);
unsigned int key_id = 0;
while (key_id < 0x160) {
    key_ids[key_id] = key_id;
    key_id++;
}
uint8_t* key_data = NULL;
size_t key_data_size = 0;
dump_raw_keys(key_ids, key_count, max_key_size, &key_data, &key_data_size);
hexdump(&key_data, &key_data_size);
</source>
 
A sample code to dump portability keys is available on [https://github.com/SiSTR0/ps4-hen-vtx/compare/master...jocover:ps4-hen-vtx:samu_key_dump#diff-e44475b3203baef04439ee15f01629a5752685028fc9118e3d2087dab7379698R908 line 908 of kpayload/source/samu_dump.c]. Note that not all keys are used as some may be deprecated or added with System Software revisions.


Dumped savedata keys would be per-save, as the dumped key ring should only contain the derivated key (XTS) but not the one used to generate it.
The PS4 Crypto Coprocessor (CCP) interface in Secure Kernel has a bug that allows to dump (or better saying, bruteforce) key rings from SAMU.
That is how AES/HMAC keys from PFS, portability keys, VTRM keys, etc can be retrieved. A crypto flaw was in the ability to issue HMAC operation with key length stricly lower than 16. For example, by setting it to 1 you can bruteforce key bytes one by one by comparing HMAC result with HMAC result with known partial key.


Finally, one can retrieve its per-console VTRM keys (which are notably used for per-account securities like for act.dat and [[RIF]]).
This trick may work on other crypto hardware as well if it does not restrict key lengths. Amazingly, Intel Secure Key Storage (SKS) of CSME subsystem also has a bug allowing to brute-force any key slot, but the issue exists at hardware level - insecure design of  the keys distribution to crypto engines (AES, SHA, RC4). Intel did not recognize the bug arguing that to access SKS the CSME privileged arbitrary code execution is required, but SKS is exactly designed to protect the ROM generated keys from CSME firmware...


However, master keyrings are the 0, 1, and 2 ones and cannot be dump them with this trick because they get locked during the [[bootprocess]] and cannot be read nor written nor copied to other keyrings. See also [https://wiki.henkaku.xyz/vita/Cmep_Key_Ring_Base PS Vita keyrings].
This can be used to dump the AES XTS key and HMAC key of a specific PS4 game PKG. Then one can use maxton's LibOrbisPkg or flatz's pkg_pfs_tool to unpack this PKG file.


==== Analysis ====
==== Analysis ====
Line 1,576: Line 1,648:
* https://twitter.com/qlutoo/status/1027691272369262594
* https://twitter.com/qlutoo/status/1027691272369262594
* https://www.lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/
* https://www.lolhax.org/2019/01/02/extracting-keys-f00d-crumbs-raccoon-exploit/
* [https://twitter.com/flat_z/status/1472243592815169546 Short explanation by flatz (2021-12-18)]
* https://twitter.com/flat_z/status/1472243592815169546


==== Implementation ====
==== Implementation ====


* [https://github.com/jocover/ps4-hen-vtx/releases/tag/pfs_dump Compiled payload for PS4 5.05 by jogolden (2023-03-18)]
* [https://github.com/jocover/ps4-hen-vtx/releases/tag/pfs_dump Compiled payload for PS4 5.05 by jogolden]
* [https://github.com/jocover/ps4-hen-vtx/tree/samu_key_dump Implementation for PS4 5.05 by jogolden (2023-03-18)]
* [https://github.com/jocover/ps4-hen-vtx/tree/samu_key_dump Implementation for PS4 5.05 by jogolden]
* [https://github.com/SiSTR0/ps4-hen-vtx/compare/master...jocover:ps4-hen-vtx:samu_key_dump Minimal implementation for PS4 5.05 by jogolden (2023-03-18)]
* [https://gist.github.com/flatz/22215327864d7512e52268f9c9c51cd8 Exploit PoC for PS4 7.55 by flatz]
* [https://gist.github.com/flatz/22215327864d7512e52268f9c9c51cd8 Exploit PoC for PS4 7.55 by flatz (2021-12-18)]


==== Patched ====
==== Patched ====
Please note that all contributions to PS4 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS4 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)