Use-After-Free Webkit vulnerability impacts PS4, possibly up to firmware 9.00 included

A Use-After-Free vulnerability in Webkit (CVE-2021-30858) has been identified an patched in September. Early tests and source code investigation indicate that the vulnerability is also present on the PS4 version of webkit, although it is not sure yet up to which firmware, and whether this vulnerability can be turned into a full fledged exploit or not.

CVE-2021-30858 Use-After-Free in Webkit’s removeFromFacesLookupTable

Security researcher Maddie Stone, of the Google Project Zero security team, has reported and disclosed a Use-After-Free vulnerability in Webkit back in September, as part of the team’s efforts looking into Apple’s Webkit.

The issue lies into adding an invalid FontFace object to a FonceFaceSet. The add operation will not work, but the system will then still try to remove the object (which had not been added), leading to a “Use After Free”.

Code with the bug:

void CSSFontFaceSet::removeFromFacesLookupTable(const CSSFontFace& face, const CSSValueList& familiesToSearchFor)
{
    for (auto& item : familiesToSearchFor) {
        String familyName = CSSFontFaceSet::familyNameFromPrimitive(downcast(item.get()));
        if (familyName.isEmpty())
            continue;

        auto iterator = m_facesLookupTable.find(familyName);
        ASSERT(iterator != m_facesLookupTable.end());
        bool found = false;
        for (size_t i = 0; i < iterator->value.size(); ++i) {
            if (iterator->value[i].ptr() == &face) {
                found = true;
                iterator->value.remove(i);
                break;
            }
        }
        ASSERT_UNUSED(found, found);
        if (!iterator->value.size())
            m_facesLookupTable.remove(iterator);
    }
}

Proof of concept javascript:

var fontFace1 = new FontFace("font1", "", {});
var fontFaceSet = new FontFaceSet([fontFace1]);
fontFace1.family = "font2";

Use-After Free Webkit vulnerability impacts the PS4

The issue seems pretty obvious after the fact, and proof of concept code has been easily reproduced to test on the PS4. @NazkyYT has some proof of concept code running at https://nazky.github.io/PS4CVE202130858/. You can point your PS4’s browser to the proof of concept url to see to which extent your console is impacted. (or run you own on a local server if you prefer).

Several people have confirmed that the vulnerability does in fact reproduce on PS4s up to firmware 8.52 included. Some users have reported that the vulnerability is not “working” on their PS4 running 9.00, but analysis of the Webkit version in PS4 9.00 seems to indicate the bug is still present there. In my personal tests, 9.00 reacts with a “not enough memory” error when trying the proof of concept, which to me is a good sign until proven otherwise.

 



 

It’s also worth mentioning that firmware 9.00 was released mere days after this issue was patched in Webkit, meaning it is fairly unlikely Sony had time to import the Webkit patch into firmware 9.00 in time. Everything points to the issue existing in firmware 9.00, if it weren’t for a few early test reports.

Screenshot of the Webkit source code in PS4 9.00 (as shared on Sony’ official page), still has the vulnerability.

I had fears that the proof of concept was void, considering that the FontFaceSet constructor is a Safari specific thing (source):

 

Specifically, if you try the PoC code on a browser such as Chrome, you will get an error in the form: “FontFaceSet is not defined”. Meaning the PoC fails before even reaching the vulnerability on pretty much any browser except for Safari. But I was able to independently verify that the FonceFaceSet constructor does exist on the PS4. In other words, as far as I could tell, there are significant chances that this vulnerability impacts the PS4, up to 9.00 included.

PS4 9.00 Potentially vulnerable to Webkit Use-After-Free, what’s next?

The fact that a new Webkit vulnerability surfaces on the PS4 is potentially big news for the PS4 Scene. But a bunch of things need to happen before this becomes useful to the end user.

First of all, whatever your current firmware might be, do not update if you intend to leverage this opportunity. The lower your firmware is, the higher your chances are for a future hack or exploit.

Secondly, PS4 hackers need to look into this webkit vulnerability to understand 1) if it can actually be turned into a useful exploit (this can take a significant amount of time), and 2) if 9.00 is really impacted or not. Going from a vulnerability to actual exploitable code is not something that will happen instantly.

If this Webkit exploit can be leveraged on the PS4, it could have two main uses:

  1. First, this exploit could potentially be more “stable” than the current Webkit exploit used up to firmwares 7.55, meaning it could be used to improve the stability of existing Jailbreaks, up to firmware 7.55.
  2. Second, if a kernel exploit is revealed in the future for firmwares 8.xx or 9.00, the Webkit exploit and the kernel exploit could be combined to give the scene a Jailbreak for firmwares 8.xx, or, one can dream, up to 9.00. This is a good time to remind everyone that a webkit exploit alone is not enough for a Jailbreak. It is an entry point to running unsigned code, but then needs to be combined with a privilege escalation exploit (a.k.a kernel exploit) in order to get an actual Jailbreak.

There’s of course a long way to go before any of this happens, but this could be the best piece of news the PS4 scene has had in a long time.

Hãy bình luận đầu tiên

Để lại một phản hồi

Thư điện tử của bạn sẽ không được hiện thị công khai.


*