PS4 PS4 6.20 WebKit Exploit Released by @SpecterDev (Patched for System Firmware 6.50)

Discussion in 'PS4 News' started by Roxanne, Mar 9, 2019.

By Roxanne on Mar 9, 2019 at 7:47 AM
  1. 152
    539
    172
    Roxanne

    Roxanne Moderator

    Joined:
    Mar 3, 2018
    Messages:
    152
    Likes Received:
    539
    Trophy Points:
    172
    Gender:
    Female
    Location:
    Germany
    Home Page:
    The PS4 might get some attention again. After the last few weeks, where we saw multiple Homebrew Releases - such as a updated Linux Distribution for your PS4, various Homebrew Games for your PS4, Emulators for playing older Classics on your PS4 and other useful Homebrew Applications, which makes your PS4 more useful for you - today, Developer @SpecterDev released a new WebKit Exploit for a newer System Firmware, namely for System Firmware 6.20. Although this Exploit isn't a complete Kernel Exploit together with the fact that this Remote Code Execution Exploit has been already patched by Sony on the newest System Firmware 6.50 released a few days ago, it is still a useful method to tinker more with this specific System Firmware, as Developer @SpecterDev describes it with his own words, which you can see down below. This can be especially useful for Developers, who wants to tinker with older System Firmwares as well, such as for System Firmware 5.55 for instance. Maybe we can see a newer full Kernel Exploit for a newer System Firmware released sooner or later.​


    6.20.jpg
    It can be useful to update to System Firmware 6.20 sooner or later.


    • PS4 6.20 WebKit Code Execution PoC

      This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in wkexploit.js. It will then setup a framework to run ROP chains in index.html and by default will provide two hyperlinks to run test ROP chains - one for running the sys_getpid() syscall, and the other for running the sys_getuid() syscall to get the PID and user ID of the process respectively.

      Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). The bug report can be found here.

      Note: It's been patched in the 6.50 firmware update.


      Files - Files in order by name alphabetically;
      • index.html - Contains post-exploit code, going from arb. R/W -> code execution.
      • rop.js - Contains a framework for ROP chains.
      • syscalls.js - Contains an (incomplete) list of system calls to use for post-exploit stuff.
      • wkexploit.js - Contains the heart of the WebKit exploit.

      Notes
      • This vulnerability was patched in 6.50 firmware!
      • This only gives you code execution in userland. This is not a jailbreak nor a kernel exploit, it is only the first half.
      • This exploit targets firmware 6.20. It should work on lower firmwares however the gadgets will need to be ported, and the p.launchchain() method for code execution may need to be swapped out.
      • In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit. This is part of the reason why syscalls.js contains only a small number of system calls.

      Usage

      Setup a web-server hosting these files on localhost using xampp or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either;
      1. Fake DNS spoofing to redirect the manual page to the exploit page, or
      2. Using the web browser to navigate to the exploit page (not always possible).

      Vulnerability Credit
      • I wrote the exploit however I did not find the vulnerability, as mentioned above the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.

      Resources


      Thanks
      • lokihardt - The vulnerability
      • st4rk - Help with the exploit
      • qwertyoruiop - WebKit School
      • saelo - Phrack paper

    • Twitter: @SpecterDev (7th March 2019 - 8:29 pm) --> https://twitter.com/SpecterDev/status/1103739416554594304

      Twitter: @SpecterDev (8th March 2019 - 7:26 pm) --> https://twitter.com/SpecterDev/status/1104085876831735808


    Source: GitHub
    Twitter: @SpecterDev
     
    Last edited by a moderator: Mar 10, 2019
    Rommy667, Stayhye, benfrost94 and 9 others like this.

Comments

Discussion in 'PS4 News' started by Roxanne, Mar 9, 2019.

    1. Killer Bunny
      Killer Bunny
      Sony to specterdev: Am I a joke to you?
      Ali888 and RandomDude like this.
    2. amirzaim
      amirzaim
      It's a "cat & mouse" game....Every time the firmware exploited, then the patch update came as fast as lightning!
    3. STLcardsWS
      STLcardsWS
      That is not the PS4 scene though. Its never been that cat and mouse game for the PS4. There is no reaction from Sony needed.
    4. SoJustMe
      SoJustMe
      Wow , after i updated this news comes Lol
    5. SoJustMe
      SoJustMe
      Ok , how can Sony know about this exploit? Do they have a mole inside us lol , i hope you exploit in secret and create a private community only for developers and those who you trust , no info about the exploit till it is ready, and keep telling people to wait or to not update if it is close . But thanks anyway i hope a method will be discovered for downgrading as well
    6. DeViL303
      DeViL303
      The PS4 shares its webkit with other devices, and lots of these exploits originate from disclosed bugs reported by other people on other systems, like ps3xploit, its just Sony had not got around to patching this one yet on PS4, but it will have been on the list. Also sometimes they will patch an exploit by "mistake" that they didnt really know about specifically, in some cases it could be a side effect of increasing security generally or changing the way a process works.
      Zazenora and SoJustMe like this.
    7. benfrost94
      benfrost94
      Does this mean there is a possibility of han on 6.20

      Sent from my MotoG3 using Tapatalk
    8. Zazenora
      Zazenora
      You've never seen a grown man cry as I did yesterday.
      I literally just updated a couple hours before this news dropped.

      I guess my PS4 is destined to stay clean. I've decided to save up and search for a used console that hasn't been updated. Right now would be the time to do so while chances are still high.
      (If you can afford to do so... won't be an easy task on my part either.)
      SoJustMe likes this.
    9. ISAK.M
      ISAK.M
      That's horrible, feel ya pain man :(
    10. Berion
      Berion
      @Zazenora I read few days ago about it... just right after updated to 6.50. :D But to be honest, it is only execution in userland, doesn't allow to much, so it is not big deal (at least for now). Kexploit is still in private...

      Which I hate in such releases is fact they are publishing *after* it is patched. When HENkaku appeared, everyone can decide if stay in "official way" or go to underground because hack was for current firmware. When GH released CFW it was also for current fw. When IPL hacks released for PSP they also was for current fw. But on PS4, You must be damn hamster which waiting for something which You don't even know if there is anything for waiting. So, summary, I know how You feel, but be a man and don't cry. ;p
      DeViL303 and Zazenora like this.
    11. ISAK.M
      ISAK.M
      I cried when I discovered you need a f*cking HW Flasher to be on CFW and then PS3Xploit came around and I started crying of joy instead :D
      DeViL303 and Zazenora like this.
    12. ahmed koke
      ahmed koke
      You are the best at all, but the more you know, the deeper we ask, the more you wish you success:cheerful::cheerful::cheerful::cheerful:
    13. Zazenora
      Zazenora
      @Berion @ISAK.M
      It's fine. It wasn't as emotional as I made it sound xD
      I put my big boy pants back on almost immediately and went on.

      I'm still torn on deciding whether I'd even go through with any kind of exploit or mod on my current console anyway. When I installed HAN on my PS3, I already had another perfectly working console, so if something happened such as a possible brick or ban, I'd be one step ahead.
      I keep falling into the hype of it and crawl my way back out.
      DeViL303 likes this.
    14. DEX357
      DEX357
      I am still waiting for something bigger than JB, more emulators (PSX,PSP, Dolphin....etc.) on gameOS more homebrew.
      Zazenora likes this.
    15. Silk
      Silk
      I decided not to update my firmware after 6.0 as I've been too busy to play anyway, and I felt like an exploit might be showing up in the near future. Fingers crossed this might be the first big step in the direction of a jailbreak for systems <= 6.20!
    16. ahmed koke
      ahmed koke
      I was already waiting to escape from( 5.55) Today I had great hope of escaping from( 6.20)
      that's cool:evil witch:
    17. Benaam433
      Benaam433
      Really liked the information...
    18. oceansoul
      oceansoul
      Can i install games with this exploit and how to ? I up web server install this exploit but doesnt have option for install games like i have in 4.55 ?

Share This Page