PS4 PS4 6.20 WebKit Exploit Released by @SpecterDev (Patched for System Firmware 6.50)

The PS4 might get some attention again. After the last few weeks, where we saw multiple Homebrew Releases - such as a updated Linux Distribution for your PS4, various Homebrew Games for your PS4, Emulators for playing older Classics on your PS4 and other useful Homebrew Applications, which makes your PS4 more useful for you - today, Developer @SpecterDev released a new WebKit Exploit for a newer System Firmware, namely for System Firmware 6.20. Although this Exploit isn't a complete Kernel Exploit together with the fact that this Remote Code Execution Exploit has been already patched by Sony on the newest System Firmware 6.50 released a few days ago, it is still a useful method to tinker more with this specific System Firmware, as Developer @SpecterDev describes it with his own words, which you can see down below. This can be especially useful for Developers, who wants to tinker with older System Firmwares as well, such as for System Firmware 5.55 for instance. Maybe we can see a newer full Kernel Exploit for a newer System Firmware released sooner or later.​

It can be useful to update to System Firmware 6.20 sooner or later.​

Release Notes (via GitHub) Announcements (via Twitter)

• 
  
  PS4 6.20 WebKit Code Execution PoC​
  
  This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in wkexploit.js. It will then setup a framework to run ROP chains in index.html and by default will provide two hyperlinks to run test ROP chains - one for running the sys_getpid() syscall, and the other for running the sys_getuid() syscall to get the PID and user ID of the process respectively.
  
  Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). The bug report can be found here.
  
  
  Note: It's been patched in the 6.50 firmware update.​
  
  
  Files - Files in order by name alphabetically;
  
  • index.html - Contains post-exploit code, going from arb. R/W -> code execution.
  • rop.js - Contains a framework for ROP chains.
  • syscalls.js - Contains an (incomplete) list of system calls to use for post-exploit stuff.
  • wkexploit.js - Contains the heart of the WebKit exploit.
  
  Notes
  
  • This vulnerability was patched in 6.50 firmware!
    
  • This only gives you code execution in userland. This is not a jailbreak nor a kernel exploit, it is only the first half.
  • This exploit targets firmware 6.20. It should work on lower firmwares however the gadgets will need to be ported, and the p.launchchain() method for code execution may need to be swapped out.
  • In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit. This is part of the reason why syscalls.js contains only a small number of system calls.
  
  Usage
  
  Setup a web-server hosting these files on localhost using xampp or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either;
  
  1. Fake DNS spoofing to redirect the manual page to the exploit page, or
     
  2. Using the web browser to navigate to the exploit page (not always possible).
  
  Vulnerability Credit
  
  • I wrote the exploit however I did not find the vulnerability, as mentioned above the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.
  
  Resources
  
  • Chromium Bug Report - The Vulnerability.
  • Phrack: Attacking JavaScript Engines by saelo - A life saver. Exploiting this would have been about 1500x more difficult without this divine paper.
  
  
  Thanks
  
  • lokihardt - The vulnerability
  • st4rk - Help with the exploit
  • qwertyoruiop - WebKit School
  • saelo - Phrack paper
• 
  Twitter: @SpecterDev (7th March 2019 - 8:29 pm) --> https://twitter.com/SpecterDev/status/1103739416554594304
  

  The 6.50 FW update seems to have patched a WebKit exploit I wrote up a month or so ago. I may drop the exploit soon so if you're a dev that wants to play with WebKit don't update

  
  
  Twitter: @SpecterDev (8th March 2019 - 7:26 pm) --> https://twitter.com/SpecterDev/status/1104085876831735808
  

  I'm releasing the WebKit code execution RCE I spoke of yesterday targetting PS4 6.20 firmware. Gadgets and potentially the code execution strategy will need to be adjusted for lower firmwares. Have fun

Source: GitHub
Twitter: @SpecterDev​

 

Sony to specterdev: Am I a joke to you?

 

It's a "cat & mouse" game....Every time the firmware exploited, then the patch update came as fast as lightning!

 

It's a "cat & mouse" game....Every time the firmware exploited, then the patch update came as fast as lightning!

That is not the PS4 scene though. Its never been that cat and mouse game for the PS4. There is no reaction from Sony needed.

 

Wow , after i updated this news comes Lol

 

Ok , how can Sony know about this exploit? Do they have a mole inside us lol , i hope you exploit in secret and create a private community only for developers and those who you trust , no info about the exploit till it is ready, and keep telling people to wait or to not update if it is close . But thanks anyway i hope a method will be discovered for downgrading as well

 

Ok , how can Sony know about this exploit? Do they have a mole inside us lol , i hope you exploit in secret and create a private community only for developers and those who you trust , no info about the exploit till it is ready, and keep telling people to wait or to not update if it is close . But thanks anyway i hope a method will be discovered for downgrading as well

The PS4 shares its webkit with other devices, and lots of these exploits originate from disclosed bugs reported by other people on other systems, like ps3xploit, its just Sony had not got around to patching this one yet on PS4, but it will have been on the list. Also sometimes they will patch an exploit by "mistake" that they didnt really know about specifically, in some cases it could be a side effect of increasing security generally or changing the way a process works.

 

Does this mean there is a possibility of han on 6.20

Sent from my MotoG3 using Tapatalk

 

You've never seen a grown man cry as I did yesterday.
I literally just updated a couple hours before this news dropped.

I guess my PS4 is destined to stay clean. I've decided to save up and search for a used console that hasn't been updated. Right now would be the time to do so while chances are still high.
(If you can afford to do so... won't be an easy task on my part either.)

 

You've never seen a grown man cry as I did yesterday.
I literally just updated a couple hours before this news dropped.

I guess my PS4 is destined to stay clean. I've decided to save up and search for a used console that hasn't been updated. Right now would be the time to do so while chances are still high.
(If you can afford to do so... won't be an easy task on my part either.)

That's horrible, feel ya pain man

 

@Zazenora I read few days ago about it... just right after updated to 6.50. But to be honest, it is only execution in userland, doesn't allow to much, so it is not big deal (at least for now). Kexploit is still in private...

Which I hate in such releases is fact they are publishing *after* it is patched. When HENkaku appeared, everyone can decide if stay in "official way" or go to underground because hack was for current firmware. When GH released CFW it was also for current fw. When IPL hacks released for PSP they also was for current fw. But on PS4, You must be damn hamster which waiting for something which You don't even know if there is anything for waiting. So, summary, I know how You feel, but be a man and don't cry. ;p

 

@ZazenoraSo, summary, I know how You feel, but be a man and don't cry. ;p

I cried when I discovered you need a f*cking HW Flasher to be on CFW and then PS3Xploit came around and I started crying of joy instead

 

You are the best at all, but the more you know, the deeper we ask, the more you wish you success

 

@Berion @ISAK.M
It's fine. It wasn't as emotional as I made it sound xD
I put my big boy pants back on almost immediately and went on.

I'm still torn on deciding whether I'd even go through with any kind of exploit or mod on my current console anyway. When I installed HAN on my PS3, I already had another perfectly working console, so if something happened such as a possible brick or ban, I'd be one step ahead.
I keep falling into the hype of it and crawl my way back out.

 

I am still waiting for something bigger than JB, more emulators (PSX,PSP, Dolphin....etc.) on gameOS more homebrew.

 

I decided not to update my firmware after 6.0 as I've been too busy to play anyway, and I felt like an exploit might be showing up in the near future. Fingers crossed this might be the first big step in the direction of a jailbreak for systems <= 6.20!

 

I was already waiting to escape from( 5.55) Today I had great hope of escaping from( 6.20)
that's cool

 

Really liked the information...

 

Can i install games with this exploit and how to ? I up web server install this exploit but doesnt have option for install games like i have in 4.55 ?