This is for the Pwners : Exploiting a WebKit 0-day in PlayStation 4

Conference: BlackHat EU 2020

2020-12-10

Summary

The presentation discusses an exploit for PS4 firmware version 6 that yields arbitrary read and write access and code execution. The exploit is not stable and could be improved.
  • The exploit uses an arbitrary decrement to obtain a primitive and locate the addresses of objects in memory.
  • This relative primitive is then used to leak the address of a specific object, which in turn allows arbitrary data read and write.
  • The exploit uses a JSArrayBufferView to achieve arbitrary read and write access.
  • The instruction pointer can be controlled to implement the next stages of the exploit.
  • The exploit is not stable; it could be improved by refining the ASLR brute-force step and finding a better exploitation path.
  • The exploit was attempted on PS4 firmware version 7 but did not succeed.
  • A Raspberry Pi was used in an attempt to bypass ASLR on firmware version 7, but this did not yield any results.
The speaker demonstrated the exploit, which took about 11 seconds to reach arbitrary read and write access. However, the reliability of the exploit could be improved.

Abstract

Despite an active console hacking community, only a few public PlayStation 4 exploits have been released. The exposed WebKit-based browser is usually the entry point of a full-chain attack: from browser exploitation to kernel exploitation. However, browser-engine hardening techniques, together with the total absence of debugging capabilities, make it very hard to successfully exploit bugs in the latest PS4 firmwares. In this talk, we will present how we managed to debug and then exploit a 0-day WebKit vulnerability on 6.xx firmwares. The bug was reported by our fuzzers and is currently under the process of responsible disclosure.

The bug is a Use-after-Free (UAF) vulnerability in the WebKit engine. Exploiting it requires a deep understanding of WebKit's primary heap allocator. The key concepts of the allocator, as well as the primitives required to massage the heap, will be introduced to the audience.

In this talk, we will introduce the root cause of the bug. This bug provides limited exploitation primitives. However, thanks to a weakness we identified in the ASLR mechanism, we were able to make this bug exploitable. In this presentation, we will focus on the exploitation strategy we adopted to get code execution in the context of the browser process, and in particular on how we turned a Use-After-Free into a R/W primitive leading to code execution. We will conclude our talk by outlining some of the hurdles we faced while attempting to port the exploit to the latest PS4 firmware.