With the PS4 WebKit 0-day BlackHat Europe 2020 presentation tomorrow, recently _Icewall disclosed two advisories via Talos Intelligence vulnerability reports… and while patched, one may be able to bridge the gap between a missing PS4 7.00-7.02 Userland / WebKit Exploit (Mira 7.00-7.02 PS4 Ports) and the previously released PS4 7.02 Kernel Exploit to reignite the PS4 Scene with another full PS4 Jailbreak.
For those who missed it, another Talos Intelligence (CVE-2020-9951) Apple Safari/Webkit aboutBlankURL() code execution vulnerability was reported this past September and following his LogMeIn Hamachi VLAN Client Unofficial PS4 Port developer sleirsgoevy (Twitter) said he would take a look into it in the Github comments with his most recent reply stating, to quote: “It seems that I have a PoC, but nowhere close to a working exploit yet.”
While he has a Proof-of-Concept for the latter, @zecoxao (Twitter) notes in the Github replies that Webkit WebSocket code execution vulnerability (CVE-2020-13543) may be a better route to go, as although there is currently no PoC available it shows where the actual flaw is.
A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2.30.0. A specially crafted web page can trigger a use-after-free vulnerability which can lead to remote code execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
- Webkit WebSocket code execution vulnerability (TALOS-2020-1155/CVE-2020-13543)
Webkit ImageDecoderGStreamer use-after-free vulnerability(TALOS-2020-1195/CVE-2020-13584)
What does this mean?
Remember reading that it was patched above… well, if PlayStation 4 Scene developers can ascertain which commit fixed the bug and reverse-engineer it then the PS4 WebKit (webkit-0700.zip – 683 MB – 7.00-7.02) and even the PS5 WebKit could be examined to verify if the affected code is still present.
According to @Al Azif (Twitter), it was initially reported on September 15th so some time between then and now is where the commit that fixes the websocket issue remains suggesting it may be 5ccce66d9f426cd5390d21a009f124e828fd7fb0 (WebKit Bugzilla Bug #216791): Protect WebSocketChannel before calling client methods
Patch by Carlos Garcia Campos <email@example.com> on 2020-11-19 Reviewed by Youenn Fablet. Ensure we keep a reference to the WebSocketChannel before calling client methods that might close the channel. * WebProcess/Network/WebSocketChannel.cpp: (WebKit::WebSocketChannel::close): (WebKit::WebSocketChannel::fail): (WebKit::WebSocketChannel::didClose): (WebKit::WebSocketChannel::resume): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@270021 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Beyond that, she notes an issue would be sorting out how to trigger the exploit itself. As always, time will tell in which direction this Webkit WebSocket code execution vulnerability leads.