ntfargo/CSSFontFace-Exploit

WebKit CSSFontFace Exploit for PS4/PS5

Vulnerability Scope

| Bug | PlayStation 4 | PlayStation 5 |
| --- | --- | --- |
| CSSFontFace | 6.00-13.52 | 1.00-13.40 |

Exploitable In

| Bug | PlayStation 4 | PlayStation 5 |
| --- | --- | --- |
| CSSFontFace | 6.00-11.50 | 1.00-8.60 |
  • PS5 is also exploitable if ASLR can be defeated, either through a heap-shaping trick or a separate leak bug, and the expected vtable pointer can be recovered before the native crash path.

Supported by This Repository

| Bug | PlayStation 4 | PlayStation 5 |
| --- | --- | --- |
| CSSFontFace | 9.00 | N/A |

Limitations

  • Newer WebKit versions on PlayStation 4 [11.5x-latest] and PlayStation 5 [9.00-latest] redesigned CSSFontFace get/set property handling and introduced m_propertiesOrCSSConnection. Because of this and other layout changes, the m_featureSettings read/write primitive used by this repository is no longer usable on firmware versions above the ranges listed here.
  • On PlayStation 5, vtable checks and WebKit ASLR prevent this repository's chain from working unless a separate ASLR defeat and vtable recovery workaround is found.

Technical writeup: https://linearfox.com/blog/cssfontface-uaf-playstation

Collaborators / Research References

  • ufm42: bug research, full-chain exploit development.
  • Nathan Fargo aka @ntfargo: bug research, writeup, exploit development.
  • Dr.Yenyen: testing.
  • Hacking the PS4 by CTurt (2015): https://cturt.github.io/ps4.html
  • Old PS5 WebKit contributors (2022): https://github.com/ChendoChap/PS5-Webkit-Execution
