A kernel bug reachable from the WebKit sandbox could enable remote data theft or console piracy
Sony has awarded a researcher $10,000 for disclosing a critical kernel bug in the PlayStation 4 console that can be reached from the WebKit browser engine.
The vulnerability, rated High severity (a CVSS score in the 7.0 to 8.9 range), was disclosed on July 6 via the HackerOne bug bounty platform.
Sony launched a public bug bounty program for the PlayStation 4 console in June, ahead of the anticipated rollout of the next-generation PlayStation 5 console over this year’s holiday season.
The gaming giant is willing to pay up to $50,000 for bug reports. The average bounty paid out so far is $400, and Sony has awarded researchers a total of $177,500 at the time of writing.
In scope are PlayStation web domains, the wallet API, PSN, the PlayStation Store, and the PlayStation 4 itself, including its operating system (current or beta versions) and accessories.
Reported by information security engineer Andy Nguyen, the bug in question lives in the PS4 kernel. On its own it requires code execution on the console; paired with a WebKit exploit such as CVE-2018-4386, a memory corruption issue that could be used to exploit not only the PS4 but other products built on the browser engine, including iOS, Safari, iTunes, and iCloud, it becomes reachable from a web page.
The use-after-free vulnerability discovered by Nguyen affects PS4 firmware versions 7.02 and below. The public WebKit exploit it was chained with, dubbed “bad_hoist”, works on firmware 6.72 and earlier.
Nguyen says the security flaw was caused by missing locks in the IPV6_2292PKTOPTIONS option of setsockopt, which allows attackers to “race and free the struct ip6_pktopts buffer, while it is being handled by ip6_setpktopt”.
The structure contains pointers that can be hijacked for kernel code execution. Because the bug is reachable from inside WebKit’s sandbox, chaining it with a suitable WebKit exploit takes an attacker from the browser’s sandbox to kernel code execution, exposing user data and giving full control of the console.
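To make the mechanism behind Nguyen’s description concrete, the following C program is an added example and is not Sony’s, FreeBSD’s, or Nguyen’s code. It models a per-socket options pointer that one setsockopt path discards while another path is still dereferencing it, first without the lock (the bug) and then with a write lock held across the handling (the fix). The struct and function names (pktopts_model, inpcb_model, setpktopt_model, racing_clear_pktopts) are simplified stand-ins, the interleaving is forced deterministically rather than left to the scheduler, and the discarded chunk is poisoned with 0x41 bytes instead of freed so the demonstration stays well-defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte an attacker would spray into the reclaimed chunk; reading it back
 * shows the handler consumed attacker-controlled memory. (Assumed value.) */
#define POISON_BYTE 0x41
#define POISON_WORD 0x41414141

/* Simplified stand-in for struct ip6_pktopts: one value field plus a
 * pointer field, because it is the pointer fields that get hijacked. */
struct pktopts_model {
    int32_t hoplimit;
    void   *hijackable_ptr;
};

/* Simplified stand-in for the per-socket inpcb. */
struct inpcb_model {
    struct pktopts_model *outputopts;   /* discarded/replaced by setsockopt */
    int wlocked;                        /* 1 while a path holds the write lock */
};

static struct pktopts_model *pktopts_alloc(int32_t hoplimit)
{
    struct pktopts_model *p = calloc(1, sizeof *p);
    if (!p)
        abort();
    p->hoplimit = hoplimit;
    return p;
}

/* The racing path: another thread's setsockopt(IPV6_2292PKTOPTIONS) that
 * discards the current options. With the fix it must wait for the lock,
 * so it returns 0 and does nothing while the handler is running. Rather
 * than free(), the chunk is poisoned to stand in for attacker spray and
 * keep the model well-defined. */
static int racing_clear_pktopts(struct inpcb_model *inp, int honor_lock)
{
    if (honor_lock && inp->wlocked)
        return 0;                       /* would block on the lock */
    struct pktopts_model *old = inp->outputopts;
    if (!old)
        return 0;
    inp->outputopts = NULL;
    memset(old, POISON_BYTE, sizeof *old);
    return 1;
}

/* Stand-in for ip6_setpktopt: grabs the options pointer, then keeps
 * using it. `with_lock` toggles between the buggy and the fixed shape. */
static int32_t setpktopt_model(struct inpcb_model *inp, int with_lock)
{
    if (with_lock)
        inp->wlocked = 1;
    struct pktopts_model *opt = inp->outputopts;   /* pointer captured here */

    /* Race window: the other thread's syscall is scheduled right here. */
    racing_clear_pktopts(inp, with_lock);

    int32_t v = opt->hoplimit;   /* without the lock this reads the poisoned chunk */

    if (with_lock) {
        inp->wlocked = 0;
        racing_clear_pktopts(inp, with_lock);   /* deferred clear now runs safely */
    }
    return v;
}

/* Runs one forced interleaving and returns what the handler read:
 * the sprayed pattern when the lock is missing, the real value with it. */
int32_t run_pktopts_race(int with_lock)
{
    struct pktopts_model *opt = pktopts_alloc(64);
    struct inpcb_model inp = { opt, 0 };
    int32_t seen = setpktopt_model(&inp, with_lock);
    free(opt);   /* the model only poisoned it; release it here */
    return seen;
}

int main(void)
{
    printf("missing lock: handler read 0x%08x (value was 64)\n",
           (unsigned)run_pktopts_race(0));
    printf("with lock:    handler read %d\n", run_pktopts_race(1));
    return 0;
}
```

The point of the model is the ordering, not the data: the handler captures the pointer before the competing syscall runs, and nothing stops that syscall from tearing the buffer down underneath it. Holding the write lock across the whole handling turns the competing clear into a wait, so it only runs once the handler has finished with the buffer. In a real kernel the reclaimed chunk would be refilled by an attacker through heap spraying, which is why the hijackable pointer fields in the structure matter.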
When queried over the use of the WebKit exploit, Nguyen said:
I have chained the kernel exploit with a public WebKit exploit on FW 6.72, hence I know that it is reachable from the WebKit sandbox. For 7.02, I don't have a WebKit exploit myself. I have obtained a kernel dump from an anonymous person and reverse engineered the affected component and verified that it was still unpatched.
Closing the loophole
Sony was likely keen to patch this particular bug, as console owners could also potentially use it to run homebrew software on their machines, including emulators and pirated games.
Even with older machines, such as the PS Vita – which has its own dedicated hacking community – the company is often quick to close any loophole potentially leading to piracy.
The vulnerability has now been patched by Sony in the PS4 system’s software version 7.50, released earlier this month.
Nguyen was awarded a bug bounty of $10,000.
The Daily Swig has reached out to Sony and Nguyen with additional queries and will update when we hear back.