Following his 4.05 PS4 exploit, its related documentation, and the release of the full 4.55 PS4 jailbreak and the 4.55 PS4 Holy Grail homebrew enabler, PlayStation 4 developer @SpecterDev today made available via Twitter his 4.55 WebKit exploit write-up for the "setAttributeNodeNS()" bug, so that other scene devs and enthusiasts can learn from it.
Here's an excerpt from the complete setAttributeNodeNS UAF Write-up.md file, to quote:

Conclusion
For a seasoned WebKit attacker, this bug is trivial to exploit. For non-seasoned ones such as myself, however, working with WebKit to leverage a read/write primitive from WebCore heap corruption can be confusing and challenging.
I hope that this write-up can help other researchers new to WebKit to understand a bit of the magic that happens behind WebKit exploitation, as without understanding fundamental data structures such as JSObjects and JSValues, it can be difficult to make sense of what's happening.
This is why I focused the core of the write-up on going from heap corruption to obtaining a read/write primitive, and how type confusion with internal objects can be used to achieve it.
In the next section (yet to be published), we will cover the kernel exploit portion of the 4.55 jailbreak chain. While this WebKit exploit will work on 5.02 and lower, the kernel exploit will only work on firmware 4.55 and lower.
Credits
- qwertyoruiopz
- Lokihardt
- Chromium Bug #169685 reported by [email protected]
- Attacking Javascript Engines by sealo
- Technical Analysis of the Pegasus Exploits on iOS by Lookout