
Scene veteran Zecoxao has published a PoC (Proof of Concept) file for a webkit vulnerability, as initially reported by Kameleon (link to test the PoC on your console below). It appears the vulnerability impacts PS4 on Firmwares 10.00 to 11.02 included, and PS5 on Firmwares 6.00 to 8.60 included. Those results are based on early tests from the scene and need to be confirmed though. Also, more importantly, it still remains to be seen if such a vulnerability can actually be leveraged into a working exploit on either PS4, PS5, or both.
What are Webkit Vulnerabilities in the context of PS4/PS5, and why they’re useful
Webkit is the engine that powers most web browsers nowadays. Its code is open source, and like all pieces of software, it sometimes has bugs. These bugs are often discovered by security researchers on platforms such as Safari or Google Chrome, but since Webkit is also running under the hood on the PS4 and PS5 web browsers, a Webkit bug will often have an impact on the PS4 and the PS5.
A bug is typically the starting point to work on a exploit, which, combined with privilege escalation attacks (aka kernel exploit), can lead to a Jailbreak on the console. In other words, generally speaking, we need both a “user” vulnerability such as a Webkit exploit, AND a Kernel exploit, to work on a Jailbreak for the PlayStation consoles. (This is not always true though, TheFloW‘s recent PPPwn hack instantly goes to kernel exploitation without needing a usermode entrypoint. But such an exploit is very rare in my experience).
Furthermore, PPPwn in itself has proven to “not be enough” to hack the PS5. SpecterDev has stated that a usermode exploit, in addition to PPPwn, could be required to provide a new “workable” exploit on the PS5. In other words, this particular Webkit exploit might open some doors for the PS5. It’s of course not necessarily that easy though, in particular because the webkit exploit needs to run in the context of the console’s Web Browser, while the PPPwn exploit is triggered during the internet connection step. Those are quite disconnected from each other and it might not be easy (or even possible) to run them in an appropriate sequence.
But generally speaking, Webkit exploits on the PS4 and PS5 are usually some good news for the scene.
So let’s look a bit deeper into this particular one:
Endless side effect issue in Safari/Webkit
The vulnerability was initially reported by here. According to the authors, it doesn’t appear to have a CVE associated to it, but was patched recently in Safari. A few specific quotes from that vulnerability writeup :
Attacker can break JS engine’s assumption that some properties like above things are unconfigurable. But through the bug, we can make them configurable.
[…]
So, normally prototype property is unconfigurable, but through this way, we make prototype property as OOL property which is configurable.
[…]
But the main question is still unclear. why is this exploitable?
To answer this question, we should find out what happens if something that was assumed to be non-configurable is now actually configurable.
Basically, since prototype is an unconfigurable property, it shouldn’t have a valid property offset, but due to the bug, it has.
Searching for a while, it seems that Spread opcode [note from wololo: Spread opcode is “…”, as seen in the poc below] is quite interesting as it can access to all elements when it creates JSImmutableButterfly. Also Spread opcode is used in AI analysis phase, and it will be determined as safe node.Following is type confusion poc for this bug. Tested on WebKit commit c7d1888949f94118612536ffc3b7f58cf102114b.
class Base extends Function { constructor() { super(); super.prototype = 1; } } let victim = [1.1, 2.2, 3.3]; victim[0] = 1.1; const b = new Base(); function opt(flag) { victim[0] = 13.37; victim[1] = 13.37; if (flag) [...arr]; victim[1] = 3.54484805889626e-310; } Object.defineProperty(arr, 0, {value:1.1, configurable:false, writable:true}); b.__defineGetter__("prototype", function() { victim[1] = {}; }); for (let i = 0; i < 0x100000; i++) { opt(false); } arr[0] = b.prototype; opt(true); victim[1] + 1;
Testing the vulnerability on your PS4/PS5 console
Again, this vulnerability appears to work on PS4 on Firmwares 10.00 to 11.02 included, and PS5 on Firmwares 6.00 to 8.60 included. Keep in mind that none of this is “useful” for end users at this point, but you might still want to give it a try.
You can point your PS4/PS5’s browser (using DNS redirection and accessing the “user’s guide”) to this url: https://zecoxao.github.io/cve/index.html
According to Zecoxao, if you get an “Out of Memory” or “Not enough system memory” message, this means your firmware is impacted by the vulnerability.

The PoC currently used:
<script>
class MyFunction extends Function {
constructor() {
super();
super.prototype = 1;
}
}
function test1() {
const f = new MyFunction();
f.__defineGetter__(“prototype”, () => {}); // should throw
}
function test2(i) {
const f = new MyFunction();
try { f.__defineGetter__(“prototype”, () => {}); } catch {}
f.prototype.x = i; // should not crash
}
test1();
test2(0);
</script>
Source: Zecoxao