Webbrowser: Difference between revisions

From Vita Developer wiki
Jump to navigation Jump to search
Line 129: Line 129:
1.50-1.81 (CVE-2010-1807 and CVE-2010-4577)
1.50-1.81 (CVE-2010-1807 and CVE-2010-4577)
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
* http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4577
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4577
* https://code.google.com/p/chromium/issues/detail?id=63866


2.00-3.20 (CVE-2013-0903-1)
2.00-3.20 (CVE-2013-0903-1)
* [http://acez.re/ps-vita-level-1-webkitties-3 Acama's write-up]
* [http://acez.re/ps-vita-level-1-webkitties-3 Acama's write-up]
* http://packetstormsecurity.com/files/123088/
* http://packetstormsecurity.com/files/123089/Packet-Storm-Advisory-2013-0903-1-Apple-Safari-Heap-Buffer-Overflow.html
* http://packetstormsecurity.com/files/123089/Packet-Storm-Advisory-2013-0903-1-Apple-Safari-Heap-Buffer-Overflow.html
* related to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3748 and https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3748
* related to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3748 and https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3748
Line 139: Line 143:
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1303
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1303
* http://wololo.net/2015/04/22/new-webkit-exploit-found-vita-maybe-playstation-4
* http://wololo.net/2015/04/22/new-webkit-exploit-found-vita-maybe-playstation-4
* https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF
* https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf
* https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf


3.50-3.60 (no CVE at the time it was written, credits to xyz)
3.50-3.60 (no CVE at the time it was written, credits to xyz)

Revision as of 14:39, 15 June 2018

Web Content Guidelines

Supports

  • Cookies
  • Javascript 1.7
  • partial HTML 5
  • Partial Video support (added from 2.10 update)

Not supported

  • Flash
  • Youtube (no HTML5: video)

Known Useragents

PlayStation Vita YouTube/1.0 libhttp/1.67 (PS Vita)
PlayStation Vita YouTube/2.1 libhttp/2.60 (PS Vita)

Useragent (Vita TV has trailing "Silk/3.2 VTE/2.50" or "Silk/3.2 VTE/3.30" as subidentifier):

Table below indicates known and unknown. "YES" = known vulnerability in use, "NO" = unknown if vulnerability in use.

useragent version vulnerability
Mozilla/5.0 (PlayStation Vita 1.00) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.000.000 Yes
Mozilla/5.0 (PlayStation Vita 1.03) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.030.010 Yes
Mozilla/5.0 (PlayStation Vita 1.04) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.040.000 Yes
Mozilla/5.0 (PlayStation Vita 1.05) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.050.000 Yes
Mozilla/5.0 (PlayStation Vita 1.06) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.060.010 Yes
Mozilla/5.0 (Playstation Vita 1.50) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.500.000 Yes
Mozilla/5.0 (PlayStation Vita 1.51) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.510.000 Yes
Mozilla/5.0 (PlayStation Vita 1.52) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.520.000 Yes
Mozilla/5.0 (PlayStation Vita 1.60) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.600.000 Yes
Mozilla/5.0 (Playstation Vita 1.61) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.610.000 Yes
Mozilla/5.0 (PlayStation Vita 1.65) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.650.000 Yes
Mozilla/5.0 (PlayStation Vita 1.66) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.660.000 Yes
Mozilla/5.0 (PlayStation Vita 1.67) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.670.000 Yes
Mozilla/5.0 (PlayStation Vita 1.69) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.690.000 Yes
Mozilla/5.0 (PlayStation Vita 1.80) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.800.000 Yes
Mozilla/5.0 (PlayStation Vita 1.81) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.810.000 Yes
Mozilla/5.0 (PlayStation Vita 2.00) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.000.000 Yes
Mozilla/5.0 (PlayStation Vita 2.01) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.010.000 Yes
Mozilla/5.0 (PlayStation Vita 2.02) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.020.000 Yes
Mozilla/5.0 (PlayStation Vita 2.05) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.050.000 Yes
Mozilla/5.0 (PlayStation Vita 2.06) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.060.000 Yes
Mozilla/5.0 (PlayStation Vita 2.10) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.100.000 Yes
Mozilla/5.0 (PlayStation Vita 2.11) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.110.000 Yes
Mozilla/5.0 (PlayStation Vita 2.12) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.120.000 Yes
Mozilla/5.0 (PlayStation Vita 2.50) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.500.000 Yes
Mozilla/5.0 (PlayStation Vita 2.60) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.600.000 Yes
Mozilla/5.0 (PlayStation Vita 2.61) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.610.000 Yes
Mozilla/5.0 (PlayStation Vita 3.00) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.000.000 Yes
Mozilla/5.0 (PlayStation Vita 3.01) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.010.000 Yes
Mozilla/5.0 (PlayStation Vita 3.10) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.100.000 Yes
Mozilla/5.0 (PlayStation Vita 3.12) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.120.000 Yes
Mozilla/5.0 (PlayStation Vita 3.15) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.150.000 Yes
Mozilla/5.0 (PlayStation Vita 3.18) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.180.000 Yes
Mozilla/5.0 (PlayStation Vita 3.20) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.200.000 Yes
Mozilla/5.0 (PlayStation Vita 3.30) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.300.000 Yes
Mozilla/5.0 (PlayStation Vita 3.35) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.350.000 Yes
Mozilla/5.0 (PlayStation Vita 3.36) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.360.000 Yes
Mozilla/5.0 (PlayStation Vita 3.50) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.500.000 Yes
Mozilla/5.0 (PlayStation Vita 3.52) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.520.000 Yes
Mozilla/5.0 (PlayStation Vita 3.55) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.550.000 Yes
Mozilla/5.0 (PlayStation Vita 3.57) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.570.000 Yes
Mozilla/5.0 (PlayStation Vita 3.60) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.600.000 Yes
Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.610.000 No

Webkit exploits

Terminology

An information security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.
An information security exposure is a system configuration issue or a mistake in software that allows access to information or 
capabilities that can be used by a hacker as a stepping-stone into a system or network.

Common Vulnerabilities and Exposures list

1.50-1.81 (CVE-2010-1807 and CVE-2010-4577)

2.00-3.20 (CVE-2013-0903-1)

3.30-3.36 (CVE-2014-1303)

3.50-3.60 (no CVE at the time it was written, credits to xyz)

Repositories

<=1.81 webkit exploit PoC:

1.50-1.69-1.80 HTMLit:

ROPtool:

1.61 files for HTMLit and ROPtool:

1.80 files for ROPtool:

1.81 ROP:

2.60 webkit exploit PoC:

3.18 webkit exploit PoC:

3.01-3.15-3.18 memory dumping:

3.15-3.18 webkitties:

3.00-3.15-3.18 vitasploit:

2.02-2.12-3.00-3.01-3.18 vitasploit:

3.36 webkit exploit:

2.00-2.01-2.02-2.05-2.10-2.11-2.12-2.50-2.60-2.61-3.00-3.01-3.10-3.12-3.18-3.20 + 3.30-3.35-3.36 vitasploit:

Other tools:

Online Tests

Webkit Modules

Module Remark
SceAacenc
SceActivityDb
SceAppUtil
SceAtrac
SceAudiocodec
SceAvcodecUser
SceAvPlayer
SceBeisobmf
SceBemp2sys
ScebXCe
SceCheckoutDialogPlugin
SceClipboard
SceCommonDialog
SceCommonGuiDialog
SceDbrecoveryUtility
SceDbutil
SceDriverUser
SceDrmPsmKdc
SceFiber
SceFriendListDialogPlugin
SceGpuEs4User
SceGxm
SceHafnium
SceHandwriting
SceIme
SceImeDialogPlugin
SceIniFileProcessor
SceJpegArm
SceJpegEncArm
SceLibc
ScelibDbg
SceLibFios2
SceLibft2
SceLibG729
SceLibGameUpdate
SceLibHttp
SceLibJson
SceLibKernel
SceLibLocation
SceLibLocationExtension
SceLibMp4Recorder
SceLibNetCtl
SceLibPgf
SceLibPspnetAdhoc
SceLibPvf
SceLibRudp
SceLibSsl
SceLibVitaJSExtObj
SceLibXml
SceLiveAreaUtil
SceMp4
SceMsgDialogPlugin
SceMusicExport
SceNearDialogUtil
SceNearProfile
SceNearUtil
SceNet
SceNetAdhocMatching
SceNetCheckDialogPlugin
SceNgsUser
SceNotificationUtil
SceNpActivity
SceNpActivityNet
SceNpBasic
SceNpCommerce2
SceNpCommon
SceNpCommonPs4
SceNpFriendPrivacyLevel
SceNpKdc
SceNpManager
SceNpMatching2
SceNpMessage
SceNpMessageContactsPlugin
SceNpMessageDialogPlugin
SceNpMessageDlgImplPlugin
SceNpPartyGameUtil
SceNpScore
SceNpSignaling
SceNpSnsFacebook
SceNpTrophy
SceNpTus
SceNpUtility
SceNpWebApi
ScePaf
ScePartyMemberListPlugin
ScePhotoExport
ScePhotoImportDialogPlugin
ScePhotoReviewDialogPlugin
ScePromoterUtil
ScePsp2Compat
SceSasUser
SceSaveDataDialogPlugin
SceScreenShot
SceShellSvc
SceShutterSound
SceSqlite
SceSqliteVsh
SceStoreCheckoutPlugin
SceSystemGesture
SceTeleportClient
SceTeleportServer
SceTrophySetupDialogPlugin
SceUlt
SceVideoExport
SceVoice
SceVoiceQoS
SceWebFiltering
SceWebKit
SceWebKitProcess

Browsertests

Access to the PS3 Store and get content in Vita

Video

[2]

PS Vita's browser has some secrets function, such as enter in ps store or open an app.

For example:

psns:browse?category=PN.P3.US-PN.P3.GAME.US-BASE opens PS3 store US region
psns:browse?product=IP9100-PCSI00002_00-MUSICUNLIMITED00 opens Music Unlimited product

How it works

 psns:browse

This command supports several arguments, the most usables are:

 psns:browse?category=
 
 psns:browse?product=

By defining a category or product ID, this command will redirect you to the PSN Store and show you the chosen category/product. A few examples:

The syntax for categories works as follows:

 PN + CONSOLE ID + REGION ID + PN + CONSOLE ID + STORE ID + REGION ID + PAGE

Common Console ID's are:

 P3 --> PS3
 
 VT --> PS VITA
 
 PC --> MEDIA GO / PSP

Common Store ID's are:

 GAME or VIDEO

Redeem Comand

 psns:redeem?code1=123&code2=456&code3=789

This command will immediantly prompt you to the PSN Stores' redeem function, taking the arguments with it.