Webbrowser: Difference between revisions
Jump to navigation
Jump to search
m (→Webkit exploit) |
|||
| Line 110: | Line 110: | ||
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4577 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4577 | ||
*http://acez.re/ps-vita-level-1-webkitties-3/ | |||
== | http://packetstormsecurity.com/files/123089/Packet-Storm-Advisory-2013-0903-1-Apple-Safari-Heap-Buffer-Overflow.html related to | ||
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3748 / https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3748) | |||
=== Repositories === | |||
* | |||
* https://github.com/Hykem/vitasploit/ by '''Hykem''' | |||
* [https://github.com/BrianBTB/codelion_poc repo] | * [https://github.com/BrianBTB/codelion_poc repo] | ||
* [https://github.com/joshaxey/badnanna181/tree/master discarded repro reduction for <=1.81] | * [https://github.com/joshaxey/badnanna181/tree/master discarded repro reduction for <=1.81] | ||
* https://github.com/xyzz/vitadump | |||
* https://bitbucket.org/Archaemic/memory-splicer | |||
* [https://bitbucket.org/DaveeFTW/psvita-260-webkit/ repo] | |||
* https://github.com/acama/webkitties | |||
=== Code, Test & Tool === | |||
* [http://www.lolhax.org/vita.htm live test] [http://wololo.net/v/webkit/vita.htm live test (miror)], [http://wololo.net/v/260.htm live test (old)] | |||
* [http://wololo.net/downloads/index.php/download/8231 memtools_vita] https://github.com/BrianBTB/memtools_vita/ | * [http://wololo.net/downloads/index.php/download/8231 memtools_vita] https://github.com/BrianBTB/memtools_vita/ | ||
* [http://wololo.net/downloads/index.php/download/8233 ROPTool] | * [http://wololo.net/downloads/index.php/download/8233 ROPTool] | ||
* [http://wololo.net/downloads/index.php/download/8234 HTMLIt] | * [http://wololo.net/downloads/index.php/download/8234 HTMLIt] | ||
** http://pastie.org/private/ugchhaqctvmw5rrg5w37ka <- load more modules for the JSoS module dumper :) | ** http://pastie.org/private/ugchhaqctvmw5rrg5w37ka <- load more modules for the JSoS module dumper :) | ||
* [http://pastebin.com/XNeALEbC SMOKE's Support_Uri Rop script] | * [http://pastebin.com/XNeALEbC SMOKE's Support_Uri Rop script] | ||
Revision as of 23:35, 13 April 2015
Web Content Guidelines
- PS Vita Web Content Guidelines v3.00
- PS3 Web Content Guidelines v3.10
- PS4 Web Content Guidelines v1.50
Supports
- Cookies
- Javascript 1.7
- partial HTML 5
- Partial Video support (added from 2.10 update)
Not supported
- Flash
- Youtube (no HTML5: video)
Known Useragents
PlayStation Vita YouTube/1.0 libhttp/1.67 (PS Vita) PlayStation Vita YouTube/2.1 libhttp/2.60 (PS Vita)
Useragent (Vita TV has trailing "Silk/3.2 VTE/2.50" or "Silk/3.2 VTE/3.30" as subidentifier):
Table below indicates known and unknown. "YES" = known vulnerability in use, "NO" = unknown if vulnerability in use.
| useragent | version | vulnerability |
|---|---|---|
| Mozilla/5.0 (PlayStation Vita 1.00) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.000.000 | Yes |
| Mozilla/5.0 (Playstation Vita 1.50) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.500.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.51) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.510.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.52) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.520.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.60) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.600.000 | Yes |
| Mozilla/5.0 (Playstation Vita 1.61) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.610.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.65) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.650.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.66) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.660.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.67) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.670.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.69) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.690.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.80) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.800.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 1.81) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.810.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.00) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.000.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.01) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.010.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.02) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.020.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.05) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.050.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.06) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.060.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.10) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.100.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.11) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.110.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.12) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.120.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.50) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.500.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.60) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.600.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 2.61) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.610.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.00) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.000.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.01) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.010.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.10) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.100.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.12) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.120.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.15) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.150.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.18) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.180.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.20) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.200.000 | Yes |
| Mozilla/5.0 (PlayStation Vita 3.30) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.300.000 | No |
| Mozilla/5.0 (PlayStation Vita 3.35) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.350.000 | No |
| Mozilla/5.0 (PlayStation Vita 3.36) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.360.000 | No |
Webkit exploit
Terminology
An information security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.
An information security exposure is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
Common Vulnerabilities and Exposures list
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4577
http://packetstormsecurity.com/files/123089/Packet-Storm-Advisory-2013-0903-1-Apple-Safari-Heap-Buffer-Overflow.html related to (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3748 / https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3748)
Repositories
- https://github.com/Hykem/vitasploit/ by Hykem
- repo
- discarded repro reduction for <=1.81
- https://github.com/xyzz/vitadump
- https://bitbucket.org/Archaemic/memory-splicer
- repo
- https://github.com/acama/webkitties
Code, Test & Tool
- live test live test (miror), live test (old)
- memtools_vita https://github.com/BrianBTB/memtools_vita/
- ROPTool
- HTMLIt
- http://pastie.org/private/ugchhaqctvmw5rrg5w37ka <- load more modules for the JSoS module dumper :)
- SMOKE's Support_Uri Rop script
Webkit Modules
| Module | Remark |
|---|---|
| SceAacenc | |
| SceActivityDb | |
| SceAppUtil | |
| SceAtrac | |
| SceAudiocodec | |
| SceAvcodecUser | |
| SceAvPlayer | |
| SceBeisobmf | |
| SceBemp2sys | |
| ScebXCe | |
| SceCheckoutDialogPlugin | |
| SceClipboard | |
| SceCommonDialog | |
| SceCommonGuiDialog | |
| SceDbrecoveryUtility | |
| SceDbutil | |
| SceDriverUser | |
| SceDrmPsmKdc | |
| SceFiber | |
| SceFriendListDialogPlugin | |
| SceGpuEs4User | |
| SceGxm | |
| SceHafnium | |
| SceHandwriting | |
| SceIme | |
| SceImeDialogPlugin | |
| SceIniFileProcessor | |
| SceJpegArm | |
| SceJpegEncArm | |
| SceLibc | |
| ScelibDbg | |
| SceLibFios2 | |
| SceLibft2 | |
| SceLibG729 | |
| SceLibGameUpdate | |
| SceLibHttp | |
| SceLibJson | |
| SceLibKernel | |
| SceLibLocation | |
| SceLibLocationExtension | |
| SceLibMp4Recorder | |
| SceLibNetCtl | |
| SceLibPgf | |
| SceLibPspnetAdhoc | |
| SceLibPvf | |
| SceLibRudp | |
| SceLibSsl | |
| SceLibVitaJSExtObj | |
| SceLibXml | |
| SceLiveAreaUtil | |
| SceMp4 | |
| SceMsgDialogPlugin | |
| SceMusicExport | |
| SceNearDialogUtil | |
| SceNearProfile | |
| SceNearUtil | |
| SceNet | |
| SceNetAdhocMatching | |
| SceNetCheckDialogPlugin | |
| SceNgsUser | |
| SceNotificationUtil | |
| SceNpActivity | |
| SceNpActivityNet | |
| SceNpBasic | |
| SceNpCommerce2 | |
| SceNpCommon | |
| SceNpCommonPs4 | |
| SceNpFriendPrivacyLevel | |
| SceNpKdc | |
| SceNpManager | |
| SceNpMatching2 | |
| SceNpMessage | |
| SceNpMessageContactsPlugin | |
| SceNpMessageDialogPlugin | |
| SceNpMessageDlgImplPlugin | |
| SceNpPartyGameUtil | |
| SceNpScore | |
| SceNpSignaling | |
| SceNpSnsFacebook | |
| SceNpTrophy | |
| SceNpTus | |
| SceNpUtility | |
| SceNpWebApi | |
| ScePaf | |
| ScePartyMemberListPlugin | |
| ScePhotoExport | |
| ScePhotoImportDialogPlugin | |
| ScePhotoReviewDialogPlugin | |
| ScePromoterUtil | |
| ScePsp2Compat | |
| SceSasUser | |
| SceSaveDataDialogPlugin | |
| SceScreenShot | |
| SceShellSvc | |
| SceShutterSound | |
| SceSqlite | |
| SceSqliteVsh | |
| SceStoreCheckoutPlugin | |
| SceSystemGesture | |
| SceTeleportClient | |
| SceTeleportServer | |
| SceTrophySetupDialogPlugin | |
| SceUlt | |
| SceVideoExport | |
| SceVoice | |
| SceVoiceQoS | |
| SceWebFiltering | |
| SceWebKit | |
| SceWebKitProcess |
Browsertests
Access to the PS3 Store and get content in Vita
Video
PS Vita's browser has some secrets function, such as enter in ps store or open an app.
For example:
| psns:browse?category=PN.P3.US-PN.P3.GAME.US-BASE | opens PS3 store US region |
|---|---|
| psns:browse?product=IP9100-PCSI00002_00-MUSICUNLIMITED00 | opens Music Unlimited product |
How it works
psns:browse
This command supports several arguments, the most usables are:
psns:browse?category= psns:browse?product=
By defining a category or product ID, this command will redirect you to the PSN Store and show you the chosen category/product. A few examples:
The syntax for categories works as follows:
PN + CONSOLE ID + REGION ID + PN + CONSOLE ID + STORE ID + REGION ID + PAGE
Common Console ID's are:
P3 --> PS3 VT --> PS VITA PC --> MEDIA GO / PSP
Common Store ID's are:
GAME or VIDEO
Redeem Comand
psns:redeem?code1=123&code2=456&code3=789
This command will immediantly prompt you to the PSN Stores' redeem function, taking the arguments with it.