Webbrowser: Difference between revisions
CelesteBlue (talk | contribs)
Revision as of 14:22, 15 June 2018
Web Content Guidelines
- PS Vita Web Content Guidelines v3.00
- PS3 Web Content Guidelines v3.10
- PS4 Web Content Guidelines v1.50
Supports
- Cookies
- JavaScript 1.7
- partial HTML 5
- Partial Video support (added from 2.10 update)
Not supported
- Flash
- YouTube (no HTML5 video)
Known Useragents
PlayStation Vita YouTube/1.0 libhttp/1.67 (PS Vita)
PlayStation Vita YouTube/2.1 libhttp/2.60 (PS Vita)
User agent (the Vita TV has a trailing "Silk/3.2 VTE/2.50" or "Silk/3.2 VTE/3.30" as sub-identifier):
The table below indicates which firmware versions are known to be vulnerable: "Yes" = a known vulnerability is in use, "No" = not known whether a vulnerability is in use.
User agent | Version | Vulnerability |
---|---|---|
Mozilla/5.0 (PlayStation Vita 1.00) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.000.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.03) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.030.010 | Yes |
Mozilla/5.0 (PlayStation Vita 1.04) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.040.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.05) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.050.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.06) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.060.010 | Yes |
Mozilla/5.0 (Playstation Vita 1.50) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.500.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.51) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.510.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.52) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.520.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.60) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.600.000 | Yes |
Mozilla/5.0 (Playstation Vita 1.61) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.610.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.65) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.650.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.66) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.660.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.67) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.670.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.69) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.690.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.80) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.800.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.81) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.810.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.00) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.000.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.01) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.010.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.02) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.020.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.05) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.050.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.06) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.060.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.10) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.100.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.11) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.110.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.12) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.120.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.50) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.500.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.60) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.600.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.61) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.610.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.00) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.000.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.01) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.010.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.10) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.100.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.12) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.120.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.15) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.150.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.18) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.180.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.20) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.200.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.30) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.300.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.35) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.350.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.36) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.360.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.50) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.500.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.52) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.520.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.55) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.550.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.57) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.570.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.60) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.600.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.610.000 | No |
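The table above is what a defender actually sees in web-server or proxy logs. The following Python, an added example that is not part of the wiki page, parses the Vita user-agent format shown in the table (both capitalisations of "PlayStation", the `AppleWebKit/` versus `AppleWebKit.` separator that changes at 3.30, and the Vita TV `VTE/` suffix), extracts the firmware version, and looks it up against the firmware ranges given in the page's Common Vulnerabilities and Exposures list. The `KNOWN_RANGES` table, the `VitaUA` record, the function names and the sample log lines are this example's own constructions.

```python
"""Classify PS Vita browser User-Agent strings against the firmware ranges
listed in the page's CVE section.  Added example: the regex, the range
table, the record type and the sample log lines are constructed for
illustration and are not taken from the wiki."""
import re
from typing import NamedTuple, Optional, Tuple

# Matches both spellings seen in the table ("PlayStation"/"Playstation", via
# IGNORECASE) and both WebKit separators ("AppleWebKit/536.26" up to 3.20,
# "AppleWebKit.537.73" from 3.30 on).  An optional "VTE/x.yy" suffix after
# "Silk/3.2" marks a Vita TV, as the page notes.
UA_RE = re.compile(
    r"Mozilla/5\.0 \(PlayStation Vita (?P<fw>\d+\.\d+)\) "
    r"AppleWebKit[/.](?P<wk>[\d.]+) \(KHTML, like Gecko\) Silk/3\.2"
    r"(?: VTE/(?P<vte>[\d.]+))?",
    re.IGNORECASE,
)

# Firmware ranges and labels from the page's CVE list, as (major, minor)
# tuples so that "3.36" -> (3, 36) compares correctly.
KNOWN_RANGES = [
    ((1, 50), (1, 81), "CVE-2010-1807, CVE-2010-4577"),
    ((2, 0), (3, 20), "CVE-2013-0903-1 (related to CVE-2012-3748)"),
    ((3, 30), (3, 36), "CVE-2014-1303"),
    ((3, 50), (3, 60), "no CVE at time of writing (credited to xyz)"),
]


class VitaUA(NamedTuple):
    firmware: Tuple[int, int]  # (major, minor), e.g. (3, 60)
    webkit: str                # AppleWebKit build, e.g. "537.73"
    vita_tv: bool              # True when the VTE/ sub-identifier is present
    advisory: Optional[str]    # matching KNOWN_RANGES label, else None


def parse_firmware(text: str) -> Tuple[int, int]:
    major, minor = text.split(".")
    return int(major), int(minor)


def lookup_advisory(fw: Tuple[int, int]) -> Optional[str]:
    """Return the CVE-list label whose range contains fw, or None.
    Note: the table marks 1.00-1.06 as "Yes" although the CVE list starts at
    1.50; the repositories section's "<=1.81" PoC entry covers them, so a
    None result for an early 1.x build does not mean "not vulnerable"."""
    for lo, hi, label in KNOWN_RANGES:
        if lo <= fw <= hi:
            return label
    return None


def classify_ua(ua: str) -> Optional[VitaUA]:
    """Parse one User-Agent string; None if it is not a Vita browser UA."""
    m = UA_RE.search(ua)
    if not m:
        return None
    fw = parse_firmware(m.group("fw"))
    return VitaUA(fw, m.group("wk"), m.group("vte") is not None, lookup_advisory(fw))


# Constructed sample access-log lines (not real traffic); the UA is the last
# double-quoted field, as in the common combined log format.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jun/2018:14:22:01 +0000] "GET /vita.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0 (PlayStation Vita 3.60) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2"
10.0.0.6 - - [15/Jun/2018:14:22:07 +0000] "GET /vita.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Playstation Vita 1.50) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2"
10.0.0.7 - - [15/Jun/2018:14:22:09 +0000] "GET /vita.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 VTE/3.30"
10.0.0.8 - - [15/Jun/2018:14:22:11 +0000] "GET /vita.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko)"
"""


def scan_log(log: str):
    """Return (line_number, VitaUA) for every log line carrying a Vita UA."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        # The UA is the content of the last quoted field.
        ua = line.rsplit('"', 2)[-2] if line.count('"') >= 2 else line
        parsed = classify_ua(ua)
        if parsed:
            hits.append((n, parsed))
    return hits


if __name__ == "__main__":
    for n, r in scan_log(SAMPLE_LOG):
        print(n, r)
```

Run stand-alone it prints three hits from the sample log: the 3.60 and 1.50 clients each matched to their advisory, and the 3.61 Vita TV client with no known entry. The regex is anchored on the exact fields in the page's table, so a UA that only superficially resembles a Vita (the Windows line) is rejected rather than misclassified.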
Webkit exploits
Terminology
An information security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.
An information security exposure is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
Common Vulnerabilities and Exposures list
1.50-1.81 (CVE-2010-1807 and CVE-2010-4577)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4577
2.00-3.20 (CVE-2013-0903-1)
- Acama's write-up
- http://packetstormsecurity.com/files/123089/Packet-Storm-Advisory-2013-0903-1-Apple-Safari-Heap-Buffer-Overflow.html
- related to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3748 and https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3748
3.30-3.36 (CVE-2014-1303)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1303
- http://wololo.net/2015/04/22/new-webkit-exploit-found-vita-maybe-playstation-4
3.50-3.60 (no CVE at the time it was written, credits to xyz)
- https://blog.xyz.is/2016/webkit-360.html
- Mike H.'s write-up (https://pastebin.com/Av2YCR5Q)
- Mike H.'s write-up #2 (https://pastebin.com/aSJQbJyd)
Repositories
<=1.81 webkit exploit PoC:
- article by Davee
- discarded repro reduction for <=1.81 by Josh Axey
1.50-1.69-1.80 HTMLit:
- htmlit by Davee
ROPtool:
- roptool article by Davee
- old version by Davee
- first release by Davee
- new version by Davee
1.61 files for HTMLit and ROPtool:
- wk161 by xyz
1.80 files for ROPtool:
- [1] by Davee
1.81 ROP:
- Support_Uri ROP script by SMOKE
- VitaROP by SMOKE
2.60 webkit exploit PoC:
- credits article
- psvita-260-webkit by Davee
- psvita-webkit by Davee
3.18 webkit exploit PoC:
- codelion_poc by Codelion and BrianBTB
3.01-3.15-3.18 memory dumping:
- memory-splicer by Archaemic
- JSoS-Module-Dump-Release by BrianBTB
- http://pastie.org/private/ugchhaqctvmw5rrg5w37ka <- load more modules for the JSoS module dumper :)
- memtools_vita by BrianBTB
3.15-3.18 webkitties:
- webkitties by Acama
3.00-3.15-3.18 vitasploit:
- vitasploit (dead link) by Hykem
- vitasploit (mirror) by Hykem
2.02-2.12-3.00-3.01-3.18 vitasploit:
- vitasploit by xyz
3.36 webkit exploit:
- 3.36 webkit exploit by xyz
2.00-2.01-2.02-2.05-2.10-2.11-2.12-2.50-2.60-2.61-3.00-3.01-3.10-3.12-3.18-3.20 + 3.30-3.35-3.36 vitasploit:
- vitasploit by Sorvigolova
Other tools:
- vitadump IDA plugin by xyz
Online Tests
- live test (http://www.lolhax.org/vita.htm)
- live test (mirror) (http://wololo.net/v/webkit/vita.htm)
- live test 2.60 (old) (http://wololo.net/v/260.htm)
Webkit Modules
- http://rghost.net/private/59665268/46690bd89ae7f298e4df145059c0d3e2 (3.18 dump, dead link)
Module | Remark |
---|---|
SceAacenc | |
SceActivityDb | |
SceAppUtil | |
SceAtrac | |
SceAudiocodec | |
SceAvcodecUser | |
SceAvPlayer | |
SceBeisobmf | |
SceBemp2sys | |
ScebXCe | |
SceCheckoutDialogPlugin | |
SceClipboard | |
SceCommonDialog | |
SceCommonGuiDialog | |
SceDbrecoveryUtility | |
SceDbutil | |
SceDriverUser | |
SceDrmPsmKdc | |
SceFiber | |
SceFriendListDialogPlugin | |
SceGpuEs4User | |
SceGxm | |
SceHafnium | |
SceHandwriting | |
SceIme | |
SceImeDialogPlugin | |
SceIniFileProcessor | |
SceJpegArm | |
SceJpegEncArm | |
SceLibc | |
ScelibDbg | |
SceLibFios2 | |
SceLibft2 | |
SceLibG729 | |
SceLibGameUpdate | |
SceLibHttp | |
SceLibJson | |
SceLibKernel | |
SceLibLocation | |
SceLibLocationExtension | |
SceLibMp4Recorder | |
SceLibNetCtl | |
SceLibPgf | |
SceLibPspnetAdhoc | |
SceLibPvf | |
SceLibRudp | |
SceLibSsl | |
SceLibVitaJSExtObj | |
SceLibXml | |
SceLiveAreaUtil | |
SceMp4 | |
SceMsgDialogPlugin | |
SceMusicExport | |
SceNearDialogUtil | |
SceNearProfile | |
SceNearUtil | |
SceNet | |
SceNetAdhocMatching | |
SceNetCheckDialogPlugin | |
SceNgsUser | |
SceNotificationUtil | |
SceNpActivity | |
SceNpActivityNet | |
SceNpBasic | |
SceNpCommerce2 | |
SceNpCommon | |
SceNpCommonPs4 | |
SceNpFriendPrivacyLevel | |
SceNpKdc | |
SceNpManager | |
SceNpMatching2 | |
SceNpMessage | |
SceNpMessageContactsPlugin | |
SceNpMessageDialogPlugin | |
SceNpMessageDlgImplPlugin | |
SceNpPartyGameUtil | |
SceNpScore | |
SceNpSignaling | |
SceNpSnsFacebook | |
SceNpTrophy | |
SceNpTus | |
SceNpUtility | |
SceNpWebApi | |
ScePaf | |
ScePartyMemberListPlugin | |
ScePhotoExport | |
ScePhotoImportDialogPlugin | |
ScePhotoReviewDialogPlugin | |
ScePromoterUtil | |
ScePsp2Compat | |
SceSasUser | |
SceSaveDataDialogPlugin | |
SceScreenShot | |
SceShellSvc | |
SceShutterSound | |
SceSqlite | |
SceSqliteVsh | |
SceStoreCheckoutPlugin | |
SceSystemGesture | |
SceTeleportClient | |
SceTeleportServer | |
SceTrophySetupDialogPlugin | |
SceUlt | |
SceVideoExport | |
SceVoice | |
SceVoiceQoS | |
SceWebFiltering | |
SceWebKit | |
SceWebKitProcess |
Browser tests
Accessing the PS3 Store and getting content on the Vita
The PS Vita's browser has some secret functions, such as entering the PS Store or opening an app.
For example:
Command | Effect |
---|---|
psns:browse?category=PN.P3.US-PN.P3.GAME.US-BASE | opens the PS3 Store, US region |
psns:browse?product=IP9100-PCSI00002_00-MUSICUNLIMITED00 | opens the Music Unlimited product |
How it works
psns:browse
This command supports several arguments; the most useful are:
- psns:browse?category=
- psns:browse?product=
By specifying a category or product ID, this command redirects you to the PSN Store and shows the chosen category or product. A few examples:
The syntax for categories works as follows:
PN + CONSOLE ID + REGION ID + PN + CONSOLE ID + STORE ID + REGION ID + PAGE
Common console IDs are:
- P3 --> PS3
- VT --> PS Vita
- PC --> Media Go / PSP
Common store IDs are:
- GAME
- VIDEO
Redeem command
psns:redeem?code1=123&code2=456&code3=789
This command immediately takes you to the PSN Store's redeem function, passing the arguments along.
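As an added example that is not from the wiki, the Python below parses the psns: URIs described in this section into a command and its arguments, decomposes a category ID according to the syntax stated above (PN + console + region, then PN + console + store + region, then page), and builds the browse and redeem forms. The console and store IDs are the ones the page lists; the field names (console, region, store, page), the check that the repeated console and region IDs agree, and the function names are this example's own assumptions, and anything that is not a psns: URI or does not follow the syntax is rejected rather than guessed at.

```python
"""Parse and build the PS Vita browser's psns: URIs.  Added example: the
field names and the consistency check between the two halves of a category
ID are this example's assumptions, not rules documented on the page."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Console and store IDs listed on the page.
CONSOLE_IDS = {"P3": "PS3", "VT": "PS Vita", "PC": "Media Go / PSP"}
STORE_IDS = {"GAME", "VIDEO"}

# Category syntax from the page:
#   PN + CONSOLE ID + REGION ID + PN + CONSOLE ID + STORE ID + REGION ID + PAGE
# laid out as in the page's example PN.P3.US-PN.P3.GAME.US-BASE: dots inside
# each half, dashes between the halves and before the page name.
CATEGORY_RE = re.compile(
    r"^PN\.(?P<console>[A-Z0-9]{2})\.(?P<region>[A-Z]{2})"
    r"-PN\.(?P<console2>[A-Z0-9]{2})\.(?P<store>[A-Z]+)\.(?P<region2>[A-Z]{2})"
    r"-(?P<page>[A-Z0-9_]+)$"
)


def parse_category(category: str) -> dict:
    """Decompose a category ID; reject strings that do not follow the syntax."""
    m = CATEGORY_RE.match(category)
    if not m:
        raise ValueError(f"category does not follow the documented syntax: {category!r}")
    f = m.groupdict()
    # Assumption: the repeated console and region IDs must agree.
    if f["console"] != f["console2"] or f["region"] != f["region2"]:
        raise ValueError("console/region IDs differ between the two halves")
    return {
        "console": f["console"],
        "console_name": CONSOLE_IDS.get(f["console"], "unknown"),
        "region": f["region"],
        "store": f["store"],
        "store_known": f["store"] in STORE_IDS,
        "page": f["page"],
    }


def parse_psns(uri: str) -> dict:
    """Split a psns: URI into command and arguments; anything else is rejected."""
    parts = urlsplit(uri)
    if parts.scheme != "psns":
        raise ValueError(f"not a psns: URI: {uri!r}")
    # strict_parsing makes malformed pairs (e.g. a bare "&&") raise ValueError.
    raw = parse_qs(parts.query, strict_parsing=True) if parts.query else {}
    args = {k: v[0] for k, v in raw.items()}
    result = {"command": parts.path, "args": args}
    if parts.path == "browse" and "category" in args:
        result["category"] = parse_category(args["category"])
    return result


def build_category(console: str, region: str, store: str, page: str = "BASE") -> str:
    """Assemble a category ID from its parts, following the page's syntax."""
    return f"PN.{console}.{region}-PN.{console}.{store}.{region}-{page}"


def build_browse_uri(**args: str) -> str:
    return "psns:browse?" + urlencode(args)


def build_redeem_uri(code1: str, code2: str, code3: str) -> str:
    return "psns:redeem?" + urlencode({"code1": code1, "code2": code2, "code3": code3})


if __name__ == "__main__":
    # Sample inputs are the page's own examples.
    for uri in ("psns:browse?category=PN.P3.US-PN.P3.GAME.US-BASE",
                "psns:browse?product=IP9100-PCSI00002_00-MUSICUNLIMITED00",
                "psns:redeem?code1=123&code2=456&code3=789"):
        print(parse_psns(uri))
```

The parser deliberately treats the category ID as a fixed grammar rather than free text: a string such as a product ID placed in the category argument, or a category whose two halves name different consoles, raises instead of being passed through, which is the behaviour you want in anything that validates or logs these URIs.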