Webbrowser: Difference between revisions

From Vita Developer wiki
Jump to navigation Jump to search
 
(4 intermediate revisions by the same user not shown)
Line 15: Line 15:


== Known Useragents ==
== Known Useragents ==
=== YouTube ===
  PlayStation Vita YouTube/1.0 libhttp/1.67 (PS Vita)
  PlayStation Vita YouTube/1.0 libhttp/1.67 (PS Vita)
  PlayStation Vita YouTube/2.1 libhttp/2.60 (PS Vita)
  PlayStation Vita YouTube/2.1 libhttp/2.60 (PS Vita)
=== WebBrowser ===
   
   
Useragent (Vita TV has trailing "Silk/3.2 VTE/2.50" or "Silk/3.2 VTE/3.30" as subidentifier):
Useragent (Vita TV has trailing "Silk/3.2 VTE/2.50" or "Silk/3.2 VTE/3.30" as subidentifier):
Line 111: Line 116:
|-
|-
| Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.610.000_CEX|03.610.000]] || {{no}}
| Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.610.000_CEX|03.610.000]] || {{no}}
|-
| Mozilla/5.0 (PlayStation Vita 3.63) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.630.000_CEX|03.630.000]] || {{no}}
|-
| Mozilla/5.0 (PlayStation Vita 3.65) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.650.000_CEX|03.650.000]] || {{no}}
|-
| ? || [[03.670.000_CEX|03.670.000]] || {{no}}
|-
| ? || [[03.680.000_CEX|03.680.000]] || {{no}}
|-
| ? || [[03.690.000_CEX|03.690.000]] || {{no}}
|-
|-
|}
|}


== Webkit exploit ==
== Webkit exploits ==
 
=== Terminology ===
=== Terminology ===
<div style="color: #000000; background-color: #e5e4e2; border: 1px solid #808000; padding: 5px; {{box-shadow|4px|4px|8px|#b0b090}}">
<div style="color: #000000; background-color: #e5e4e2; border: 1px solid #808000; padding: 5px; {{box-shadow|4px|4px|8px|#b0b090}}">
  An information security '''vulnerability''' is a mistake in software that can be directly used by a hacker to gain access to a system or network.
  An information security '''vulnerability''' is a mistake in software that can be directly used by a hacker to gain access to a system or network.
Line 124: Line 141:


=== '''C'''ommon '''V'''ulnerabilities and '''E'''xposures list ===
=== '''C'''ommon '''V'''ulnerabilities and '''E'''xposures list ===
*http://www.lolhax.org/2014/10/28/psvita-webkit-for-2-00/


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
1.50-1.81 (CVE-2010-1807 and CVE-2010-4577)
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
* http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4577
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4577
* https://code.google.com/p/chromium/issues/detail?id=63866


*http://acez.re/ps-vita-level-1-webkitties-3/  
2.00-3.20 (CVE-2013-0903-1)
* [http://acez.re/ps-vita-level-1-webkitties-3 Acama's write-up]
* http://packetstormsecurity.com/files/123088/
* http://packetstormsecurity.com/files/123089/Packet-Storm-Advisory-2013-0903-1-Apple-Safari-Heap-Buffer-Overflow.html
* related to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3748 and https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3748


http://packetstormsecurity.com/files/123089/Packet-Storm-Advisory-2013-0903-1-Apple-Safari-Heap-Buffer-Overflow.html (related to
3.30-3.36 (CVE-2014-1303)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3748 / https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3748)
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1303
* http://wololo.net/2015/04/22/new-webkit-exploit-found-vita-maybe-playstation-4
* https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF
* https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf
* https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf


*https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1303 http://wololo.net/2015/04/22/new-webkit-exploit-found-vita-maybe-playstation-4/ (up to FW [[03.360.000_CEX|3.36]])
3.50-3.60 (no CVE at the time it was written, credits to xyz)
* https://blog.xyz.is/2016/webkit-360.html
* [https://pastebin.com/Av2YCR5Q Mike H.'s write-up]
* [https://pastebin.com/aSJQbJyd Mike H.'s write-up #2]


=== Repositories ===
=== Repositories ===


<=1.81 webkit exploit PoC:
<=1.81 webkit exploit PoC:
* [https://github.com/joshaxey/badnanna181/tree/master discarded repro reduction for <=1.81] by '''joshaxey'''
* [http://www.lolhax.org/2014/10/28/psvita-webkit-for-2-00 article] by '''Davee'''
* [https://github.com/joshaxey/badnanna181/tree/master discarded repro reduction for <=1.81] by '''Josh Axey'''


1.50-1.69-1.80 HTMLit:
1.50-1.69-1.80 HTMLit:
Line 146: Line 177:


ROPtool:
ROPtool:
* [https://www.lolhax.org/2014/10/04/roptool roptool article] by '''Davee'''
* [https://github.com/xyzz/roptool-legacy old version] by '''Davee'''
* [https://github.com/xyzz/roptool-legacy old version] by '''Davee'''
* [http://wololo.net/downloads/index.php/download/8233 first release] by '''Davee'''
* [https://bitbucket.org/DaveeFTW/roptool new version] by '''Davee'''
* [https://bitbucket.org/DaveeFTW/roptool new version] by '''Davee'''


1.61 files for HTMLit and ROPtool:
1.61 files for HTMLit and ROPtool:
* [https://github.com/xyzz/wk161 wk161]by '''xyz'''
* [https://github.com/xyzz/wk161 files+webkit]by '''xyz'''


1.80 files for ROPtool:
1.80 files for ROPtool:
* [https://bitbucket.org/DaveeFTW/wk180-roptool-target] by '''Davee'''
* [https://bitbucket.org/DaveeFTW/wk180-roptool-target files] by '''Davee'''


1.81 ROP:
1.81 ROP:
* [https://web.archive.org/web/20150811215153/http://pastebin.com/XNeALEbC Support_Uri ROP script] by '''SMOKE'''
* [https://github.com/SMOKE5/VitaROP VitaROP] by '''SMOKE'''
* [https://github.com/SMOKE5/VitaROP VitaROP] by '''SMOKE'''


2.60 webkit exploit PoC:
2.60 webkit exploit PoC:
* [https://www.lolhax.org/2014/10/19/psvita-webkit-exploit-information-and-credits credits article]
* [https://bitbucket.org/DaveeFTW/psvita-260-webkit psvita-260-webkit] by '''Davee'''
* [https://bitbucket.org/DaveeFTW/psvita-260-webkit psvita-260-webkit] by '''Davee'''
* [https://github.com/173210/psvita-webkit psvita-webkit] by '''Davee'''


3.18 webkit exploit PoC:
3.18 webkit exploit PoC:
* [https://github.com/BrianBTB/codelion_poc codelion_poc] by '''Codelion''' and '''BrianBTB'''
* [https://github.com/BrianBTB/codelion_poc codelion_poc] by '''Codelion''' and '''BrianBTB'''


3.15-3.18 memory dumping:
3.01-3.15-3.18 memory dumping:
* [https://bitbucket.org/Archaemic/memory-splicer memory-splicer] by '''Archaemic'''
* [https://github.com/BrianBTB/JSoS-Module-Dump-Release JSoS-Module-Dump-Release] by '''BrianBTB'''
* [https://github.com/BrianBTB/JSoS-Module-Dump-Release JSoS-Module-Dump-Release] by '''BrianBTB'''
** http://pastie.org/private/ugchhaqctvmw5rrg5w37ka <- load more modules for the JSoS module dumper :)
* [https://github.com/BrianBTB/memtools_vita memtools_vita] by '''BrianBTB'''


3.15-3.18 webkitties:
3.15-3.18 webkitties:
Line 185: Line 224:
Other tools:
Other tools:
* [https://github.com/xyzz/vitadump vitadump IDA plugin] by '''xyz'''
* [https://github.com/xyzz/vitadump vitadump IDA plugin] by '''xyz'''
* [https://bitbucket.org/Archaemic/memory-splicer memory-splicer] by '''Archaemic'''


=== Code, Test & Tool ===
=== Online Tests ===


* [http://www.lolhax.org/vita.htm live test] [http://wololo.net/v/webkit/vita.htm live test (miror)], [http://wololo.net/v/260.htm live test (old)]
* [http://www.lolhax.org/vita.htm live test]
* [http://wololo.net/downloads/index.php/download/8231 memtools_vita] https://github.com/BrianBTB/memtools_vita/
* [http://wololo.net/v/webkit/vita.htm live test (miror)]
* [http://wololo.net/downloads/index.php/download/8233 ROPTool]
* [http://wololo.net/v/260.htm live test 2.60 (old)]
* [http://wololo.net/downloads/index.php/download/8234 HTMLIt]
** http://pastie.org/private/ugchhaqctvmw5rrg5w37ka <- load more modules for the JSoS module dumper :)
* [http://pastebin.com/XNeALEbC SMOKE's Support_Uri Rop script]


=== Webkit Modules ===
=== Webkit Modules ===
* http://rghost.net/private/59665268/46690bd89ae7f298e4df145059c0d3e2 (3.18 dump)
 
* [http://rghost.net/private/59665268/46690bd89ae7f298e4df145059c0d3e2 (3.18 dump)] dead link


{| class="wikitable sortable"
{| class="wikitable sortable"
Line 420: Line 456:
|-
|-
| SceWebKitProcess ||  
| SceWebKitProcess ||  
|-
|}
|}


Latest revision as of 23:54, 12 December 2018

Web Content Guidelines[edit | edit source]

Supports[edit | edit source]

  • Cookies
  • Javascript 1.7
  • partial HTML 5
  • Partial Video support (added from 2.10 update)

Not supported[edit | edit source]

  • Flash
  • Youtube (no HTML5: video)

Known Useragents[edit | edit source]

YouTube[edit | edit source]

PlayStation Vita YouTube/1.0 libhttp/1.67 (PS Vita)
PlayStation Vita YouTube/2.1 libhttp/2.60 (PS Vita)

WebBrowser[edit | edit source]

Useragent (Vita TV has trailing "Silk/3.2 VTE/2.50" or "Silk/3.2 VTE/3.30" as subidentifier):

Table below indicates known and unknown. "YES" = known vulnerability in use, "NO" = unknown if vulnerability in use.

useragent version vulnerability
Mozilla/5.0 (PlayStation Vita 1.00) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.000.000 Yes
Mozilla/5.0 (PlayStation Vita 1.03) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.030.010 Yes
Mozilla/5.0 (PlayStation Vita 1.04) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.040.000 Yes
Mozilla/5.0 (PlayStation Vita 1.05) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.050.000 Yes
Mozilla/5.0 (PlayStation Vita 1.06) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.060.010 Yes
Mozilla/5.0 (Playstation Vita 1.50) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.500.000 Yes
Mozilla/5.0 (PlayStation Vita 1.51) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.510.000 Yes
Mozilla/5.0 (PlayStation Vita 1.52) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.520.000 Yes
Mozilla/5.0 (PlayStation Vita 1.60) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.600.000 Yes
Mozilla/5.0 (Playstation Vita 1.61) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.610.000 Yes
Mozilla/5.0 (PlayStation Vita 1.65) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.650.000 Yes
Mozilla/5.0 (PlayStation Vita 1.66) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.660.000 Yes
Mozilla/5.0 (PlayStation Vita 1.67) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.670.000 Yes
Mozilla/5.0 (PlayStation Vita 1.69) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.690.000 Yes
Mozilla/5.0 (PlayStation Vita 1.80) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.800.000 Yes
Mozilla/5.0 (PlayStation Vita 1.81) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.810.000 Yes
Mozilla/5.0 (PlayStation Vita 2.00) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.000.000 Yes
Mozilla/5.0 (PlayStation Vita 2.01) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.010.000 Yes
Mozilla/5.0 (PlayStation Vita 2.02) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.020.000 Yes
Mozilla/5.0 (PlayStation Vita 2.05) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.050.000 Yes
Mozilla/5.0 (PlayStation Vita 2.06) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.060.000 Yes
Mozilla/5.0 (PlayStation Vita 2.10) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.100.000 Yes
Mozilla/5.0 (PlayStation Vita 2.11) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.110.000 Yes
Mozilla/5.0 (PlayStation Vita 2.12) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.120.000 Yes
Mozilla/5.0 (PlayStation Vita 2.50) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.500.000 Yes
Mozilla/5.0 (PlayStation Vita 2.60) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.600.000 Yes
Mozilla/5.0 (PlayStation Vita 2.61) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.610.000 Yes
Mozilla/5.0 (PlayStation Vita 3.00) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.000.000 Yes
Mozilla/5.0 (PlayStation Vita 3.01) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.010.000 Yes
Mozilla/5.0 (PlayStation Vita 3.10) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.100.000 Yes
Mozilla/5.0 (PlayStation Vita 3.12) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.120.000 Yes
Mozilla/5.0 (PlayStation Vita 3.15) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.150.000 Yes
Mozilla/5.0 (PlayStation Vita 3.18) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.180.000 Yes
Mozilla/5.0 (PlayStation Vita 3.20) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.200.000 Yes
Mozilla/5.0 (PlayStation Vita 3.30) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.300.000 Yes
Mozilla/5.0 (PlayStation Vita 3.35) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.350.000 Yes
Mozilla/5.0 (PlayStation Vita 3.36) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.360.000 Yes
Mozilla/5.0 (PlayStation Vita 3.50) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.500.000 Yes
Mozilla/5.0 (PlayStation Vita 3.52) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.520.000 Yes
Mozilla/5.0 (PlayStation Vita 3.55) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.550.000 Yes
Mozilla/5.0 (PlayStation Vita 3.57) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.570.000 Yes
Mozilla/5.0 (PlayStation Vita 3.60) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.600.000 Yes
Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.610.000 No
Mozilla/5.0 (PlayStation Vita 3.63) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.630.000 No
Mozilla/5.0 (PlayStation Vita 3.65) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.650.000 No
? 03.670.000 No
? 03.680.000 No
? 03.690.000 No

Webkit exploits[edit | edit source]

Terminology[edit | edit source]

An information security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.

An information security exposure is a system configuration issue or a mistake in software that allows access to information or 
capabilities that can be used by a hacker as a stepping-stone into a system or network.

Common Vulnerabilities and Exposures list[edit | edit source]

1.50-1.81 (CVE-2010-1807 and CVE-2010-4577)

2.00-3.20 (CVE-2013-0903-1)

3.30-3.36 (CVE-2014-1303)

3.50-3.60 (no CVE at the time it was written, credits to xyz)

Repositories[edit | edit source]

<=1.81 webkit exploit PoC:

1.50-1.69-1.80 HTMLit:

ROPtool:

1.61 files for HTMLit and ROPtool:

1.80 files for ROPtool:

1.81 ROP:

2.60 webkit exploit PoC:

3.18 webkit exploit PoC:

3.01-3.15-3.18 memory dumping:

3.15-3.18 webkitties:

3.00-3.15-3.18 vitasploit:

2.02-2.12-3.00-3.01-3.18 vitasploit:

3.36 webkit exploit:

2.00-2.01-2.02-2.05-2.10-2.11-2.12-2.50-2.60-2.61-3.00-3.01-3.10-3.12-3.18-3.20 + 3.30-3.35-3.36 vitasploit:

Other tools:

Online Tests[edit | edit source]

Webkit Modules[edit | edit source]

Module Remark
SceAacenc
SceActivityDb
SceAppUtil
SceAtrac
SceAudiocodec
SceAvcodecUser
SceAvPlayer
SceBeisobmf
SceBemp2sys
ScebXCe
SceCheckoutDialogPlugin
SceClipboard
SceCommonDialog
SceCommonGuiDialog
SceDbrecoveryUtility
SceDbutil
SceDriverUser
SceDrmPsmKdc
SceFiber
SceFriendListDialogPlugin
SceGpuEs4User
SceGxm
SceHafnium
SceHandwriting
SceIme
SceImeDialogPlugin
SceIniFileProcessor
SceJpegArm
SceJpegEncArm
SceLibc
ScelibDbg
SceLibFios2
SceLibft2
SceLibG729
SceLibGameUpdate
SceLibHttp
SceLibJson
SceLibKernel
SceLibLocation
SceLibLocationExtension
SceLibMp4Recorder
SceLibNetCtl
SceLibPgf
SceLibPspnetAdhoc
SceLibPvf
SceLibRudp
SceLibSsl
SceLibVitaJSExtObj
SceLibXml
SceLiveAreaUtil
SceMp4
SceMsgDialogPlugin
SceMusicExport
SceNearDialogUtil
SceNearProfile
SceNearUtil
SceNet
SceNetAdhocMatching
SceNetCheckDialogPlugin
SceNgsUser
SceNotificationUtil
SceNpActivity
SceNpActivityNet
SceNpBasic
SceNpCommerce2
SceNpCommon
SceNpCommonPs4
SceNpFriendPrivacyLevel
SceNpKdc
SceNpManager
SceNpMatching2
SceNpMessage
SceNpMessageContactsPlugin
SceNpMessageDialogPlugin
SceNpMessageDlgImplPlugin
SceNpPartyGameUtil
SceNpScore
SceNpSignaling
SceNpSnsFacebook
SceNpTrophy
SceNpTus
SceNpUtility
SceNpWebApi
ScePaf
ScePartyMemberListPlugin
ScePhotoExport
ScePhotoImportDialogPlugin
ScePhotoReviewDialogPlugin
ScePromoterUtil
ScePsp2Compat
SceSasUser
SceSaveDataDialogPlugin
SceScreenShot
SceShellSvc
SceShutterSound
SceSqlite
SceSqliteVsh
SceStoreCheckoutPlugin
SceSystemGesture
SceTeleportClient
SceTeleportServer
SceTrophySetupDialogPlugin
SceUlt
SceVideoExport
SceVoice
SceVoiceQoS
SceWebFiltering
SceWebKit
SceWebKitProcess

Browsertests[edit | edit source]

Access to the PS3 Store and get content in Vita[edit | edit source]

Video

[1]

PS Vita's browser has some secrets function, such as enter in ps store or open an app.

For example:

psns:browse?category=PN.P3.US-PN.P3.GAME.US-BASE opens PS3 store US region
psns:browse?product=IP9100-PCSI00002_00-MUSICUNLIMITED00 opens Music Unlimited product

How it works 

 psns:browse

This command supports several arguments, the most usables are: 

 psns:browse?category=
 
 psns:browse?product=

By defining a category or product ID, this command will redirect you to the PSN Store and show you the chosen category/product. A few examples:

The syntax for categories works as follows: 

 PN + CONSOLE ID + REGION ID + PN + CONSOLE ID + STORE ID + REGION ID + PAGE

Common Console ID's are: 

 P3 --> PS3
 
 VT --> PS VITA
 
 PC --> MEDIA GO / PSP

Common Store ID's are: 

 GAME or VIDEO

Redeem Comand 

 psns:redeem?code1=123&code2=456&code3=789

This command will immediantly prompt you to the PSN Stores' redeem function, taking the arguments with it.

Retrieved from "http://www.psdevwiki.com/vita/index.php?title=Webbrowser&oldid=6517"