Webbrowser
Latest revision as of 22:54, 12 December 2018
Web Content Guidelines
- PS Vita Web Content Guidelines v3.00
- PS3 Web Content Guidelines v3.10
- PS4 Web Content Guidelines v1.50
Supported
- Cookies
- JavaScript 1.7
- partial HTML5
- partial video support (added in the 2.10 update)
Not supported
- Flash
- YouTube (the HTML5 video element is not supported)
Known Useragents
YouTube
- PlayStation Vita YouTube/1.0 libhttp/1.67 (PS Vita)
- PlayStation Vita YouTube/2.1 libhttp/2.60 (PS Vita)
WebBrowser
User agent (on Vita TV the string ends in "Silk/3.2 VTE/2.50" or "Silk/3.2 VTE/3.30" instead of plain "Silk/3.2"):
The table below lists the known user-agent string for each firmware. "Yes" means a publicly known WebKit vulnerability (see the Webkit exploits section below) is usable on that firmware; "No" means no usable WebKit exploit is publicly known for it, which does not mean there is none. The WebKit build reported in the user agent is not a reliable indicator on its own: 3.50 reports the same 537.73 as 3.36, yet the 3.30-3.36 exploit is not listed for it.
User agent | Firmware | Known WebKit exploit |
---|---|---|
Mozilla/5.0 (PlayStation Vita 1.00) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.000.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.03) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.030.010 | Yes |
Mozilla/5.0 (PlayStation Vita 1.04) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.040.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.05) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.050.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.06) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.060.010 | Yes |
Mozilla/5.0 (Playstation Vita 1.50) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.500.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.51) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.510.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.52) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.520.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.60) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.600.000 | Yes |
Mozilla/5.0 (Playstation Vita 1.61) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.610.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.65) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.650.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.66) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.660.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.67) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.670.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.69) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.690.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.80) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.800.000 | Yes |
Mozilla/5.0 (PlayStation Vita 1.81) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 | 01.810.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.00) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.000.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.01) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.010.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.02) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.020.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.05) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.050.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.06) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.060.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.10) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.100.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.11) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.110.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.12) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.120.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.50) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.500.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.60) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.600.000 | Yes |
Mozilla/5.0 (PlayStation Vita 2.61) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 02.610.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.00) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.000.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.01) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.010.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.10) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.100.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.12) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.120.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.15) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.150.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.18) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.180.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.20) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 | 03.200.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.30) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.300.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.35) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.350.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.36) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.360.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.50) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.500.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.52) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.520.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.55) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.550.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.57) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.570.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.60) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.600.000 | Yes |
Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.610.000 | No |
Mozilla/5.0 (PlayStation Vita 3.63) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.630.000 | No |
Mozilla/5.0 (PlayStation Vita 3.65) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 | 03.650.000 | No |
? | 03.670.000 | No |
? | 03.680.000 | No |
? | 03.690.000 | No |
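As an added example (not code from the wiki page or from any of the projects it lists), the following JavaScript classifies a Vita browser user agent the way an exploit test page does when deciding which payload to serve: it extracts the firmware, the reported WebKit build and the Vita TV marker, then looks the firmware up in the ranges from the Webkit exploits section below. The range table, the sample strings and all function names are this example's own; the 1.00-1.06 firmwares marked "Yes" above have no exploit family listed on this page, so the lookup returns null for them.

```javascript
// Added example (not from the wiki page): classify a PS Vita browser user
// agent the way an exploit test page would, using the firmware ranges from the
// "Common Vulnerabilities and Exposures list" section of this page.
// Assumptions: the ranges below are copied from that section; the 1.00-1.06
// rows marked "Yes" in the table have no exploit family listed, so they map
// to null; firmware numbers compare as decimals (3.60 > 3.36).

const EXPLOIT_RANGES = [
  { min: 1.50, max: 1.81, webkit: "531.22.8", bug: "CVE-2010-1807 / CVE-2010-4577" },
  { min: 2.00, max: 3.20, webkit: "536.26",   bug: "Packet Storm Advisory 2013-0903-1 (related to CVE-2012-3748)" },
  { min: 3.30, max: 3.36, webkit: "537.73",   bug: "CVE-2014-1303" },
  { min: 3.50, max: 3.60, webkit: "537.73",   bug: "xyz's 3.60 WebKit bug (no CVE)" },
];

// "(PlayStation Vita 3.60)"; the table also lists "Playstation" with a
// lower-case s for 1.50 and 1.61, hence the i flag.
const FW_RE = /\(PlayStation Vita (\d+\.\d+)\)/i;
// The table writes the engine token both as "AppleWebKit/536.26" and
// "AppleWebKit.537.73"; accept either separator.
const WEBKIT_RE = /AppleWebKit[\/.](\d+(?:\.\d+)*)/;
// Vita TV appends "VTE/<version>" after "Silk/3.2".
const VTE_RE = /\bVTE\/(\d+\.\d+)/;

function parseVitaUserAgent(ua) {
  const fw = FW_RE.exec(ua);
  if (!fw) return null;                       // not a Vita browser UA
  const wk = WEBKIT_RE.exec(ua);
  const vte = VTE_RE.exec(ua);
  return {
    firmware: fw[1],
    webkit: wk ? wk[1] : null,
    vitaTv: vte !== null,
    vteVersion: vte ? vte[1] : null,
  };
}

// Exploit family covering the firmware, or null when the page lists none.
function knownExploit(firmware) {
  const v = Number(firmware);
  return EXPLOIT_RANGES.find((r) => v >= r.min && v <= r.max) || null;
}

function classify(ua) {
  const info = parseVitaUserAgent(ua);
  if (!info) return { vita: false };
  const family = knownExploit(info.firmware);
  return {
    vita: true,
    ...info,
    exploit: family ? family.bug : null,
    // Consistency check against the build the table lists for that range.
    webkitMatches: family ? info.webkit === family.webkit : null,
  };
}

// Constructed samples: three rows from the table, one Vita TV variant and one
// desktop browser that must be rejected.
const SAMPLES = [
  "Mozilla/5.0 (PlayStation Vita 3.60) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2",
  "Mozilla/5.0 (PlayStation Vita 3.65) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2",
  "Mozilla/5.0 (Playstation Vita 1.61) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2",
  "Mozilla/5.0 (PlayStation Vita 2.60) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 VTE/2.50",
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
];
for (const ua of SAMPLES) console.log(JSON.stringify(classify(ua)));
```

The user agent is fully client-controlled, so a server must not treat this classification as trustworthy for anything beyond choosing which test page to serve. The lookup keys on the firmware number rather than the reported WebKit build on purpose: the build token stays at 537.73 from 3.30 onward even though the 3.30-3.36 bug is listed as ending at 3.36.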
Webkit exploits
Terminology
An information security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.
An information security exposure is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
Common Vulnerabilities and Exposures list
Each firmware range below names the public WebKit bug used to get code execution inside the browser process on that range, followed by the original advisories and write-ups. The WebKit build in parentheses is the one the user-agent table reports for that range.
1.50-1.81 (CVE-2010-1807 and CVE-2010-4577, WebKit 531.22.8)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
- http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4577
- https://code.google.com/p/chromium/issues/detail?id=63866
2.00-3.20 (Packet Storm Advisory 2013-0903-1, an Apple Safari heap buffer overflow; this is an advisory ID, not a CVE number; WebKit 536.26)
- [Acama's write-up](http://acez.re/ps-vita-level-1-webkitties-3)
- http://packetstormsecurity.com/files/123088/
- http://packetstormsecurity.com/files/123089/Packet-Storm-Advisory-2013-0903-1-Apple-Safari-Heap-Buffer-Overflow.html
- related to CVE-2012-3748: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3748 and https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3748
3.30-3.36 (CVE-2014-1303, WebKit 537.73)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1303
- http://wololo.net/2015/04/22/new-webkit-exploit-found-vita-maybe-playstation-4
- https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF
- https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf
- https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf
3.50-3.60 (no CVE assigned at the time of writing; found by xyz; the user agent still reports WebKit 537.73, the same build as 3.30-3.36, but it is a different bug)
- https://blog.xyz.is/2016/webkit-360.html
- [Mike H.'s write-up](https://pastebin.com/Av2YCR5Q)
- [Mike H.'s write-up #2](https://pastebin.com/aSJQbJyd)
Repositories
<=1.81 webkit exploit PoC:
- [article](http://www.lolhax.org/2014/10/28/psvita-webkit-for-2-00) by Davee
- [discarded repro reduction for <=1.81](https://github.com/joshaxey/badnanna181/tree/master) by Josh Axey
1.50-1.69-1.80 HTMLit:
- [htmlit](https://bitbucket.org/DaveeFTW/htmlit) by Davee
ROPtool:
- [roptool article](https://www.lolhax.org/2014/10/04/roptool) by Davee
- [old version](https://github.com/xyzz/roptool-legacy) by Davee
- [first release](http://wololo.net/downloads/index.php/download/8233) by Davee
- [new version](https://bitbucket.org/DaveeFTW/roptool) by Davee
1.61 files for HTMLit and ROPtool:
- [files + webkit](https://github.com/xyzz/wk161) by xyz
1.80 files for ROPtool:
- [files](https://bitbucket.org/DaveeFTW/wk180-roptool-target) by Davee
1.81 ROP:
- [Support_Uri ROP script](https://web.archive.org/web/20150811215153/http://pastebin.com/XNeALEbC) by SMOKE
- [VitaROP](https://github.com/SMOKE5/VitaROP) by SMOKE
2.60 webkit exploit PoC:
- [credits article](https://www.lolhax.org/2014/10/19/psvita-webkit-exploit-information-and-credits)
- [psvita-260-webkit](https://bitbucket.org/DaveeFTW/psvita-260-webkit) by Davee
- [psvita-webkit](https://github.com/173210/psvita-webkit) by Davee
3.18 webkit exploit PoC:
- [codelion_poc](https://github.com/BrianBTB/codelion_poc) by Codelion and BrianBTB
3.01-3.15-3.18 memory dumping:
- [memory-splicer](https://bitbucket.org/Archaemic/memory-splicer) by Archaemic
- [JSoS-Module-Dump-Release](https://github.com/BrianBTB/JSoS-Module-Dump-Release) by BrianBTB
  - http://pastie.org/private/ugchhaqctvmw5rrg5w37ka loads more modules for the JSoS module dumper
- [memtools_vita](https://github.com/BrianBTB/memtools_vita) by BrianBTB
3.15-3.18 webkitties:
- [webkitties](https://github.com/acama/webkitties) by Acama
3.00-3.15-3.18 vitasploit:
- [vitasploit](https://github.com/Hykem/vitasploit) (dead link) by Hykem
- [vitasploit](https://github.com/wargio/vitasploit) (mirror) by Hykem
2.02-2.12-3.00-3.01-3.18 vitasploit:
- [vitasploit](https://github.com/xyzz/vitasploit) by xyz
3.36 webkit exploit:
- [3.36 webkit exploit](http://wololo.net/talk/viewtopic.php?f=54&t=42501) by xyz
2.00-2.01-2.02-2.05-2.10-2.11-2.12-2.50-2.60-2.61-3.00-3.01-3.10-3.12-3.18-3.20 + 3.30-3.35-3.36 vitasploit:
- [vitasploit](https://github.com/Sorvigolova/vitasploit) by Sorvigolova
Other tools:
- [vitadump IDA plugin](https://github.com/xyzz/vitadump) by xyz
Online Tests
- [live test](http://www.lolhax.org/vita.htm)
- [live test (mirror)](http://wololo.net/v/webkit/vita.htm)
- [live test 2.60 (old)](http://wololo.net/v/260.htm)
Webkit Modules
Modules observed loaded in the browser process, taken from a 3.18 memory dump:
- [3.18 dump](http://rghost.net/private/59665268/46690bd89ae7f298e4df145059c0d3e2) (dead link)
Module | Remark |
---|---|
SceAacenc | |
SceActivityDb | |
SceAppUtil | |
SceAtrac | |
SceAudiocodec | |
SceAvcodecUser | |
SceAvPlayer | |
SceBeisobmf | |
SceBemp2sys | |
ScebXCe | |
SceCheckoutDialogPlugin | |
SceClipboard | |
SceCommonDialog | |
SceCommonGuiDialog | |
SceDbrecoveryUtility | |
SceDbutil | |
SceDriverUser | |
SceDrmPsmKdc | |
SceFiber | |
SceFriendListDialogPlugin | |
SceGpuEs4User | |
SceGxm | |
SceHafnium | |
SceHandwriting | |
SceIme | |
SceImeDialogPlugin | |
SceIniFileProcessor | |
SceJpegArm | |
SceJpegEncArm | |
SceLibc | |
ScelibDbg | |
SceLibFios2 | |
SceLibft2 | |
SceLibG729 | |
SceLibGameUpdate | |
SceLibHttp | |
SceLibJson | |
SceLibKernel | |
SceLibLocation | |
SceLibLocationExtension | |
SceLibMp4Recorder | |
SceLibNetCtl | |
SceLibPgf | |
SceLibPspnetAdhoc | |
SceLibPvf | |
SceLibRudp | |
SceLibSsl | |
SceLibVitaJSExtObj | |
SceLibXml | |
SceLiveAreaUtil | |
SceMp4 | |
SceMsgDialogPlugin | |
SceMusicExport | |
SceNearDialogUtil | |
SceNearProfile | |
SceNearUtil | |
SceNet | |
SceNetAdhocMatching | |
SceNetCheckDialogPlugin | |
SceNgsUser | |
SceNotificationUtil | |
SceNpActivity | |
SceNpActivityNet | |
SceNpBasic | |
SceNpCommerce2 | |
SceNpCommon | |
SceNpCommonPs4 | |
SceNpFriendPrivacyLevel | |
SceNpKdc | |
SceNpManager | |
SceNpMatching2 | |
SceNpMessage | |
SceNpMessageContactsPlugin | |
SceNpMessageDialogPlugin | |
SceNpMessageDlgImplPlugin | |
SceNpPartyGameUtil | |
SceNpScore | |
SceNpSignaling | |
SceNpSnsFacebook | |
SceNpTrophy | |
SceNpTus | |
SceNpUtility | |
SceNpWebApi | |
ScePaf | |
ScePartyMemberListPlugin | |
ScePhotoExport | |
ScePhotoImportDialogPlugin | |
ScePhotoReviewDialogPlugin | |
ScePromoterUtil | |
ScePsp2Compat | |
SceSasUser | |
SceSaveDataDialogPlugin | |
SceScreenShot | |
SceShellSvc | |
SceShutterSound | |
SceSqlite | |
SceSqliteVsh | |
SceStoreCheckoutPlugin | |
SceSystemGesture | |
SceTeleportClient | |
SceTeleportServer | |
SceTrophySetupDialogPlugin | |
SceUlt | |
SceVideoExport | |
SceVoice | |
SceVoiceQoS | |
SceWebFiltering | |
SceWebKit | |
SceWebKitProcess |
Browsertests
Access to the PS3 Store and get content in Vita
The PS Vita browser handles a few undocumented psns: links that open the PlayStation Store or another application directly.
For example:
Link | Effect |
---|---|
psns:browse?category=PN.P3.US-PN.P3.GAME.US-BASE | opens the PS3 store, US region |
psns:browse?product=IP9100-PCSI00002_00-MUSICUNLIMITED00 | opens the Music Unlimited product page |
How it works
psns:browse
This command accepts several arguments; the most useful are:
- psns:browse?category=
- psns:browse?product=
Given a category or product ID, the command redirects to the PSN Store and shows the chosen category or product.
Category IDs follow this syntax:
PN + CONSOLE ID + REGION ID + PN + CONSOLE ID + STORE ID + REGION ID + PAGE
In the example above, PN.P3.US-PN.P3.GAME.US-BASE, that is PN.<console>.<region>-PN.<console>.<store>.<region>-<page>: the console and region appear twice and must agree.
Common console IDs are:
- P3: PS3
- VT: PS Vita
- PC: Media Go / PSP
Common store IDs are:
- GAME
- VIDEO
Redeem command
psns:redeem?code1=123&code2=456&code3=789
This command immediately opens the PSN Store's redeem function with the three code segments from the link already filled in, so any page loaded in the browser can bring up that prompt with codes of its choosing.
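The psns: grammar above, as an added JavaScript example that is not part of the wiki page: it assembles and validates category IDs, builds psns:browse and psns:redeem links, and parses a category ID back into its parts while checking that the two console/region halves agree. The closed lists of console IDs (P3, VT, PC) and store IDs (GAME, VIDEO) are the page's "common" values; treating them as the only valid ones, and the two-letter region and alphanumeric page constraints, are assumptions made here for validation only.

```javascript
// Added example (not from the wiki page): build and parse the psns: links the
// Vita browser hands to the PlayStation Store. The category grammar is the one
// given above: PN.<console>.<region>-PN.<console>.<store>.<region>-<page>.
// Assumption: the console/store IDs below are the only valid ones (the page
// only calls them "common"), region is two letters and page is alphanumeric.

const CONSOLE_IDS = { P3: "PS3", VT: "PS Vita", PC: "Media Go / PSP" };
const STORE_IDS = new Set(["GAME", "VIDEO"]);

// Assemble a category ID; throws on values outside the grammar.
function buildCategory({ console: consoleId, region, store, page }) {
  if (!(consoleId in CONSOLE_IDS)) throw new Error(`unknown console ID: ${consoleId}`);
  if (!STORE_IDS.has(store)) throw new Error(`unknown store ID: ${store}`);
  if (!/^[A-Z]{2}$/.test(region)) throw new Error(`region must be two letters: ${region}`);
  if (!/^[A-Z0-9]+$/.test(page)) throw new Error(`page must be alphanumeric: ${page}`);
  return `PN.${consoleId}.${region}-PN.${consoleId}.${store}.${region}-${page}`;
}

// Split a category ID into its parts. Both halves must name the same console
// and region; anything else is rejected with null.
const CATEGORY_RE =
  /^PN\.([A-Z0-9]{2})\.([A-Z]{2})-PN\.([A-Z0-9]{2})\.([A-Z]+)\.([A-Z]{2})-([A-Z0-9]+)$/;

function parseCategory(id) {
  const m = CATEGORY_RE.exec(id);
  if (!m) return null;
  const [, c1, r1, c2, store, r2, page] = m;
  if (c1 !== c2 || r1 !== r2) return null;
  return { console: c1, consoleName: CONSOLE_IDS[c1] || null, region: r1, store, page };
}

// psns:browse accepts category= or product=; the value is percent-encoded so a
// stray "&" or "#" in an ID cannot smuggle in a second argument.
function browseUrl(kind, value) {
  if (kind !== "category" && kind !== "product") throw new Error(`unsupported argument: ${kind}`);
  return `psns:browse?${kind}=${encodeURIComponent(value)}`;
}

// psns:redeem takes the code in three segments, code1..code3, exactly as the
// page shows; each segment must be alphanumeric.
function redeemUrl(code1, code2, code3) {
  const segments = [code1, code2, code3];
  for (const s of segments) {
    if (!/^[A-Za-z0-9]+$/.test(s)) throw new Error(`bad code segment: ${s}`);
  }
  return `psns:redeem?code1=${segments[0]}&code2=${segments[1]}&code3=${segments[2]}`;
}

// Constructed usage, reproducing the links from the table above.
const ps3Store = buildCategory({ console: "P3", region: "US", store: "GAME", page: "BASE" });
console.log(browseUrl("category", ps3Store));
console.log(browseUrl("product", "IP9100-PCSI00002_00-MUSICUNLIMITED00"));
console.log(parseCategory(ps3Store));
console.log(redeemUrl("123", "456", "789"));
```

Because the browser dispatches these links without any confirmation step, an auditor looking at a page served to a Vita should treat a psns: href the same way as any other deep link into a payment flow: check where it points before following it.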