Hacking Restricted Webkit bug finder

[yahoo]

For whatever reason, Nintendo does not want to update WebKit as a whole. They're left to fix bugs individually, so they need to find them. We shouldn't make it easier for Nintendo to find them. At least make them do the work, and don't just hand it to them on a silver platter.

this method is way more complicated then just using the one line bash script comex shared in his presentation

 

[Marionumber1]

this method is way more complicated then just using the one line bash script comex shared in his presentation

A restricted-access bug isn't necessarily causing a crash, and even if it does, isn't necessarily exploitable.

 

[FPSRussi4]

This answers the question guys. No public list. The community needs to somehow create a private pool of bugs to give to developers who can find which ones are exploitable. I'm thinking the devs probably don't want to be spammed every time a bug is found that crashes the browser either so probably create a private pool and then pass on the information.

There should be a guide on whether the bug is worth reporting. Oh wait...

 

[Marionumber1]

There should be a guide on whether the bug is worth reporting. Oh wait...

If a bug crashes the system, it is worth reporting so it can be evaluated. And there shouldn't be any problem keeping a public list of definitively ruled out bugs.

 

[FPSRussi4]

If a bug crashes the system, it is worth reporting so it can be evaluated. And there shouldn't be any problem keeping a public list of definitively ruled out bugs.

What's the point of reporting a handled exception? All I agree with you on is keeping a public list of ruled-out bugs. Unless you want to tell us how we can see if the bug can allow code injection, or allows you to execute an exploit.

 

[Marionumber1]

What's the point of reporting a handled exception? All I agree with you on is keeping a public list of ruled-out bugs. Unless you want to tell us how we can see if the bug can allow code injection, or allows you to execute an exploit.

There isn't really a guide I can write to explain that. We investigate what actually causes the bug, see what parts of memory we can control, and find out whether that control could lead to code execution. It all depends on the bug, and requires understanding of exploit principles.

 

[FPSRussi4]

There isn't really a guide I can write to explain that. We investigate what actually causes the bug, see what parts of memory we can control, and find out whether that control could lead to code execution. It all depends on the bug, and requires understanding of exploit principles.

Gotcha. So just keep reporting unhandled exceptions?

 

[Marionumber1]

Gotcha. So just keep reporting unhandled exceptions?

Yeah, and we'll debunk them if we're sure they won't work.

 

[IbbyPlays]

Yeah, and we'll debunk them if we're sure they won't work.

So how do we tell the difference between a handled exception and an unhandled one?

 

[Marionumber1]

So how do we tell the difference between a handled exception and an unhandled one?

Unhandled ones will crash, handled ones won't.

 

[endoverend]

A "handled exception" would be if the Wii U forces you to quit the browser without shutting off, or really any error that doesn't make the system freeze without warning. Just because a bug doesn't cause a crash doesn't exactly mean it's a "handled exception" but rather that the Wii U build of webkit isn't vulnerable to that bug. It's nitpicky but I feel it's especially important to use correct terminology in this situation.

 

[IbbyPlays]

Two things that I think should be added to the script (I understand if you don't have time, I may even try to do it myself):
(1.) Being able to detect https urls
(2.) Some code that prints the number of tests done in the command line output
Three things that may be a bit harder:
(1.) Being able to use the gui while searching for restricted bugs
(2.) A mac package
(3.) Hosting that works with files in LayoutTests that depend on other files (unless if the files just change to index.html and stay in the same directory)

 

[dojafoja]

Two things that I think should be added to the script (I understand if you don't have time, I may even try to do it myself):
(1.) Being able to detect https urls
(2.) Some code that prints the number of tests done in the command line output
Three things that may be a bit harder:
(1.) Being able to use the gui while searching for restricted bugs
(2.) A mac package
(3.) Hosting that works with files in LayoutTests that depend on other files (unless if the files just change to index.html and stay in the same directory)

1. Not sure what you mean exactly. The program does detect https urls. If you are referring to the failed attempts during bug scanning Most of them are commits without a url link to a bug, the others are url links that fail are the extracted links that start with something like <<https://blablabla.com>> or have other leading or trailing characters or commits with multilple bug links because of the sloppy fashion in which I extracted url's. It would be an easy fix really. The code is sloppy because I was always in a huge hurry to get as much done in as little time as I could.
2. Easy to add if I have time.
3. I wrote the parser before I learned about the threading module in python. It would be really easy to not lose control of the gui using threading. I just didn't think many people were really going to create their own database so I haven't re-written it. I could create a thread daemon and do 5-10 scans at once reducing the scan time dramatically, again, not much time man.
4.Nah!
5. The hosting does work with files that depend on other files. It looks for the file that you paste into the entry field, if it finds the file it starts the server in THAT directory. It makes a copy of the file and then renames that file to index.html. If index.html already exists it is simply overwritten each time.

 

[IbbyPlays]

1. Not sure what you mean exactly. The program does detect https urls. If you are referring to the failed attempts during bug scanning Most of them are commits without a url link to a bug, the others are url links that fail are the extracted links that start with something like <<https://blablabla.com>> or have other leading or trailing characters or commits with multilple bug links because of the sloppy fashion in which I extracted url's. It would be an easy fix really. The code is sloppy because I was always in a huge hurry to get as much done in as little time as I could.
2. Easy to add if I have time.
3. I wrote the parser before I learned about the threading module in python. It would be really easy to not lose control of the gui using threading. I just didn't think many people were really going to create their own database so I haven't re-written it. I could create a thread daemon and do 5-10 scans at once reducing the scan time dramatically, again, not much time man.
4.Nah!
5. The hosting does work with files that depend on other files. It looks for the file that you paste into the entry field, if it finds the file it starts the server in THAT directory. It makes a copy of the file and then renames that file to index.html. If index.html already exists it is simply overwritten each time.

1. I dun goofed
2, 3 and 5. GR8
4. I may try to make it myself

 

[IbbyPlays]

If I finally run the program long enough to finish checking for restricted bugs, will all that progress be gone if I quit and restart the program?

 

[dojafoja]

If I finally run the program long enough to finish checking for restricted bugs, will all that progress be gone if I quit and restart the program?

After the scan operation completes it saves it's findings to the commits.db file so they are preserved if you exit the program. It does not write to the database until it is complete though, not as it finds them. Did you parse a new log? If so report back if you are able to find more than the 427 restricted bugs I came up with. The more the merrier. Remember that commits prior to 10/16/2012 are useless to us, even then they are patching stuff from 2013.

 

[IbbyPlays]

Exception in Tkinter callback
Traceback (most recent call last):
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-tk/Tkinter.py", line 1470, in __call__
    return self.func(*args)
  File "/Users/kallencunningham/Downloads/bugfinder/test_parser.py", line 368, in commit_selected
    cursor.execute("SELECT * FROM logs WHERE revision = ?",(self.commit_track_list[get_selection],))
 
TypeError: list indices must be integers, not str

When I select an entry in the results area, no text appears and the console throws me this error.

 

[dojafoja]

Exception in Tkinter callback
Traceback (most recent call last):
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-tk/Tkinter.py", line 1470, in __call__
    return self.func(*args)
  File "/Users/kallencunningham/Downloads/bugfinder/test_parser.py", line 368, in commit_selected
    cursor.execute("SELECT * FROM logs WHERE revision = ?",(self.commit_track_list[get_selection],))
 
TypeError: list indices must be integers, not str

When I select an entry in the results area, no text appears and the console throws me this error.

I've never had it fail on my linux or windows machine, weird. Anyway, I assumed calling .curselection() on a listbox instance would return an integer. Try changing line 369 to look like this: get_selection = int(current[0]) and see if it works. are you on Windows or Linux?

 

[IbbyPlays]

I've never had it fail on my linux or windows machine, weird. Anyway, I assumed calling .curselection() on a listbox instance would return an integer. Try changing line 369 to look like this: get_selection = int(current[0]) and see if it works. are you on Windows or Linux?

Mac OSX so kinda Linux.

 

[IbbyPlays]

So using int() worked.