Exploiting the 3DS browsers - Part 1: Finding flaws
Intro
This post starts a series of a few ones dedicated to web browsers exploitation on the (New) Nintendo 3DS system.
Browsers were - a few years ago - quite popular entrypoints for gaining code execution and launch the homebrew launcher. Back then yellows8 regularly updated his browserhax to support new browser versions and/or gain in stability, thus to try to limit the use of such exploits, Nintendo introduced in firmware version 9.9.0 a version check preventing anyone to use the browser without having the latest firmware version installed.
Since there had not been any browser exploit for quite a while and I had never exploited such applications, I thought it was a good challenge.
Anyway, let’s dive in!
First look
There are two different browsers, SPIDER for O3DS and SKATER for N3DS.
Let’s take a look at their User-Agents (firmware version 11.8):
-
SPIDER:
Mozilla/5.0 (Nintendo 3DS; U; ; fr) Version/1.7630.EU
-
SKATER:
Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.9.10160.EU
They are based on two different old revisions of WebKit, they were probably just updated to apply security patches.
Finding flaws
The webkit source repository provides many tests (“LayoutTests”) specifically crafted to check browsers behavior, of course among those tests are critical vulnerability tests (Use-After-Free for example).
The strategy is quite simple here, run tests until you find an exploitable crash.
There is still an issue though… there is a bunch of tests! It is inconceivable to run several thousand tests all by hand, although some people already tried to find bugs this way and succeeded…
I decided to use a more efficient method, I first cloned all the LayoutTests (it’s huge!) and then wrote a small python server to iterate through all the tests. The idea is simple: load a test every second.
There are however some downsides:
- this is still quite slow (but faster than by hand);
- the iteration might stop sometimes;
- it does not detect crashes involving user interactions (it would not find sliderhax for example).
But anyway since this is an automatic tester you don’t need to look at your 3DS all the time.
Another idea was to build those old revisions of webkit… but well building old revisions is clearly a pain so let’s use the auto tester.
Results
The auto tester revealed to be quite a good solution, I found a bunch of useless nullptr bugs but also more interesting bugs such as Use-After-Free vulnerabilities. Since the two browsers are not based on the same webkit revision, the critical bugs affecting one of them are unlikely to affect the other one.
Thus, the next posts of this series will be dedicated to two different vulnerabilities I exploited in SPIDER and SKATER.