Developer LiveOverflow has published a Proof of Concept file confirming that the iOS 9.3 webkit exploit works on the Nintendo Switch. The exploit had been announced earlier by qwertyoruiop, the hacker behind the iOS 9.3 jailbreak, which used the same vulnerability (CVE-2016-4657) as its starting point.
Nintendo Switch webkit exploit confirmed with PoC
Along with the Proof of Concept, LiveOverflow has published a detailed explanation of how the exploit works (video below), as well as a summary of how to launch the Nintendo Switch browser (a feature most Switch owners are still unaware exists; check out DNSwitch for details).
With LiveOverflow's work, Nintendo Switch owners can now confirm that their console's browser is vulnerable to the webkit exploit. This is the first exploit released for the console, only a few days after the Switch was released to the public. It is still unclear why the Switch shipped with a known, already patched vulnerability still present in its browser.
Nintendo Switch hack – What next?
What's been released is just a proof of concept: it confirms that the browser is vulnerable to the attack. To the end user, this brings pretty much nothing at this point. For hackers, however, this is an entry point to start analyzing the internals of the Nintendo Switch OS: it is now possible to start looking at the RAM and understand a bit more about the device's firmware. Typically this kind of exploit leads to the possibility of dumping a few libraries, which is then followed by a hunt for a privilege escalation vulnerability (basically, a kernel exploit), since a browser exploit on its own only gives code execution inside the browser process; the kernel exploit is what would give full access to the device.
Nintendo Switch webkit exploit – Download and test
You can test the exploit on your Nintendo Switch by getting the files from LiveOverflow's github and hosting them locally on a server of your own. Using DNSwitch or a proxy (following LiveOverflow's video below), you should be able to point the Switch's browser at the file in order to test.
If you run into issues confirming the exploit, this thread on GBATemp has some troubleshooting steps, in particular:
If I set up my server with his exact files freshly unzipped from his github master (not just poc1.html but also his index.html which redirects to it), then I am able to get to the end of the PoC reliably.
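For the "host it locally" step above, and for the troubleshooting note about serving index.html together with poc1.html, here is an added example of a small local web server for the PoC directory. It is not LiveOverflow's code and is not from the article. It assumes (this is not stated in the article) that the console's connectivity check is a plain HTTP GET to the hostname in CONNTEST_HOST and that the console only treats the network as working when the reply carries the header in NINTENDO_HEADER; a reply without that header makes it open its captive-portal browser on the reply body, which is what a DNSwitch-style DNS redirect or a proxy exploits to get a page in front of the browser. Adjust the hostname if your redirect uses a different name.

```python
#!/usr/bin/env python3
"""Tiny local web server for testing the Switch webkit PoC files.

Usage: python3 poc_server.py /path/to/poc_dir [port]
poc_dir must hold LiveOverflow's index.html (which redirects to poc1.html)
and poc1.html; point your DNS redirect or proxy at this machine.
"""
import http.server
import mimetypes
import os
import socketserver
import sys
import tempfile

# Assumed, not from the article: the connectivity-test hostname the console
# resolves, and the header a genuine reply carries. Our replies omit the
# header so the console opens its captive-portal browser on our page.
CONNTEST_HOST = "ctest.cdn.nintendo.net"
NINTENDO_HEADER = ("X-Organization", "Nintendo")


def resolve(poc_dir, path):
    """Map a request path onto a file inside poc_dir, refusing traversal.

    '/' maps to index.html (LiveOverflow's index.html redirects to poc1.html).
    Returns an absolute file path, or None if the file is missing or lies
    outside poc_dir (e.g. '/../etc/passwd').
    """
    root = os.path.abspath(poc_dir)
    name = path.split("?", 1)[0].split("#", 1)[0].lstrip("/") or "index.html"
    full = os.path.abspath(os.path.join(root, name))
    if os.path.commonpath([root, full]) != root or not os.path.isfile(full):
        return None
    return full


def build_response(poc_dir, host, path, act_as_nintendo=False):
    """Return (status, headers, body) for one request from the console.

    act_as_nintendo=True mimics a genuine connectivity-test reply (header
    present), which keeps the browser closed; leave it False for testing.
    """
    full = resolve(poc_dir, path)
    if full is None:
        return 404, {"Content-Type": "text/plain"}, b"not found\n"
    with open(full, "rb") as f:
        body = f.read()
    ctype = mimetypes.guess_type(full)[0] or "application/octet-stream"
    headers = {"Content-Type": ctype, "Cache-Control": "no-store"}
    if host.split(":")[0] == CONNTEST_HOST and act_as_nintendo:
        headers[NINTENDO_HEADER[0]] = NINTENDO_HEADER[1]
    return 200, headers, body


class PocHandler(http.server.BaseHTTPRequestHandler):
    """Serves everything through build_response so the logic is testable."""
    poc_dir = "."

    def do_GET(self):
        status, headers, body = build_response(
            self.poc_dir, self.headers.get("Host", ""), self.path)
        self.send_response(status)
        for key, value in headers.items():
            self.send_header(key, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def make_sample_poc_dir():
    """Constructed stand-ins for the two files, for offline testing only.

    The real files come from LiveOverflow's github; these just reproduce the
    index.html -> poc1.html redirect shape the troubleshooting note mentions.
    """
    d = tempfile.mkdtemp(prefix="switch-poc-")
    with open(os.path.join(d, "index.html"), "w") as f:
        f.write('<meta http-equiv="refresh" content="0; url=poc1.html">')
    with open(os.path.join(d, "poc1.html"), "w") as f:
        f.write("<html><body>constructed PoC placeholder</body></html>")
    return d


def serve(poc_dir, port=80):
    PocHandler.poc_dir = poc_dir
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer(("0.0.0.0", port), PocHandler) as srv:
        print("serving %s on port %d" % (poc_dir, port))
        srv.serve_forever()


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else ".",
          int(sys.argv[2]) if len(sys.argv) > 2 else 80)
```

Port 80 needs root or a port-forwarding rule; a proxy setup can point at any port. The traversal check matters because the server sits on your LAN and will answer any client that reaches it, not only the console.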