6,264
edits
Changes
Jump to navigation
Jump to search
Line 17:
Line 17: − + Line 31:
Line 31: − + + + + + + + + + + Line 86:
Line 95: − + Line 93:
Line 102: − + − + + +
no edit summary
| See [[Ninjhax|here]] regarding Ninjhax.
| See [[Ninjhax|here]] regarding Ninjhax.
| None
| None
| App: Initial version. System: [[9.8.0-25]].
| App: Initial version. System: [[10.2.0-28]].
| Ninjhax release
| Ninjhax release
| July 2014
| July 2014
On March 11, 2015, an exploit using this vuln was released, that one was intended for warez/etc. The following exploit wasn't released before then mainly because doing so would (presumably) result in the vuln being fixed. The following old exploit was released on March 14, 2015: [https://github.com/yellows8/oot3dhax].
On March 11, 2015, an exploit using this vuln was released, that one was intended for warez/etc. The following exploit wasn't released before then mainly because doing so would (presumably) result in the vuln being fixed. The following old exploit was released on March 14, 2015: [https://github.com/yellows8/oot3dhax].
| None
| None
| App: Initial version. System: [[9.8.0-25]].
| App: Initial version. System: [[10.2.0-28]].
| March 11, 2015
| March 11, 2015
| Around October 22, 2012
| Around October 22, 2012
| [[User:Yellows8|Yellows8]]
|-
| Super Smash Bros 3DS
| Buffer overflow in local-multiplayer beacon handling.
| See [[smashbroshax|here]].
| None
| See [[smashbroshax|here]]. System: [[10.2.0-28]].
| Time of exploit release.
| See [[smashbroshax|here]].
| [[User:Yellows8|Yellows8]]
| [[User:Yellows8|Yellows8]]
|}
|}
|-
|-
| [[Home Menu]] theme-data decompression buffer overflow ([[themehax]])
| [[Home Menu]] theme-data decompression buffer overflow ([[themehax]])
| The only size parameter used by the theme decompression function is one for the compressed size. There is zero checks / code using the decompressed-size. The code calling this function does not check or even use the decompressed size from the header either.
| The only func-call size parameter used by the theme decompression function is one for the compressed size, none for the decompressed size. The decompressed-size value from the LZ header is used by this function to check when to stop decompressing, but this function itself has nothing to verify the decompressed_size with. The code calling this function does not check or even use the decompressed size from the header either.
This function is separate from the rest of the Home Menu code: the function used for decompressing themes is *only* used for decompressing themes, nothing else. There's a separate decompression function in Home Menu used for decompressing everything else.
This function is separate from the rest of the Home Menu code: the function used for decompressing themes is *only* used for decompressing themes, nothing else. There's a separate decompression function in Home Menu used for decompressing everything else.
See also [[themehax|here]].
See also [[themehax|here]].
| None
| [[10.1.0-27|10.1.0-X]]
With [[10.2.0-28|10.2.0-X]] Home Menu, the only code change was that the following was added right after theme-load and before actual decompression: "if(<get_lzheader_decompressed_size>(compressed_buf) > 0x150000)<exit>;". This fixed the vuln.
| [[10.2.0-28|10.2.0-X]]
| [[10.2.0-28|10.2.0-X]]
| December 22, 2014
| December 22, 2014
| [[User:Yellows8|Yellows8]]
| [[User:Yellows8|Yellows8]]