3DS System Flaws: Difference between revisions

Edit by Motezazer: They just forgot to set the bit in SYSPROT9. They wouldn't create a hardware lock to not use it.
| February 23, 2016 (Unknown if it was noticed before then)
| February 23, 2016
| [[User:Yellows8|Yellows8]]
|-
| [[HTTP_Services|HTTP]]: Using CTRSDK heap with sharedmem from the user-process.
| The data from httpcAddPostDataAscii and other commands is stored under a CTRSDK heap. That heap is the sharedmem specified by the user-process via the HTTPC Initialize command.
Normally this sharedmem isn't accessible to the user-process once the sysmodule maps it, hence using it for the heap is supposed to be "safe".
That assumption doesn't hold with gspwn, however. Since the CTRSDK heap code is so insecure in general, one can use gspwn to locate the HTTPC sharedmem and read/write it, then trigger a memory write under the sysmodule. This can then be used to get ROP going under the HTTP sysmodule.
This is exploited by [https://github.com/yellows8/ctr-httpwn/ctr-httpwn ctr-httpwn].
| ROP under HTTP sysmodule.
| None
| [[9.6.0-24|9.6.0-X]] (Latest sysmodule version as of [[10.7.0-32|10.7.0-32]])
| Late 2015
| March 22, 2016
| [[User:Yellows8|Yellows8]]
|-
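The HTTP row above describes the bug class only in one sentence: a service keeps allocator bookkeeping inside a memory block the client supplied, so a client who can write that block (here via gspwn) can turn a routine heap operation into a write under the service. The following is an added, host-side model of that class written for this page; it is not ctr-httpwn's code and the chunk layout, the `sysmodule_t` struct, the `trusted_ptr` target and the direct write standing in for gspwn are all constructed for the demo, not the real CTRSDK heap or HTTP sysmodule internals. The unchecked unlink is the vulnerable pattern, `unlink_checked` is the hardened form.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHM_SIZE 4096u

/* Constructed free-chunk header. The only property borrowed from the page is
 * that the allocator's bookkeeping lives inside the shared block itself; the
 * field layout is invented for this demo and is not the CTRSDK heap's. */
typedef struct chunk {
    struct chunk *prev;
    struct chunk *next;
    uint32_t      size;
} chunk_t;

/* The "sysmodule" (constructed): it maps the client's block and uses it as its
 * heap, and keeps a private pointer it trusts, a stand-in for a saved return
 * address or function pointer that a ROP chain would want to redirect. */
typedef struct {
    uint8_t  shm[SHM_SIZE];  /* client-supplied shared memory, used as heap */
    chunk_t *free_head;      /* list head kept by the module, points into shm */
    void    *trusted_ptr;    /* private state that must never be client-controlled */
} sysmodule_t;

static chunk_t *chunk_at(sysmodule_t *m, size_t off) {
    return (chunk_t *)(m->shm + off);
}

static void heap_init(sysmodule_t *m) {
    memset(m, 0, sizeof *m);
    chunk_t *a = chunk_at(m, 0), *b = chunk_at(m, 1024), *c = chunk_at(m, 2048);
    a->prev = NULL; a->next = b;    a->size = 1024;
    b->prev = a;    b->next = c;    b->size = 1024;
    c->prev = b;    c->next = NULL; c->size = SHM_SIZE - 2048;
    m->free_head = a;
}

/* Vulnerable: trusts the prev/next pointers it reads back out of shm. */
static void unlink_unchecked(sysmodule_t *m, chunk_t *v) {
    if (v->prev) v->prev->next = v->next; else m->free_head = v->next;
    if (v->next) v->next->prev = v->prev;
}

static bool in_shm(const sysmodule_t *m, const void *p) {
    const uint8_t *q = p;
    return q >= m->shm && q + sizeof(chunk_t) <= m->shm + SHM_SIZE;
}

/* Hardened: every pointer must stay inside the heap and the neighbours must
 * point back at v (safe unlinking) before anything is written. */
static bool unlink_checked(sysmodule_t *m, chunk_t *v) {
    if (!in_shm(m, v)) return false;
    if (v->prev && (!in_shm(m, v->prev) || v->prev->next != v)) return false;
    if (v->next && (!in_shm(m, v->next) || v->next->prev != v)) return false;
    unlink_unchecked(m, v);
    return true;
}

/* Simulates the attack: the client, who on the real system would reach the
 * block through gspwn, rewrites one chunk header, then a routine service
 * operation unlinks that chunk. Returns true if trusted_ptr now points at
 * client-controlled bytes. */
bool trusted_ptr_hijacked(bool hardened) {
    static sysmodule_t m;
    heap_init(&m);

    chunk_t *victim  = chunk_at(&m, 1024);
    uint8_t *payload = m.shm + 3072;   /* client-written bytes, e.g. a ROP chain */

    /* Classic unlink write: prev->next = next lands `payload` in trusted_ptr.
     * The companion write next->prev = prev goes into payload[0], i.e. into
     * memory the client already owns, so it costs the attacker nothing. */
    victim->prev = (chunk_t *)((uint8_t *)&m.trusted_ptr - offsetof(chunk_t, next));
    victim->next = (chunk_t *)payload;

    if (hardened) {
        if (!unlink_checked(&m, victim)) return false;
    } else {
        unlink_unchecked(&m, victim);
    }

    void *got;
    memcpy(&got, &m.trusted_ptr, sizeof got);   /* plain byte read of the field */
    return got == (void *)payload;
}

int main(void) {
    printf("unchecked unlink hijacked trusted_ptr: %s\n", trusted_ptr_hijacked(false) ? "yes" : "no");
    printf("checked unlink hijacked trusted_ptr:   %s\n", trusted_ptr_hijacked(true)  ? "yes" : "no");
    return 0;
}
```

The check in `unlink_checked` only mitigates; the structural fix for the situation the row describes is to keep allocator metadata (and anything else the service must trust) out of memory the client supplied or can otherwise reach, so that a gspwn-style write into the block can corrupt request data but never the service's own control flow.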