3DS System Flaws: Difference between revisions
| They just forgot to set the bit in SYSPROT9. They wouldn't create a hardware lock to not use it.
| February 23, 2016 (Unknown if it was noticed before then)
| February 23, 2016
| [[User:Yellows8|Yellows8]]
|-
| [[HTTP_Services|HTTP]]: Using CTRSDK heap with sharedmem from the user-process.
| The data from httpcAddPostDataAscii and other commands is stored in a CTRSDK heap. That heap is the sharedmem specified by the user-process via the HTTPC Initialize command.
Normally this sharedmem isn't accessible to the user-process once the sysmodule maps it, hence using it is supposed to be "safe".
This isn't the case due to gspwn, however. Since the CTRSDK heap code is so insecure in general, one can use gspwn to locate the HTTPC sharedmem and read/write it, then trigger a memory write under the sysmodule. This can then be used to get ROP going under the HTTP sysmodule.
This is exploited by [https://github.com/yellows8/ctr-httpwn/ctr-httpwn ctr-httpwn].
| ROP under HTTP sysmodule.
| None
| [[9.6.0-24|9.6.0-X]] (Latest sysmodule version as of [[10.7.0-32|10.7.0-32]])
| Late 2015
| March 22, 2016
| [[User:Yellows8|Yellows8]]
|-