3DS Userland Flaws: Difference between revisions
EvilFlight (talk | contribs)
Line 301:
| 2012
| [[User:Ichfly|Ichfly]]
|-
| 3DS [[System Settings]] stack smash via title strings in [[DSiWare_Exports]]
| DSiWare export banners contain 16 consecutive 0x100-byte UTF-16 game title strings, one per language. Nintendo correctly limits the string's maximum length by placing a NULL at str[127] before it is copied to the stack. However, the stack buffer it is copied into was not sized for all 128 wchars (perhaps a char/wchar size confusion), so an attacker can craft a valid full-length string that smashes the stack from about str+0xEC onward. ROP execution can then be obtained from this crash in DSiWare Data Management, as demonstrated [https://github.com/zoogie/Bannerbomb3 here].
Interesting note: a line feed wchar (00 0A) anywhere in the string before the crash offset prevents the crash from occurring.
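The following C program is an added host-side model of the copy described above; it is not code from this wiki page, from Nintendo, or from Bannerbomb3. Only the 16 consecutive 0x100-byte UTF-16 titles and the NULL forced at str[127] come from the page. The destination size (the page's crash offset 0xEC is reused as the buffer size), the sentinel standing in for the saved return address, the treatment of a line feed wchar as a second copy terminator (one reading of the note above, not an established cause), and every function name are assumptions made for the example. It shows the vulnerable copy beside a hardened one and adds a pre-import check that scans all 16 titles of a constructed banner for ones that would overflow, which goes beyond the single-string case in the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the page: 16 consecutive 0x100-byte UTF-16 titles, NULL forced at str[127]. */
#define TITLE_BYTES    0x100
#define TITLE_WCHARS   (TITLE_BYTES / 2)          /* 128 wchars */
#define NUM_TITLES     16
/* Assumed: the page's crash offset 0xEC is taken as the undersized buffer's size. */
#define DST_BYTES      0xEC
#define DST_WCHARS     (DST_BYTES / 2)            /* 118 wchars */
#define LR_PLACEHOLDER 0x08000000u                /* hypothetical saved-LR value */

/* Victim frame model: undersized buffer, then a sentinel for whatever sits above it (saved LR in a real frame); `slack` keeps the modelled overflow inside this object. */
struct frame_model {
    uint16_t dst[DST_WCHARS];
    uint32_t sentinel;
    uint8_t  slack[TITLE_BYTES];
};

/* Wchars the copier consumes: stopped by NULL and, modelling the line-feed note
 * above (an assumption about its cause), by 0x000A as well. */
static size_t title_len(const uint16_t *title)
{
    size_t n = 0;
    while (n < TITLE_WCHARS - 1 && title[n] != 0x0000 && title[n] != 0x000A)
        n++;
    return n;
}

/* The flaw: terminator correct, copy bounded by the source length only, so up to
 * 128 wchars (256 bytes) land in a 0xEC-byte buffer. Returns bytes past dst. */
static size_t vulnerable_copy(struct frame_model *f, const uint16_t *title)
{
    uint16_t src[TITLE_WCHARS];
    memcpy(src, title, TITLE_BYTES);
    src[TITLE_WCHARS - 1] = 0x0000;               /* Nintendo's str[127] NULL */
    f->sentinel = LR_PLACEHOLDER;
    size_t nbytes = (title_len(src) + 1) * sizeof(uint16_t);
    memcpy((uint8_t *)f, src, nbytes);            /* dst is at offset 0; spills into sentinel */
    return nbytes > DST_BYTES ? nbytes - DST_BYTES : 0;
}

/* Hardened form: bound by the destination, always terminate; never spills. */
static size_t safe_copy(struct frame_model *f, const uint16_t *title)
{
    f->sentinel = LR_PLACEHOLDER;
    size_t n = title_len(title);
    if (n > DST_WCHARS - 1)
        n = DST_WCHARS - 1;                        /* truncate, keep room for NULL */
    memcpy(f->dst, title, n * sizeof(uint16_t));
    f->dst[n] = 0x0000;
    return 0;
}

/* Constructed title: `len` wchars of 'A', optionally a line feed at index lf_at. */
static void make_title(uint16_t *t, size_t len, int lf_at)
{
    memset(t, 0, TITLE_BYTES);
    for (size_t i = 0; i < len && i < TITLE_WCHARS; i++)
        t[i] = 0x0041;
    if (lf_at >= 0 && lf_at < TITLE_WCHARS)
        t[lf_at] = 0x000A;
}

/* One scenario: build a title, run the chosen copy, report what happened. */
struct result { size_t overflow; int clobbered; };
static struct result demo(int hardened, size_t len, int lf_at)
{
    uint16_t t[TITLE_WCHARS];
    struct frame_model f;
    struct result r;
    make_title(t, len, lf_at);
    r.overflow = hardened ? safe_copy(&f, t) : vulnerable_copy(&f, t);
    r.clobbered = f.sentinel != LR_PLACEHOLDER;
    return r;
}

/* Pre-import check over a constructed 16-title banner area: titles that overflow. */
static int demo_banner_check(void)
{
    static uint16_t area[NUM_TITLES * TITLE_WCHARS];
    struct frame_model f;
    int bad = 0;
    make_title(area, 128, -1);                    /* title 0: full length, overflows */
    make_title(area + TITLE_WCHARS, 128, 50);     /* title 1: early LF, harmless */
    for (int i = 0; i < NUM_TITLES; i++)
        if (vulnerable_copy(&f, area + (size_t)i * TITLE_WCHARS) > 0)
            bad++;
    return bad;
}

int main(void)
{
    struct result r = demo(0, 128, -1);
    printf("full title: %zu bytes past dst, sentinel clobbered=%d\n", r.overflow, r.clobbered);
    printf("overflowing titles in constructed banner: %d\n", demo_banner_check());
    return 0;
}
```

In this model a full-length title writes 20 bytes past the buffer and overwrites the sentinel, a line feed at wchar 50 stops the copy well short of it, and a line feed at wchar 120 (past the modelled 0xEC offset) still spills, which is the behaviour the note above reports. The real System Settings frame layout is not on the page, so treat the 0xEC buffer size as a stand-in rather than a measured value.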
| None
| [[11.10.0-43]]
| Dec. 2018
| Zoogie
|-
| [[Nintendo 3DS Sound]]