Line 82: |
Line 82: |
| | slackerSnail, 12Me12, incvoid | | | slackerSnail, 12Me12, incvoid |
| Exploited by MrNbaYoh and [[User:Plutooo|plutoo]]. | | Exploited by MrNbaYoh and [[User:Plutooo|plutoo]]. |
| + | |- |
| + | | SmileBASIC 3.x |
| + | | Subscripted TIME$/DATE$ allow write access to DATA/BSS |
| + | | Utf-16 characters can be assigned to subscripted TIME$/DATE$ interpreter sysvars which results in write-only access to all of DATA and some BSS in userland. |
| + | TIME$[0]/DATE$[0] actually point to somewhere in rodata, and an overly large subscript can be used to write well past it and into the aforementioned areas. Demo [https://github.com/zoogie/smilehax-IIe here.] |
| + | | App: 3.6.2 (3.6.0 latest for US/EU, JP appvers. can be downgraded) |
| + | | System: [[11.13.0-45]]. |
| + | | April 2020 |
| + | | February 2020 |
| + | | bug publicly documented [https://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fsmilebasic.com%2Fdebug%2Farchive%2F here.] |
| + | Exploited by Zoogie |
| |- | | |- |
| | The Legend of Zelda: Tri Force Heroes | | | The Legend of Zelda: Tri Force Heroes |
Line 168: |
Line 179: |
| | August 29, 2017 | | | August 29, 2017 |
| | August, 2017 | | | August, 2017 |
| + | | [[User:Nba_Yoh|MrNbaYoh]], [[User: ChampionLeake|ChampionLeake]] |
| + | |- |
| + | | Pokemon Omega Ruby/Alpha Sapphire |
| + | | PSS data heap/stack overflow |
| + | | When launching the game, multiple chunks from the save file are parsed and copied to a large heap buffer. When parsing PSS data (acquaintances, passerby) the game copies each entry to the heap buffer, the number of entries to copy is read from the end of the multiple pss data chunks and is not checked, leading to an overflow. The "PSS data - friends" chunk is vulnerable too, but the overflow occurs on the stack and unfortunately this isn't exploitable because of a 4 bytes uncontrolled value (in each entry) that gets written on sensitive data. |
| + | | None |
| + | | App: 1.4. System: [[11.6.0]]. |
| + | | October 1, 2017 |
| + | | June, 2016 |
| | [[User:Nba_Yoh|MrNbaYoh]] | | | [[User:Nba_Yoh|MrNbaYoh]] |
| + | |- |
| + | | RPG Maker Fes/Player |
| + | | OOB write |
| + | | When handling events in a map, the indices of "buttons" are not checked. This results in an out of bound bit write, one can thus write a rop directly on the stack (bit by bit). |
| + | | None? |
| + | | App: ? |
| + | | August 5, 2018 |
| + | | |
| + | | [[User:Nba_Yoh|MrNbaYoh]] |
| + | |- |
| + | | Unholy Heights |
| + | | Buffer overflow via unchecked string size |
| + | | The game stores some utf-16 messages in the savefile. Right before the message is the length(u32) for the string, the game uses this size to memcpy the message from the savefile to the stack without checking the length. This allows one to overwrite some function addresses on the stack and form a rop chain. |
| + | | None |
| + | | App: Initial Version |
| + | | September 13, 2018 |
| + | | August, 2018 |
| + | | Kartik |
| + | |- |
| + | | Mononoke Forest |
| + | | String Buffer Overflow via unchecked string length |
| + | | The game stores plaintext profile names in the savefile. The profile names are strcpy/memcpy to different areas of the game's functions in the stack. Using a large extensive profile name, a user can overwrite some stack-registers and point to stack buffer addresses to eventually gain control of the stack to lead and form a rop-chain. |
| + | | None |
| + | | App: v1.0.0 |
| + | | August 14, 2019 |
| + | | February 8, 2019 |
| + | | [[User: ChampionLeake|ChampionLeake]] and [[User: Kartik|Kartik]] |
| + | |- |
| + | | Picross 3D: Round 2 |
| + | | Out of bounds array access allowing to point to fabricated objects and vtable |
| + | | Game only checks save header. With the last interacted save slot index at +0xb270 in the save data unchecked we can achieve a predictable out of bounds access, as well inserting ROP data without detecting save corruption. Game references an object from an array of 3 elements and passes it to a function that will read object pointers and hit a vtable call. With a copy save data left in memory and a properly calculated index, we can point to a fake object position in the save, vtable jump to a stack pivot and start the ROP chain. |
| + | | None |
| + | | App: Initial version |
| + | | September 10, 2020 |
| + | | August 24, 2020 |
| + | | [[User: Luigoalma|Luigoalma]] and [[User: Kartik|Kartik]] |
| + | |- |
| + | | Me and My Pets 3D |
| + | | String buffer overflow |
| + | | The game stores some strings in the savegame. Using a large enough string, once can overwrite addresses on the stack and form a ropchain. |
| + | | None |
| + | | App: Initial Version |
| + | | June 24, 2022 |
| + | | June 12, 2022 |
| + | | [[User: Kartik|Kartik]] |
| + | |- |
| + | | trl CGB emulator (GBC Virtual Console) |
| + | | HDMA heap buffer overflow |
| + | | trl's CGB emulation implements normal mode HDMA by a straight memcpy, failing to correctly bounds check the provided pointers/length. (hblank mode HDMA does perform proper bounds checks after each 0x10 byte memcpy) |
| + | In addition, each area of memory (ROM, SRAM, VRAM, WRAM, SRAM, OAM, MMIO+HRAM) are allocated seperately, from the CTR-SDK heap. |
| + | |
| + | Thus, doing HDMA to an area past the end of VRAM (VRAM bank 1 must be set here) would cause heap overflow. The maximum possible memcpy here would be 0x800 bytes to the end of VRAM less 0x10 bytes. |
| + | |
| + | This is hard to exploit. The heap buffers get freed when choosing to close the game from the Home Menu, with the Home Menu holding the GPU. It may be possible to make calls to APT in ROP in this state to get Home Menu to release the GPU. |
| + | |
| + | To exploit this, SM83 code execution inside the emulator would need to be obtained. This could be done by human-viable or remote (emulated link-cable) code execution exploits (for example Pokémon Yellow (non-JP)/Gold/Silver/Crystal); by crafting SRAM (where the game itself has a savegame exploit); or by crafting an emulator save-state (for games where save-states are enabled). |
| + | |
| + | DMG (mono Game Boy) games are not exploitable; the bug is in CGB-specific functionality which is disabled in mono Game Boy games (determined by ROM header). |
| + | | None |
| + | | trl as included in Pokémon Crystal VC |
| + | | January 2024 |
| + | | ~2017 |
| + | | [[User:Riley|Riley]] |
| |} | | |} |
| | | |
Line 240: |
Line 323: |
| | | |
| * "Mutant Mudds": Overwriting the savefile with random data results in a crash | | * "Mutant Mudds": Overwriting the savefile with random data results in a crash |
| + | |
| + | * "Worcle Worlds": Overwriting the savefile with 0xFF results in a crash due to an out of bound read |
| | | |
| * "Animal Crossing: New Leaf": Creating a QR code from random data results in a valid QR code and a random design. In some very rare cases(which aren't always reproducible?) a crash/etc may occur, but this isn't known to be useful. | | * "Animal Crossing: New Leaf": Creating a QR code from random data results in a valid QR code and a random design. In some very rare cases(which aren't always reproducible?) a crash/etc may occur, but this isn't known to be useful. |
| + | |
| + | * "Angry Birds Star Wars": Strings in the savefile are preceded by their lengths. These strings are never stored on the stack and are memcpy'd into heap memory. If the size is invalid the alloc will fail and thus the memcpy will operate on a nullptr resulting in a useless data abort. |
| + | |
| + | * "Gem Smashers": Overwriting the savefile with random bytes results in useless crashes. |
| + | |
| + | * "Luxor:" Strings/plaintext in the savefile are present and these's no checks. Overwriting the whole save (excluding the header), with /dev/random cause a useless crash. |
| + | |
| + | * "Luv Me Buddies Wonderland:" Doesn't crash at all with the entire savedata overwritten. Overwriting some areas, points to useless nulls |
| | | |
| ==Crashes needing investigation== | | ==Crashes needing investigation== |
Line 264: |
Line 357: |
| | 2012 | | | 2012 |
| | [[User:Ichfly|Ichfly]] | | | [[User:Ichfly|Ichfly]] |
| + | |- |
| + | | 3DS [[System Settings]] stack smash via title strings in [[DSiWare_Exports]] |
| + | | DSiWare export banners contain 16 consecutive 0x100 byte, utf-16 game title strings for different languages. Nintendo correctly limits the string's max length by placing a NULL at str[127] before it's copied to the stack. However, they didn't allocate enough space for all 128 wchars (char/wchar type confusion?), so an attacker can craft a valid full-length string that will crash the stack at about str+0xEC. ROP execution can then be obtained from this crash in DSiWare Data Management as demonstrated [https://github.com/zoogie/Bannerbomb3 here]. |
| + | |
| + | Interesting note: A line feed wchar (00 0A) at any point in the string before the crash offset will prevent the crash from occurring. |
| + | | [[11.17.0-50]] |
| + | | [[11.13.0-45]] |
| + | | Dec. 2018 |
| + | | Zoogie |
| + | |- |
| + | | 3DS SAFE_MODE [https://www.3dbrew.org/wiki/System_Settings#System_Updater System Updater] stack smash from proxy-url string |
| + | | During [[Recovery Mode]] and after all 3 wifi slots fail to find an access point for sysupdate, a user is permitted to access the wifi settings mode to make changes. Here, if the proxy-url field string's NULL terminator had been altered beforehand, a stack smash can occur when the user selects Proxy Settings -> Detailed Setup and the corrupted url string is displayed. |
| + | |
| + | This is a difficult crash to control because the url string is converted from ascii to utf-16 between the slot and stack, effectively reducing the available gadgets to 0.4% of the normal amount. It's possible to improvise an "escape" using an eoreq pc w/shift gadget to combine registers and form a jump that can access 1/2 of all available gadgets. |
| + | |
| + | Because this exploit runs *under* SAFE_MODE, it's possible to run safehax with one's choice of k11 and arm9 hax. Prerequisite: a userland exploit with cfg:s/i access to modify the wifi slot. A demonstration can be viewed [https://github.com/zoogie/unSAFE_MODE here]. |
| + | | None |
| + | | [[11.13.0-45]] |
| + | | Jan. 2020 |
| + | | Zoogie |
| |- | | |- |
| | [[Nintendo 3DS Sound]] | | | [[Nintendo 3DS Sound]] |
Line 271: |
Line 384: |
| | June/July 2016 | | | June/July 2016 |
| | [[User:nedwill|nedwill]] | | | [[User:nedwill|nedwill]] |
| + | |- |
| + | | [[EShop]] |
| + | | When creating an audio decoder object for the moflex movie player, if the audio codec is PCM16, the application uses an uninitialized value as a pointer. One can spray the heap to get control of that pointer and achieve ROP. |
| + | | None |
| + | | [[11.14.0-46]] |
| + | | 2020 |
| + | | [[User:Nba_Yoh|MrNbaYoh]] |
| |} | | |} |
| | | |
Line 307: |
Line 427: |
| | November 2, 2015 (Exactly one week after the browser version pages were initially updated server-side) | | | November 2, 2015 (Exactly one week after the browser version pages were initially updated server-side) |
| | [[User:Yellows8|Yellows8]] | | | [[User:Yellows8|Yellows8]] |
| + | |- |
| + | | Skater - Bookmark OOB write |
| + | | Each bookmark has an id that should not exceed 0x63 (99), however ids are not checked, this results in an OOB write on the stack, but only the value 0x01 can be written. |
| + | | |
| + | | [[11.6.0-39|11.6.0-39]] |
| + | | |
| + | | May 21, 2018 |
| + | | May 20, 2018 |
| + | | [[User:Nba_Yoh|MrNbaYoh]] |
| + | |- |
| + | | MicroSD Management - malformed security blob causes stack buffer overflow (mhax) |
| + | | The MicroSD Management application's parsing of Windows NTLM security blobs in the SMB/CIFS protocol doesn't verify that the client's specified NT domain name is less than 32 UTF-16 characters. When it's longer, a stack buffer overrun occurs, leading to a ROP chain and complete control of the mcopy application. |
| + | |
| + | The malformed security blob can be sent by an attacker within the SMB_COM_SESSION_SETUP_ANDX (0x73) packet. |
| + | | [[11.8.0-41|11.8.0-41]] |
| + | | [[11.8.0-41|11.8.0-41]] |
| + | | [[9.0.0-20|9.0.0-20]] |
| + | | August 12, 2018 |
| + | | 2018 |
| + | | smea |
| |} | | |} |
| | | |
Line 320: |
Line 460: |
| ! Timeframe this was discovered | | ! Timeframe this was discovered |
| ! Discovered by | | ! Discovered by |
| + | |- |
| + | | u8 brightness setting OOB index (menuhax67) |
| + | | Config block 0x50001, which contains a u8 brightness setting that indexes a table of u32 addresses, can be set to an out-of-bounds index (it's normally 1-5). Located within cfg block 0x50009, there exists a single controllable u32 that's located within the u8's range. With these set properly, one can eventually redirect a function pointer to an address of their choice. This is triggered after the Home Menu quick launch tab is activated. POC [https://github.com/zoogie/menuhax67 here]. |
| + | | None |
| + | | [[11.13.0-45]] |
| + | | |
| + | | October 4, 2020 |
| + | | September, 2020 |
| + | | Zoogie |
| |- | | |- |
| | bossbannerhax | | | bossbannerhax |