3DS System Flaws: Difference between revisions

!  Summary
!  Description
!  Successful exploitation result
!  Fixed in system version
!  Last FIRM version this flaw was checked for
!  Timeframe this was discovered
|-
| gspwn
| GSP module does not validate addresses given to the GPU. This allows a user-mode game to read/write to a large part of physical FCRAM using GPU DMA. From this, you can overwrite the .text segment of the game you're running under, and gain real code-execution from a ROP-chain.
| User-mode code execution.
| None
| [[9.4.0-21]]
|
|-
| ropwn
| Using gspwn, it is possible to overwrite a loaded [[CRO0]]/[[CRR0]] after its RSA-signature has been validated. The badly validated [[CRO0]] header leads to arbitrary read/write of memory in the ro-process. This gives code-execution in the ro module, which has access to [[SVC|syscalls]] 0x70-0x72 and 0x7D.
This was fixed after the [[ninjhax]] release by adding checks on [[CRO0]]-based pointers before writing to them.
| Memory-mapping syscalls.
| [[9.3.0-21]]
| [[9.4.0-21]]
|
|-
| 3DS [[System Settings]] DS profile string stack-smash
| Too long or corrupted strings in the NVRAM DS user settings (System Settings->Other Settings->Profile->Nintendo DS Profile) cause System Settings to crash in 3DS-mode due to a stack-smash. The relevant fields are the nickname length in characters (offset 01Ah, 2 bytes) and the message length in characters (offset 050h, 2 bytes). The DSi is not vulnerable to this: the DSi launcher (menu) and DSi System Settings reset the NVRAM user-settings if the length field values are too long (the same result as when the CRCs are invalid). TWL_FIRM also resets the NVRAM user-settings when the string length(s) are too long.
| ROP in mset.
| [[7.0.0-13]]
| [[7.0.0-13]]
| 2012
|}
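The gspwn row above comes down to GSP passing user-supplied addresses to the GPU without checking them. The following is an added example, not code from 3dbrew or from any 3DS module, of the range check a hardened GSP would apply to each DMA request before it reaches the GPU: every source and destination span must sit entirely inside a range the calling process is allowed to touch, and the end-of-span arithmetic is checked for 32-bit wrap so an oversized length cannot pass. The VRAM bounds follow the 3DS physical memory map; the heap range, the `allowed` table and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* A physical address range [start, end) that a process may hand to the GPU for DMA. */
typedef struct {
    uint32_t start;
    uint32_t end;
} phys_range_t;

/* Example allow-list. The VRAM window follows the 3DS physical memory map; the
   second entry stands in for one process's linear-heap allocation and is a
   constructed sample value. Both entries are assumptions of this example. */
static const phys_range_t allowed[] = {
    { 0x18000000u, 0x18600000u },   /* VRAM, 6 MiB */
    { 0x20000000u, 0x20100000u },   /* constructed 1 MiB linear-heap block */
};

/* True only if [addr, addr + size) lies entirely inside one allowed range.
   A zero-length span is rejected, and addr + size is checked for wrap-around
   before it is computed, so a huge size cannot slip past the comparison. */
bool gpu_dma_range_ok(uint32_t addr, uint32_t size) {
    if (size == 0) return false;
    if (addr > UINT32_MAX - size) return false;       /* addr + size would wrap */
    uint32_t end = addr + size;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (addr >= allowed[i].start && end <= allowed[i].end) return true;
    }
    return false;
}

/* Validate both ends of a DMA command. A hardened GSP rejects the request here
   instead of letting the GPU read or write an arbitrary part of FCRAM. */
bool gpu_dma_request_ok(uint32_t src, uint32_t dst, uint32_t size) {
    return gpu_dma_range_ok(src, size) && gpu_dma_range_ok(dst, size);
}
```

The check is per span, not per start address: a span that begins inside VRAM but runs past its end is rejected, which is the case a start-address-only check misses.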
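The DS profile stack-smash row above describes two 16-bit length fields in the NVRAM user settings (nickname length at 0x1A, message length at 0x50) that 3DS-mode System Settings trusted, while the DSi and TWL_FIRM reset the settings when those lengths are too long. The following is an added example, not code from any Nintendo firmware or from 3dbrew, of the DSi-style behaviour: validate both length fields against the fixed field sizes before any copy, and on failure fall back to an empty default profile. The field positions and maximum sizes (nickname at 0x06, 10 UTF-16 characters; message at 0x1C, 26 UTF-16 characters) are taken from the DS firmware user-settings layout and are assumptions of this example, as are the function names, the 0x100-byte block size and the constructed sample block.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Offsets of the two length fields within the NVRAM DS user-settings block, as on the page. */
#define NICK_LEN_OFF  0x1A   /* 2 bytes: nickname length in characters */
#define MSG_LEN_OFF   0x50   /* 2 bytes: message length in characters  */
/* Field positions and maximum sizes follow the DS firmware user-settings layout
   (assumption of this example): nickname at 0x06, 10 UTF-16 chars; message at 0x1C, 26 chars. */
#define NICK_OFF      0x06
#define NICK_MAX      10
#define MSG_OFF       0x1C
#define MSG_MAX       26
#define SETTINGS_SIZE 0x100  /* size of the constructed sample block */

typedef struct {
    uint16_t nick[NICK_MAX];
    uint16_t nick_len;
    uint16_t msg[MSG_MAX];
    uint16_t msg_len;
} ds_profile_t;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }

/* Check both length fields before anything is copied. This is the check the page
   describes the DSi menu, DSi System Settings and TWL_FIRM as performing. */
bool ds_profile_lengths_valid(const uint8_t *blk, size_t n) {
    if (n < SETTINGS_SIZE) return false;
    return rd16le(blk + NICK_LEN_OFF) <= NICK_MAX &&
           rd16le(blk + MSG_LEN_OFF)  <= MSG_MAX;
}

/* Hardened loader: validate, then copy at most the fixed field size. On invalid
   input it returns false and leaves *out as an empty default profile, which is
   the "reset the NVRAM user-settings" outcome rather than an overlong copy. */
bool ds_profile_load(const uint8_t *blk, size_t n, ds_profile_t *out) {
    memset(out, 0, sizeof *out);
    if (!ds_profile_lengths_valid(blk, n)) return false;
    out->nick_len = rd16le(blk + NICK_LEN_OFF);
    out->msg_len  = rd16le(blk + MSG_LEN_OFF);
    memcpy(out->nick, blk + NICK_OFF, out->nick_len * 2u);
    memcpy(out->msg,  blk + MSG_OFF,  out->msg_len  * 2u);
    return true;
}

/* How many bytes a copy driven by an unchecked length field would run past the
   fixed-size field. This expresses the stack-smash condition as arithmetic
   instead of performing the overlong copy. */
size_t ds_profile_overrun_bytes(const uint8_t *blk, size_t len_field_off, size_t max_chars) {
    uint16_t len = rd16le(blk + len_field_off);
    return len > max_chars ? (size_t)(len - max_chars) * 2u : 0;
}

/* Build a constructed sample block with "ABCDEFGHIJ" as nickname, "a".."z" as message,
   and the given (possibly bogus) length field values. */
void make_sample_block(uint8_t *blk, uint16_t nick_len, uint16_t msg_len) {
    memset(blk, 0, SETTINGS_SIZE);
    for (size_t i = 0; i < NICK_MAX; i++) wr16le(blk + NICK_OFF + 2 * i, (uint16_t)('A' + i));
    for (size_t i = 0; i < MSG_MAX;  i++) wr16le(blk + MSG_OFF  + 2 * i, (uint16_t)('a' + i));
    wr16le(blk + NICK_LEN_OFF, nick_len);
    wr16le(blk + MSG_LEN_OFF, msg_len);
}
```

The point of `ds_profile_overrun_bytes` is diagnostic: a length field of 0x7FFF for a 10-character field means a copy of over 64 KiB into a buffer sized for 20 bytes, which is exactly why the DSi-side reset-on-bad-length behaviour matters. A complete loader would also verify the block's CRCs, which the page mentions; that is left out here because the CRC parameters are not given on the page.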