3DS System Flaws: Difference between revisions
No edit summary
Line 193: | Line 193: | ||
=== ARM11 system modules === | === ARM11 system modules === | ||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
|- | |- | ||
Line 201: | Line 199: | ||
! Successful exploitation result | ! Successful exploitation result | ||
! Fixed in system version | ! Fixed in system version | ||
! Last | ! Last system version this flaw was checked for | ||
! Timeframe this was discovered | ! Timeframe this was discovered | ||
|- | |- | ||
| gspwn | | gspwn | ||
| GSP module does not validate addresses given to the GPU. This allows a user-mode | | GSP module does not validate addresses given to the GPU. This allows a user-mode application/applet to read/write to a large part of physical FCRAM using GPU DMA. From this, you can overwrite the .text segment of the application you're running under, and gain real code-execution from a ROP-chain. Normally applets' .text([[Home Menu]], [[Internet Browser]], etc) is located beyond the area accessible by the GPU, except for [[RO_Services|CROs]] used by applets([[Internet Browser]] for example). | ||
| User-mode code execution. | | User-mode code execution. | ||
| None | | None | ||
Line 220: | Line 217: | ||
| [[9.4.0-21]] | | [[9.4.0-21]] | ||
| | | | ||
|} | |||
=== ARM11 system applications and applets === | |||
{| class="wikitable" border="1" | |||
|- | |||
! Summary | |||
! Description | |||
! Successful exploitation result | |||
! Fixed in system version | |||
! Last system version this flaw was checked for | |||
! Timeframe this was discovered | |||
|- | |- | ||
| 3DS [[System Settings]] DS profile string stack-smash | | 3DS [[System Settings]] DS profile string stack-smash |