3DS System Flaws: Difference between revisions
No edit summary
Line 286: | Line 286: | ||
| 2012 | | 2012 | ||
| [[User:Ichfly|Ichfly]] | | [[User:Ichfly|Ichfly]] | ||
|} | |||
=== General/CTRSDK === | |||
{| class="wikitable" border="1" | |||
|- | |||
! Summary | |||
! Description | |||
! Successful exploitation result | |||
! Fixed in version | |||
! Last version this flaw was checked for | |||
! Timeframe this was discovered | |||
! Discovered by | |||
|- | |||
| [[NWM_Services|UDS]] beacon additional-data buffer overflow | |||
| Originally CTRSDK did not validate the UDS additional-data size before using that size to copy the additional-data to a [[NWM_Services|networkstruct]]. This was eventually fixed. | |||
This was discovered while doing code RE with an old dlp-module version. It's unknown in what specific CTRSDK version this was fixed, or even what system-version updated titles with a fixed version. | |||
It's unknown if there's any titles using a vulnerable CTRSDK version which are also exploitable with this(dlp module can't be exploited with this). | |||
The maximum number of bytes that can be written beyond the end of the outbuf is 0x37-bytes, with additionaldata_size=0xFF. | |||
| Perhaps ROP, very difficult if possible with anything at all | |||
| ? | |||
| | |||
| September(?) 2014 | |||
| [[User:Yellows8|Yellows8]] | |||
|} | |} |
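Review bot: the Description cell of the new UDS row gives the worst case as 0x37 bytes past the end of the outbuf with additionaldata_size=0xFF, but never states the capacity that the size should have been checked against. If the additional-data field sits at the end of the outbuf, the two figures imply a 0xC8-byte field (0xFF - 0x37). Stating the field size and its position in the networkstruct would let a reader verify the bound and recognise the missing check in other CTRSDK builds. The "Last version this flaw was checked for" cell is empty and "Fixed in version" is "?"; since the text says the fix version is unknown, the row should at least name the old dlp-module version that was reversed, so the finding can be reproduced. Smaller points: "with this(dlp module" needs a space before the parenthesis, and the revision has no edit summary even though it adds a whole new "General/CTRSDK" section.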