3DS Userland Flaws: Difference between revisions

Line 9:

! Fixed in version

! Last version this flaw was checked for

! Timeframe this was discovered

! Timeframe info related to this was added to wiki

! ~~Discovered~~ by

! Timeframe this vuln was discovered

! Vuln discovered by

|-

| Cubic Ninja

| Map-data stack smash

| See [[Ninjhax|here]] regarding Ninjhax.

| None

|

| Ninjhax release

| July 2014

| [[User:smea|smea]]

|-

| The Legend of Zelda: Ocarina of Time 3D

Line 16:

Line 26:

| The u8 at offset 0x2C in the savefile is the character-length of the UTF-16 string at offset 0x1C. When copying this string, it's essentially a memory-copy with lenval*2, not a string-copy. This can be used to trigger buffer overflows at various locations depending on the string length.

Length value>=0xCD causes a crash while loading the saveslot, via a heap buffer overflow. When value is >=0x6E it crashes when saving the saveslot, this causes a stack-smash however it normally crashes before it returns from the function which had the stack-frame overwritten. With value >=0x9A, it crashes via stack-smash in-game once any dialogs are opened(touching buttons on the touch-screen to enter certain menu(s) can trigger it too).

On March 11, 2015, an exploit using this vuln was released, that one was intended for warez/etc. The following exploit wasn't released before then mainly because doing so would (presumably) result in the vuln being fixed. The following old exploit was released on March 14, 2015: [https://github.com/yellows8/oot3dhax].

| None

|

| March 11, 2015

| Around October 22, 2012

| [[User:Yellows8|Yellows8]]

|-

~~| Cubic Ninja~~

~~| Map-data stack smash~~

~~| See [[Ninjhax|here]] regarding Ninjhax.~~

~~| None~~

|

~~| July 2014~~

~~| [[User:smea|smea]]~~

|}

@@ Line 9: / Line 9: @@
 !  Fixed in version
 !  Last version this flaw was checked for
-!  Timeframe this was discovered
+!  Timeframe info related to this was added to wiki
-!  Discovered by
+!  Timeframe this vuln was discovered
+!  Vuln discovered by
+|-
+| Cubic Ninja
+| Map-data stack smash
+| See [[Ninjhax|here]] regarding Ninjhax.
+| None
+|
+| Ninjhax release
+| July 2014
+| [[User:smea|smea]]
 |-
 | The Legend of Zelda: Ocarina of Time 3D
@@ Line 16: / Line 26: @@
 | The u8 at offset 0x2C in the savefile is the character-length of the UTF-16 string at offset 0x1C. When copying this string, it's essentially a memory-copy with lenval*2, not a string-copy. This can be used to trigger buffer overflows at various locations depending on the string length.
 Length value>=0xCD causes a crash while loading the saveslot, via a heap buffer overflow. When value is >=0x6E it crashes when saving the saveslot, this causes a stack-smash however it normally crashes before it returns from the function which had the stack-frame overwritten. With value >=0x9A, it crashes via stack-smash in-game once any dialogs are opened(touching buttons on the touch-screen to enter certain menu(s) can trigger it too).
+On March 11, 2015, an exploit using this vuln was released, that one was intended for warez/etc. The following exploit wasn't released before then mainly because doing so would (presumably) result in the vuln being fixed. The following old exploit was released on March 14, 2015: [https://github.com/yellows8/oot3dhax].
 | None
 |
+| March 11, 2015
 | Around October 22, 2012
 | [[User:Yellows8|Yellows8]]
-|-
-| Cubic Ninja
-| Map-data stack smash
-| See [[Ninjhax|here]] regarding Ninjhax.
-| None
-|
-| July 2014
-| [[User:smea|smea]]
 |}