* Someone (who will remain unnamed) has released CFW and CIA installers, all of which are either copied from the work of others or copyrighted material.

==Failed attempts==

Here are listed all attempts at exploiting 3DS software that have failed so far.

* Pushmo (3DSWare), QR codes: the level name is properly limited to 16 characters, and the game doesn't crash with a longer name. The only crashes that can be triggered come from out-of-bounds array index values, and these crashes are not exploitable.
* Pyramids (3DSWare), QR codes: no strings. The only crashes come from out-of-bounds values (like the background ID) and are not exploitable.
* 3DS browser, 2^32-character string: this is similar to the vulnerability fixed [http://git.chromium.org/gitweb/?p=external/Webkit.git;a=commitdiff;h=ec471f16fbd1f879cb631f9b022fd16acd75f4d4 here]; the concat-large-strings-crash2.html test from that commit triggers a crash which is about the same as the one triggered by a 2^32-character string. Most of the time this bug causes a memory page permission fault, because the WebKit code attempts to copy the string text data into an output buffer located in read-only [[CRO0|CRO]] heap memory. The only difference between the crash triggered by a 2^32-character string and the concat-large-strings-crash2.html crash is that the former copies the string data using the original string length (1 text character for "x", 4 for "xxxx") while the latter attempts to copy >12MB. In some ''very'' rare cases a thread other than the one doing the string copy crashes instead, which might be exploitable. This is mostly useless, however, since it rarely crashes that way.
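
The following is an added example, not code from this wiki or from WebKit, showing the two halves of the browser entry above: how a 2^32-character string is reached in the first place (repeated self-concatenation, 32 rounds from a single character) and what the unchecked 32-bit length arithmetic of the pre-fix concat code does with it, next to the checked form the fix introduces. The function names are hypothetical. It assumes a current JavaScript engine, which enforces a maximum string length (about 2^29 characters in 64-bit V8) and throws before 2^32 is ever reached; the 3DS WebKit build did not, which is why the wrapped length mattered there.

```javascript
'use strict';

// Added example (not from 3dbrew or WebKit). Function names are hypothetical.

const UINT32_MAX = 0xFFFFFFFF;

// Model of the vulnerable length computation: string lengths are unsigned
// 32-bit, so a.length + b.length wraps. "xxxx" (4 chars) + a string of
// 2^32-4 chars yields 0, so the result buffer is sized from the wrapped
// value while the copies that follow still use the components' real lengths.
function wrappedConcatLength(aLen, bLen) {
  return (aLen + bLen) >>> 0; // ">>> 0" truncates to uint32 like the C++ add
}

// Hardened form of the same computation: refuse the concat instead of
// wrapping. Returns null when the combined length does not fit in 32 bits.
function checkedConcatLength(aLen, bLen) {
  if (aLen > UINT32_MAX - bLen) return null;
  return aLen + bLen;
}

// Builds a string of at least targetLength characters by doubling. This is how
// 2^32 characters are reached in 32 rounds from a 1-character seed instead of
// four billion appends. Engines represent "s + s" lazily (cons string / rope),
// so nothing large is materialised; a current engine still throws
// (RangeError "Invalid string length" in V8) once the length passes its cap.
function growByDoubling(seed, targetLength) {
  let s = seed;
  let doublings = 0;
  try {
    while (s.length < targetLength) {
      s = s + s;
      doublings += 1;
    }
    return { reached: true, length: s.length, doublings, error: null };
  } catch (e) {
    // `s` still holds the last string the engine accepted
    return { reached: false, length: s.length, doublings, error: e.name };
  }
}

// Usage: the small target succeeds; the 2^32 target is refused by the engine.
console.log(growByDoubling('x', 1024));
console.log(growByDoubling('x', 2 ** 32));
console.log('wrapped:', wrappedConcatLength(4, 2 ** 32 - 4),
            'checked:', checkedConcatLength(4, 2 ** 32 - 4));
```

On the 3DS the `growByDoubling` loop is the part that matters: the browser's WebKit accepts every doubling, and the final concat is where `wrappedConcatLength` models the allocation size that leads to the fault described above. The `checkedConcatLength` form is the kind of guard the linked commit adds, so on a patched engine the loop ends with an exception instead of a crash.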

==Tips and info==