3DS System Flaws: Difference between revisions
| Line 611: | Line 611: | ||
! Timeframe this was added to wiki | ! Timeframe this was added to wiki | ||
! Discovered by | ! Discovered by | ||
|- | |||
| [[NWM_Services|NWM]]: Using CTRSDK heap with UDS sharedmem from the user-process. | |||
| See the HTTP-sysmodule section below. | |||
CTRSDK heap is used with the sharedmem from [[NWMUDS:InitializeWithVersion]]. Buffers are allocated/freed under this heap using [[NWMUDS:Bind]] and [[NWMUDS:Unbind]]. | |||
Hence, overwriting sharedmem with gspwn then using [[NWMUDS:Unbind]] results in the usual controlled CTRSDK memchunk-header write, similar to HTTP-sysmodule. | |||
This could be done by creating an UDS network, without any other nodes on the network. | |||
Besides CTRSDK memchunk-headers, there are no addresses stored under this sharedmem. | |||
| ROP under NWM-module. | |||
| None | |||
| [[9.0.0-20|9.0.0-X]] | |||
| April 10, 2016 | |||
| April 16, 2016 | |||
| [[User:Yellows8|Yellows8]] | |||
|- | |- | ||
| [[DLP_Services|DLP]]: Out-of-bounds memory access during spectator [[Download_Play|data-frame]] checksum calculation | | [[DLP_Services|DLP]]: Out-of-bounds memory access during spectator [[Download_Play|data-frame]] checksum calculation | ||
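Review bot: In the added NWM row, the sentence "This could be done by creating an UDS network, without any other nodes on the network." leaves "This" without a clear referent. It could mean reaching the [[NWMUDS:Bind]]/[[NWMUDS:Unbind]] allocations or the whole sequence described in the preceding sentence; suggest naming which step the single-node network is meant to enable. The description also opens with the positional pointer "See the HTTP-sysmodule section below.", which stops being accurate if rows or sections are reordered; a wiki link to that entry would be more robust. Minor wording: "an UDS network" should read "a UDS network".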