3DS System Flaws: Difference between revisions

Line 9:

* Pushmo (3DSWare), QR codes: level name is properly limited to 16 characters, game doesn't crash with a longer name. The only possible crashes are triggered by out-of-bounds values, these crashes are caused by the application attempting to load a ptr from a buffer located at NULL.

* Pyramids (3DSWare), QR codes: no strings. The LZ10 compression can't be exploited either. Only crashes are from out-of-bounds values (like background ID) and are not exploitable.

* 3DS browser, 2^32 characters long string: ~~The behavior of~~ this crash is ~~not well understood~~. ~~The crash may or may not be done on purpose (Webkit contains~~ code ~~that triggers 'crashes' on purpose)~~. ~~Anyway any~~ attempt at exploiting this has failed so far.

* 3DS browser, 2^32 characters long string: this is the same vuln fixed [http://git.chromium.org/gitweb/?p=external/Webkit.git;a=commitdiff;h=ec471f16fbd1f879cb631f9b022fd16acd75f4d4 here], concat-large-strings-crash2.html triggers a crash which is basically the same as the one triggered by a 2^32 string. Most of the time this vuln will cause a memory page permissions fault, since the webkit code attempts to copy the string text data to the output buffer located in read-only heap memory. Any attempt at exploiting this on 3DS has failed so far.

==Current efforts==

@@ Line 9: / Line 9: @@
 * Pushmo (3DSWare), QR codes: level name is properly limited to 16 characters, game doesn't crash with a longer name. The only possible crashes are triggered by out-of-bounds values, these crashes are caused by the application attempting to load a ptr from a buffer located at NULL.
 * Pyramids (3DSWare), QR codes: no strings. The LZ10 compression can't be exploited either. Only crashes are from out-of-bounds values (like background ID) and are not exploitable.
-* 3DS browser, 2^32 characters long string: The behavior of this crash is not well understood. The crash may or may not be done on purpose (Webkit contains code that triggers 'crashes' on purpose). Anyway any attempt at exploiting this has failed so far.
+* 3DS browser, 2^32 characters long string: this is the same vuln fixed [http://git.chromium.org/gitweb/?p=external/Webkit.git;a=commitdiff;h=ec471f16fbd1f879cb631f9b022fd16acd75f4d4 here], concat-large-strings-crash2.html triggers a crash which is basically the same as the one triggered by a 2^32 string. Most of the time this vuln will cause a memory page permissions fault, since the webkit code attempts to copy the string text data to the output buffer located in read-only heap memory. Any attempt at exploiting this on 3DS has failed so far.
 ==Current efforts==