3DS System Flaws: Difference between revisions
No edit summary

Line 50:
| Originally the kernel only checked the first page (0x1000 bytes) of the src/dst buffers for svcReadProcessMemory and svcWriteProcessMemory. There are no known retail processes which have access to these SVCs.
| [[4.0.0-7]]
|}
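The flaw above is an incomplete range check: validating only the page that contains the start address says nothing about the pages a multi-page buffer spills into. The following C is an added illustration, not 3DS kernel code: it models a toy page table (a constructed 16-entry readable-flag array, with the 0x1000-byte page size the article mentions) and places the first-page-only check beside a check that walks every page in the span and also guards the end-address computation against wrap-around. All names, the table contents and the page count are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed toy page table: 16 pages of 0x1000 bytes, pages 0..3 readable. */
#define PAGE_SIZE 0x1000u
#define NUM_PAGES 16u

static const bool page_readable[NUM_PAGES] = {
    true,  true,  true,  true,  false, false, false, false,
    false, false, false, false, false, false, false, false
};

/* Is the page containing addr readable?  Out-of-table pages are not. */
static bool page_ok(uint32_t addr) {
    uint32_t idx = addr / PAGE_SIZE;
    return idx < NUM_PAGES && page_readable[idx];
}

/* Flawed check (the pattern the article describes): only the page that
 * contains the start address is validated, whatever the size. */
bool range_ok_first_page_only(uint32_t addr, uint32_t size) {
    if (size == 0) return false;
    return page_ok(addr);
}

/* Corrected check: every page touched by [addr, addr + size) must be
 * readable, and addr + size - 1 must not wrap around the address space. */
bool range_ok_all_pages(uint32_t addr, uint32_t size) {
    if (size == 0) return false;
    if (addr > UINT32_MAX - (size - 1)) return false;   /* overflow guard */
    uint32_t first = addr / PAGE_SIZE;
    uint32_t last  = (addr + size - 1) / PAGE_SIZE;
    for (uint32_t p = first; p <= last; p++) {
        if (!page_ok(p * PAGE_SIZE)) return false;
    }
    return true;
}

int main(void) {
    /* A 0x1000-byte read starting at 0x3800 spans pages 3 and 4; only the
     * full walk notices that page 4 is not readable. */
    return range_ok_first_page_only(0x3800, 0x1000) && !range_ok_all_pages(0x3800, 0x1000) ? 0 : 1;
}
```

The interesting inputs are the ones that start inside a permitted page and end outside it, and the ones whose end address overflows; a check that handles the first page of each page-aligned case correctly can still pass both.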
=== FIRM ARM11 modules ===
{| class="wikitable" border="1"
|-
! Summary
! Description
! Fixed in system version
|-
| [[Services|"srv:pm"]] process registration
| Originally the service-manager didn't restrict the number of sessions for "srv:pm", and the processIDs used for the (un)registration commands were not checked either. This allowed any process to re-register itself with "srv:pm" and thereby give itself access to any service, bypassing the exheader service-access-control list. This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] the service-manager executes [[SVC|svcBreak]] when an attempt is made to open another "srv:pm" session after the [[Process_Manager_Services|initial]] one. This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
| [[7.0.0-13]]
|}
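The "srv:pm" flaw is a registration interface that trusts whoever can open a session to it. The C below is an added model, not the 3DS service-manager code: a toy registry holds one access-list bit per process (standing in for the exheader service-access-control list), "srv:pm" sessions are counted, and the fix the article describes is modelled as refusing any session after the initial one. It then walks the scenario from the table: a process registered without PXI access opens a second "srv:pm" session and re-registers itself with a broader list. Process IDs, the session limit and the single ACL bit are all constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PROCS 4

typedef struct {
    uint32_t pid;
    bool     registered;
    bool     may_use_pxi;   /* stands in for one entry of the service ACL */
} proc_entry;

typedef struct {
    proc_entry procs[MAX_PROCS];
    int        pm_sessions;     /* open "srv:pm" sessions */
    bool       limit_sessions;  /* fixed behaviour: only the initial session */
} registry;

void registry_init(registry *r, bool fixed) {
    memset(r, 0, sizeof *r);
    r->limit_sessions = fixed;
}

static proc_entry *find_proc(registry *r, uint32_t pid) {
    for (int i = 0; i < MAX_PROCS; i++)
        if (r->procs[i].registered && r->procs[i].pid == pid) return &r->procs[i];
    return NULL;
}

static proc_entry *alloc_proc(registry *r) {
    for (int i = 0; i < MAX_PROCS; i++)
        if (!r->procs[i].registered) return &r->procs[i];
    return NULL;
}

/* Opening a "srv:pm" session.  The original manager accepted any number;
 * the fixed one refuses every session after the first. */
bool open_pm_session(registry *r) {
    if (r->limit_sessions && r->pm_sessions >= 1) return false;
    r->pm_sessions++;
    return true;
}

/* Registration over an open session: binds a PID to an access list.  A
 * re-registration simply overwrites the earlier list. */
bool register_process(registry *r, uint32_t pid, bool acl_pxi) {
    proc_entry *p = find_proc(r, pid);
    if (!p) p = alloc_proc(r);
    if (!p) return false;
    p->pid = pid;
    p->registered = true;
    p->may_use_pxi = acl_pxi;
    return true;
}

/* A process asks for the PXI service; granted only if its list allows it. */
bool get_service_pxi(registry *r, uint32_t pid) {
    proc_entry *p = find_proc(r, pid);
    return p != NULL && p->may_use_pxi;
}

/* Scenario from the article.  Returns whether the application (constructed
 * PID 1) ends up with PXI access. */
bool rereg_scenario(bool fixed) {
    registry r;
    registry_init(&r, fixed);
    open_pm_session(&r);                    /* initial session */
    register_process(&r, 1, false);         /* app registered without PXI */
    if (!open_pm_session(&r))               /* fixed manager stops here */
        return get_service_pxi(&r, 1);
    register_process(&r, 1, true);          /* app re-registers with PXI */
    return get_service_pxi(&r, 1);
}

int main(void) {
    return (rereg_scenario(false) && !rereg_scenario(true)) ? 0 : 1;
}
```

The point the model makes is that the access list is only as strong as the interface that writes it: once any process can reach the registration command, the list no longer expresses a policy set by a trusted party.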