3DS System Flaws: Difference between revisions

No edit summary
Line 14: Line 14:


* A loser (who will remain unnamed) has released CFW and CIA installers along with other stolen and illegal stuff.
* A loser (who will remain unnamed) has released CFW and CIA installers along with other stolen and illegal stuff.
== Fixed vulnerabilities ==
* The following was fixed with [[7.0.0-13]], see here for [[7.0.0-13|details]]. Too long or corrupted strings (01Ah  2  Nickname length in characters    050h  2  Message length in characters) in the NVRAM DS user settings (System Settings->Other Settings->Profile->Nintendo DS Profile) causing it to crash in 3DS-mode due to a stack-smash. The DSi is not vulnerable to this, DSi launcher(menu) and DSi System Settings will reset the NVRAM user-settings if the length field values are too long(same result as when the CRCs are invalid).


==Failed attempts==
==Failed attempts==
Here are listed all attempts at exploiting 3DS software that have failed so far.
Here are listed all attempts at exploiting 3DS software that have failed so far.


* Pushmo (3DSWare), QR codes: level name is properly limited to 16 characters, game doesn't crash with a longer name. The only possible crashes are triggered by out-of-bounds values, these crashes are caused by the application attempting to load a ptr from a buffer located at NULL.
* Pushmo (3DSWare), QR codes: level name is properly limited to 16 characters, game doesn't crash with a longer name. The only possible crashes are triggered by out-of-bounds array index values, these crashes are not exploitable.




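Review bot: the Pushmo line now states the out-of-bounds crashes are "not exploitable" but drops the reason the previous wording gave (the application loads a pointer from a buffer located at NULL); keep that detail so the claim stays checkable, e.g. "triggered by out-of-bounds array index values; the app loads a ptr from a buffer located at NULL, so these crashes are not exploitable." In the new Fixed vulnerabilities entry, the raw offset-table fragment "(01Ah 2 Nickname length in characters 050h 2 Message length in characters)" is pasted into the middle of a sentence; reword it as "the 2-byte nickname-length field at 0x1A and message-length field at 0x50", and drop the redundant "see here for [[7.0.0-13|details]]" since [[7.0.0-13]] is already linked earlier in the same sentence.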
Line 37: Line 34:


==System flaws==
==System flaws==
=== [[FIRM]] Process9 ===
=== ARM11 kernel ===
=== ARM11 kernel ===
{| class="wikitable" border="1"
{| class="wikitable" border="1"
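Review bot: removing the "=== [[FIRM]] Process9 ===" heading leaves "=== ARM11 kernel ===" directly under "==System flaws==", yet the Line 164 hunk below still refers to "the <=v4.x Process9 PXI vulnerabilities"; confirm that the Process9 table those rows belong to still exists under its own heading (i.e. that only the heading line was not dropped while its rows remain), otherwise that cross-reference now points at nothing.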
Line 151: Line 151:
|}
|}


=== FIRM ARM11 modules ===
=== [[FIRM]] ARM11 modules ===
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 164: Line 164:


This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
| [[7.0.0-13]]
|}
=== ARM11 system modules ===
=== ARM11 system applications and applets  ===
{| class="wikitable" border="1"
|-
!  Summary
!  Description
!  Fixed in system version
|-
| 3DS [[System Settings]] DS profile string stack-smash
| Too long or corrupted strings (01Ah  2  Nickname length in characters    050h  2  Message length in characters) in the NVRAM DS user settings (System Settings->Other Settings->Profile->Nintendo DS Profile) cause it to crash in 3DS-mode due to a stack-smash. The DSi is not vulnerable to this, DSi launcher(menu) and DSi System Settings will reset the NVRAM user-settings if the length field values are too long(same result as when the CRCs are invalid). TWL_FIRM also resets the NVRAM user-settings when the string-length(s) are too long.
| [[7.0.0-13]]
| [[7.0.0-13]]
|}
|}
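Review bot: the new "ARM11 system applications and applets" row repeats, nearly verbatim, the description already added to the "Fixed vulnerabilities" list in the Line 14 hunk; keep the full description in one place (this table) and reduce the list entry to a one-line summary linking here, otherwise the two copies will drift (this row already carries an extra sentence about TWL_FIRM resetting the NVRAM user-settings that the list entry lacks). The heading change from "ARM11 system modules" to "ARM11 system applications and applets" also needs checking: System Settings is an application, so the new name fits this row, but any existing system-module rows in that table now sit under a heading that no longer describes them.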