3DS System Flaws: Difference between revisions

No edit summary
No edit summary
Line 41: Line 41:
!  Description
!  Description
!  Successful exploitation result
!  Successful exploitation result
!  Fixed in system version
!  Fixed in [[FIRM]] system version
!  Last FIRM version this flaw was checked for
!  Last [[FIRM]] system version this flaw was checked for
!  Timeframe this was discovered
!  Timeframe this was discovered
!  Discovered by
|-
|-
|  
|  
Line 50: Line 51:
| None
| None
| [[9.3.0-21|9.3.0-X]]
| [[9.3.0-21|9.3.0-X]]
| 2012
| 2012  
| [[User:Yellows8|Yellows8]]
|-
|-
| [[Process_Services_PXI|ps:VerifyRsaSha256]] buffer overflow
| [[Process_Services_PXI|PS RSA]] commands buffer overflows
| Unchecked copy to a buffer in Process9's .bss. The buffer is located before the pxi cmdhandler threads' stacks.
| pxips9 cmd1(not accessible via ps:ps) and VerifyRsaSha256: unchecked copy to a buffer in Process9's .bss, from the input FCRAM buffer. The buffer is located before the pxi cmdhandler threads' stacks. SignRsaSha256 also has a buf overflow, but this isn't exploitable.
The buffer for this is the buffer for the signature data. With v5.0, the signature buffer was moved to stack, with a check for the signature data size. When the signature data size is too large, Process9 uses [[SVC|svcBreak]].
| ARM9 code execution
| ARM9 code execution
| [[5.0.0-11]]
| [[5.0.0-11|5.0.0-X]]
|  
|  
| 2012
| 2012
| [[User:Yellows8|Yellows8]]
|}
|}
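Review bot: the rewritten Description states that the SignRsaSha256 overflow "isn't exploitable" but gives no reason; one clause on what constrains it would let a reader check the claim, and "buf overflow" should be spelled out as "buffer overflow". Also, "cmd1(not accessible via ps:ps)" is missing a space before the parenthesis. The "Last [[FIRM]] system version this flaw was checked for" cell is still empty even though the row now describes the v5.0 fix in detail (signature buffer moved to the stack, size check, svcBreak on oversized signature data), so that cell should record the version that was actually inspected.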


Line 66: Line 70:
!  Description
!  Description
!  Successful exploitation result
!  Successful exploitation result
!  Fixed in system version
!  Fixed in [[FIRM]] system version
!  Last FIRM version this flaw was checked for
!  Last [[FIRM]] system version this flaw was checked for
!  Timeframe this was discovered
!  Timeframe this was discovered
!  Discovered by
|-
|-
|  [[SVC]] table too small
|  [[SVC]] table too small
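Review bot: the new "Discovered by" column is left as a bare "|" in most of the ARM11 rows that follow (SVC table too small, svcBackdoor, 0xEFF00000 / 0xDFF00000, svcStartInterProcessDma, svcControlMemory parameter checks, and the two rows attributed to the "v4.1 FIRM -> v5.0 code diff"); an explicit "unknown" would distinguish a deliberately empty cell from a row that was never updated for the wider header.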
Line 78: Line 83:
| [[9.3.0-21|9.3.0-21]]
| [[9.3.0-21|9.3.0-21]]
| 2012
| 2012
|
|-
|-
|  [[SVC|svcBackdoor (0x7B)]]
|  [[SVC|svcBackdoor (0x7B)]]
Line 85: Line 91:
| [[9.3.0-21|9.3.0-21]]
| [[9.3.0-21|9.3.0-21]]
|
|
|
|-
|-
| [[Memory_layout#ARM11_Detailed_virtual_memory_map|0xEFF00000]] / 0xDFF00000 ARM11 kernel virtual-memory
| [[Memory_layout#ARM11_Detailed_virtual_memory_map|0xEFF00000]] / 0xDFF00000 ARM11 kernel virtual-memory
Line 91: Line 98:
| None
| None
| [[9.3.0-21|9.3.0-21]]
| [[9.3.0-21|9.3.0-21]]
|
|  
|  
|-
|-
Line 99: Line 107:
|  
|  
| February 2014
| February 2014
| [[User:Yellows8|Yellows8]]
|-
|-
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions
Line 106: Line 115:
|  
|  
| 2012
| 2012
| [[User:Yellows8|Yellows8]]
|-
|-
| [[SVC|svcStartInterProcessDma]]
| [[SVC|svcStartInterProcessDma]]
Line 119: Line 129:
|  
|  
| DmaConfig issue: unknown. The rest: 2014
| DmaConfig issue: unknown. The rest: 2014
|
|-
|-
| [[SVC|svcControlMemory]] Parameter checks
| [[SVC|svcControlMemory]] Parameter checks
Line 131: Line 142:
|  
|  
|
|
|
|-
|-
| [[RPC_Command_Structure|Command]] request/response buffer overflow
| [[RPC_Command_Structure|Command]] request/response buffer overflow
Line 140: Line 152:
|  
|  
| v4.1 FIRM -> v5.0 code diff
| v4.1 FIRM -> v5.0 code diff
|
|-
|-
| [[SVC|SVC stack allocation overflows]]
| [[SVC|SVC stack allocation overflows]]
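Review bot: "v4.1 FIRM -> v5.0 code diff" sits in the "Timeframe this was discovered" column, here and in the "SVC stack allocation overflows" row below, but it describes how the flaw was found rather than when; suggest keeping a date (or "unknown") in this column and moving the code-diff remark into the Description cell, where the method of discovery belongs.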
Line 153: Line 166:
|  
|  
| v4.1 FIRM -> v5.0 code diff
| v4.1 FIRM -> v5.0 code diff
|
|-
|-
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions
Line 160: Line 174:
|  
|  
| 2012
| 2012
| [[User:Yellows8|Yellows8]]
|-
|-
| [[RPC_Command_Structure|Command]] input/output buffer permissions
| [[RPC_Command_Structure|Command]] input/output buffer permissions
Line 167: Line 182:
|  
|  
| 2012
| 2012
| [[User:Yellows8|Yellows8]]
|-
|-
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
Line 174: Line 190:
|  
|  
| 2012?
| 2012?
| [[User:Yellows8|Yellows8]]
|}
|}


Line 181: Line 198:
!  Summary
!  Summary
!  Description
!  Description
!  Fixed in system version
!  Successful exploitation result
!  Fixed in [[FIRM]] system version
!  Last [[FIRM]] system version this flaw was checked for
!  Timeframe this was discovered
!  Discovered by
|-
|-
| [[Services|"srv:pm"]] process registration
| [[Services|"srv:pm"]] process registration
Line 189: Line 210:


This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
| Access to arbitrary services
| [[7.0.0-13]]
| [[7.0.0-13]]
|
| 2012
| [[User:Yellows8|Yellows8]]
|}
|}
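Review bot: the newly added "Last [[FIRM]] system version this flaw was checked for" cell is a bare "|" even though the row already names 7.0.0-13 as the fixing version; either record the version on which the fix was confirmed or state that the column does not apply once a flaw is fixed, so the blank is not read as a missing cell.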


Line 201: Line 226:
!  Last system version this flaw was checked for
!  Last system version this flaw was checked for
!  Timeframe this was discovered
!  Timeframe this was discovered
!  Discovered by
|-
|-
| gspwn
| gspwn
Line 207: Line 233:
| None
| None
| [[9.4.0-21]]
| [[9.4.0-21]]
|
|  
|  
|-
|-
Line 216: Line 243:
| [[9.3.0-21]]
| [[9.3.0-21]]
| [[9.4.0-21]]
| [[9.4.0-21]]
|
|  
|  
|}
|}
Line 228: Line 256:
!  Last system version this flaw was checked for
!  Last system version this flaw was checked for
!  Timeframe this was discovered
!  Timeframe this was discovered
!  Discovered by
|-
|-
| 3DS [[System Settings]] DS profile string stack-smash
| 3DS [[System Settings]] DS profile string stack-smash
Line 235: Line 264:
| [[7.0.0-13]]
| [[7.0.0-13]]
| 2012
| 2012
| Whoever originally added the vuln info for this to 3dbrew.
|}
|}
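Review bot: "Whoever originally added the vuln info for this to 3dbrew." is not an attribution; the page history shows who added the row, so the cell should either name that editor or say "unknown" to match the convention used in the other tables.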