3DS System Flaws: Difference between revisions
| Line 291: | Line 291: | ||
! Timeframe this was discovered | ! Timeframe this was discovered | ||
! Discovered by | ! Discovered by | ||
|- | |||
| [[News_Services|NEWSS]] service command notificationID validation failure | |||
| This module does not validate the input notificationID for <nowiki>"news:s"</nowiki> service commands. This is an out-of-bounds array index bug. For example, [[NEWSS:SetNotificationHeader]] could be used to exploit news module: this copies the input data(size is properly checked) to: out = newsdb_savedata+0x10 + (someu32array[notificationID]*0x70). | |||
| ROP under news module. | |||
| None | |||
| [[9.0.0-20]] | |||
| December 2014 | |||
| [[User:Yellows8|Yellows8]] | |||
|- | |- | ||
| [[HID_Services|HID]] module shared-mem | | [[HID_Services|HID]] module shared-mem | ||