3DS Userland Flaws: Difference between revisions

Line 17:

| See [[Ninjhax|here]] regarding Ninjhax.

| None

| App: Initial version. System: [[9.8.0-25]].

| App: Initial version. System: [[10.2.0-28]].

| Ninjhax release

| July 2014

Line 31:

On March 11, 2015, an exploit using this vuln was released, that one was intended for warez/etc. The following exploit wasn't released before then mainly because doing so would (presumably) result in the vuln being fixed. The following old exploit was released on March 14, 2015: [https://github.com/yellows8/oot3dhax].

| None

| App: Initial version. System: [[9.8.0-25]].

| App: Initial version. System: [[10.2.0-28]].

| March 11, 2015

| Around October 22, 2012

| [[User:Yellows8|Yellows8]]

|-

| Super Smash Bros 3DS

| Buffer overflow in local-multiplayer beacon handling.

| See [[smashbroshax|here]].

| None

| See [[smashbroshax|here]]. System: [[10.2.0-28]].

| Time of exploit release.

| See [[smashbroshax|here]].

| [[User:Yellows8|Yellows8]]

|}

Line 86:

Line 95:

|-

| [[Home Menu]] theme-data decompression buffer overflow ([[themehax]])

| The only size parameter used by the theme decompression function is one for the compressed size. ~~There is zero checks / code using the~~ decompressed-size. The code calling this function does not check or even use the decompressed size from the header either.

| The only func-call size parameter used by the theme decompression function is one for the compressed size, none for the decompressed size. The decompressed-size value from the LZ header is used by this function to check when to stop decompressing, but this function itself has nothing to verify the decompressed_size with. The code calling this function does not check or even use the decompressed size from the header either.

This function is separate from the rest of the Home Menu code: the function used for decompressing themes is *only* used for decompressing themes, nothing else. There's a separate decompression function in Home Menu used for decompressing everything else.

Line 93:

Line 102:

@@ Line 17: / Line 17: @@
 | See [[Ninjhax|here]] regarding Ninjhax.
 | None
-| App: Initial version. System: [[9.8.0-25]].
+| App: Initial version. System: [[10.2.0-28]].
 | Ninjhax release
 | July 2014
@@ Line 31: / Line 31: @@
 On March 11, 2015, an exploit using this vuln was released, that one was intended for warez/etc. The following exploit wasn't released before then mainly because doing so would (presumably) result in the vuln being fixed. The following old exploit was released on March 14, 2015: [https://github.com/yellows8/oot3dhax].
 | None
-| App: Initial version. System: [[9.8.0-25]].
+| App: Initial version. System: [[10.2.0-28]].
 | March 11, 2015
 | Around October 22, 2012
+| [[User:Yellows8|Yellows8]]
+|-
+| Super Smash Bros 3DS
+| Buffer overflow in local-multiplayer beacon handling.
+| See [[smashbroshax|here]].
+| None
+| See [[smashbroshax|here]]. System: [[10.2.0-28]].
+| Time of exploit release.
+| See [[smashbroshax|here]].
 | [[User:Yellows8|Yellows8]]
 |}
@@ Line 86: / Line 95: @@
 |-
 | [[Home Menu]] theme-data decompression buffer overflow ([[themehax]])
-| The only size parameter used by the theme decompression function is one for the compressed size. There is zero checks / code using the decompressed-size. The code calling this function does not check or even use the decompressed size from the header either.
+| The only func-call size parameter used by the theme decompression function is one for the compressed size, none for the decompressed size. The decompressed-size value from the LZ header is used by this function to check when to stop decompressing, but this function itself has nothing to verify the decompressed_size with. The code calling this function does not check or even use the decompressed size from the header either.
 This function is separate from the rest of the Home Menu code: the function used for decompressing themes is *only* used for decompressing themes, nothing else. There's a separate decompression function in Home Menu used for decompressing everything else.
@@ Line 93: / Line 102: @@
 See also [[themehax|here]].
-| None
-| [[10.1.0-27|10.1.0-X]]
+With [[10.2.0-28|10.2.0-X]] Home Menu, the only code change was that the following was added right after theme-load and before actual decompression: "if(<get_lzheader_decompressed_size>(compressed_buf) > 0x150000)<exit>;". This fixed the vuln.
+| [[10.2.0-28|10.2.0-X]]
+| [[10.2.0-28|10.2.0-X]]
 | December 22, 2014
 | [[User:Yellows8|Yellows8]]