3DS System Flaws: Difference between revisions
No edit summary |
|||
| Line 754: | Line 754: | ||
! Timeframe this was added to wiki | ! Timeframe this was added to wiki | ||
! Discovered by | ! Discovered by | ||
|- | |||
| [[MP_Services|MP]] cmd1 out-of-bounds handle read | |||
| MP-sysmodule handles the input parameter for cmd1 as a s32. It checks for >=16, but not <0. With <16 it basically does the following(array of entries 4-bytes each): *outhandle = ((Handle*)(stateptr+offsetinstate))[inputindex]. | |||
Hence, this can be used to load any handle in MP-sysmodule memory. MP doesn't really have any service handles of interest however(can be obtained from elsewhere too). | |||
| Reading any handle in MP-sysmodule memory. | |||
| None | |||
| [[8.0.0-18]](MP-sysmodule v2048) | |||
| January 21, 2017 | |||
| January 22, 2017 | |||
| [[User:Yellows8|Yellows8]] | |||
|- | |- | ||
| AM stack/.bss infoleak via [[AM:ReadTwlBackupInfo]]([[AM:ReadTwlBackupInfoEx|Ex]]) | | AM stack/.bss infoleak via [[AM:ReadTwlBackupInfo]]([[AM:ReadTwlBackupInfoEx|Ex]]) | ||
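Review bot: the description cell of the new MP cmd1 row never says outright that the missing <0 check is what makes the read out of bounds. The text goes from "It checks for >=16, but not <0" straight to "With <16 it basically does the following", so the reader has to infer that a negative inputindex indexes memory before stateptr+offsetinstate in 4-byte steps. Suggest wording it as "For any value below 16, including negative ones, it does ..." so that the "any handle in MP-sysmodule memory" claim in the next sentence follows directly from the text. Minor: add a space before the opening parenthesis in "following(array" and "however(can". The revision is also recorded with "No edit summary"; a one-line summary naming the added MP cmd1 entry would help.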