3DS System Flaws: Difference between revisions

Line 60:

|-

| [[Services|"srv:pm"]] process registration

| Originally the ~~service-manager didn't restrict the number of sessions for~~ "srv:pm". The ~~processIDs~~ used for the (un)registration commands are not checked either. This allowed any process to re-register itself with "srv:pm", ~~which~~ therefore allowed the process to give itself access to any service, bypassing the exheader service-access-control list. This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] ~~the service-manager will execute [[SVC|svcBreak]] when another session for~~ "srv:pm" is ~~attempting~~ to ~~be opened after the [[Process_Manager_Services|initial]] session~~. This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).

| Originally any process had access to the port "srv:pm". The PID's used for the (un)registration commands are not checked either. This allowed any process to re-register itself with "srv:pm", and therefore allowed the process to give itself access to any service, bypassing the exheader service-access-control list.

This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] "srv:pm" is now a service instead of a globally accessible port. Only processes with PID's less than 5 (in other words: fs, ldr, sm, pm, pxi modules) have access to it.

This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).

| [[7.0.0-13]]

|}

@@ Line 60: / Line 60: @@
 |-
 | [[Services|"srv:pm"]] process registration
-| Originally the service-manager didn't restrict the number of sessions for "srv:pm". The processIDs used for the (un)registration commands are not checked either. This allowed any process to re-register itself with "srv:pm", which therefore allowed the process to give itself access to any service, bypassing the exheader service-access-control list. This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] the service-manager will execute [[SVC|svcBreak]] when another session for "srv:pm" is attempting to be opened after the [[Process_Manager_Services|initial]] session. This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
+| Originally any process had access to the port "srv:pm". The PID's used for the (un)registration commands are not checked either. This allowed any process to re-register itself with "srv:pm", and therefore allowed the process to give itself access to any service, bypassing the exheader service-access-control list.
+This was fixed in [[7.0.0-13]]: starting with [[7.0.0-13]] "srv:pm" is now a service instead of a globally accessible port. Only processes with PID's less than 5 (in other words: fs, ldr, sm, pm, pxi modules) have access to it.
+This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
 | [[7.0.0-13]]
 |}