28
edits
Changes
Jump to navigation
Jump to search
Line 956:
Line 956: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 965:
Line 1,001: − |- Line 1,026:
Line 1,061: − + Line 1,075:
Line 1,110: − + − | [[9.6.0-24|9.6.0-X]] (Latest sysmodule version as of [[10.7.0-32|10.7.0-32]])+ Line 1,198:
Line 1,233: + + + + + + + + +
→Standalone Sysmodules
! Timeframe this was added to wiki
! Timeframe this was added to wiki
! Discovered by
! Discovered by
|-
| [[CECD_Services|CECD:ndm]] SetNZoneMacFilter (cmd8) stack smashing
| The length of the mac filter is not checked before being copied to a fixed-size buffer on stack.
| ROP under [[CECD_Services|CECD]] sysmodule
| None
| [[11.13.0-45]]
| 2020
| July 20, 2020
| [[User:Nba_Yoh|MrNbaYoh]]
|-
| [[CECD_Services|CECD]] message box access
| CECD allows any process to write to any message box, thus allowing to write Streetpass data to the message box of any title.
| Install exploit for any title having a vulnerability in Streetpass data parsers (see CTRSDK Streetpass parser vulnerability).
| None
| None
| ?
| June 1, 2020
| Everyone?
|-
| [[CECD_Services|CECD]] packet type 0x32/0x34 stack-smashing
| When parsing Streetpass packets of type 0x32 and 0x34, CECD copies a list without checking the number of entries. The packet length is limited to 0x400 bytes, which is not enough to reach the end of the stack frame and overwrite the return address. However, the buffer located just next to the packet buffer is actually filled with data sent just before, hence actually allowing to overwrite the whole stack frame with conrolled data.
| RCE under [[CECD_Services|CECD]]
| [[11.12.0-44]]
| [[11.12.0-44]]
| Summer 2019
| June 1, 2020
| [[User:Nba_Yoh|MrNbaYoh]]
|-
| [[CECD_Services|CECD]] TMP files parser multiple vulnerabilities
| When parsing "TMP_XXX" files, CECD does not check the number of messages contained in the file. This allows to overflow the array of message pointers and message sizes on the stack. Pointers aren't controlled and sizes are limited (one cannot send gigabytes of data...), yet the last message size can be an arbitrary value (the current message pointer goes outside the file buffer and the parsing loop is broken). This allows to overwrite a pointer to a lock object on the stack and decrement an arbitrary value in memory. One can change the TMP file parsing mode to have CECD trying to free all the message buffers after parsing the next TMP file. The parsing mode is usually restored when parsing a new TMP file, but an invalid TMP file allows to make a function returns an error before the mode is restored , the return value is not checked and the parser consider the file valid. The message pointers and sizes arrays are not updated though, this is not a problem since the previous TMP file buffer is reused for the new TMP file in memory. Thus the message pointers actually points to controlled data. This allows to get a bunch of fake heap chunk freed, thus a bunch of unsafe unlink arbitrary writes.
| RCE under [[CECD_Services|CECD]]
| [[11.12.0-44]]
| [[11.12.0-44]]
| Summer 2019
| June 1, 2020
| [[User:Nba_Yoh|MrNbaYoh]]
|-
|-
| [[Config_Services|CFG]]:CreateConfigInfoBlk integer underflow
| [[Config_Services|CFG]]:CreateConfigInfoBlk integer underflow
| November 24, 2018
| November 24, 2018
| [[User:Nba_Yoh|MrNbaYoh]]
| [[User:Nba_Yoh|MrNbaYoh]]
|-
|-
| [[MP:SendDataFrame]] missing input array index validation
| [[MP:SendDataFrame]] missing input array index validation
Besides CTRSDK memchunk-headers, there are no addresses stored under this sharedmem.
Besides CTRSDK memchunk-headers, there are no addresses stored under this sharedmem.
| ROP under NWM-module.
| ROP under NWM-module.
| [[11.4.0-37|11.4.0-X]]
| None (need to check, but CTRSDK heap code is vulnerable)
| [[9.0.0-20|9.0.0-X]]
| [[9.0.0-20|9.0.0-X]]
| April 10, 2016
| April 10, 2016
This is exploited by [https://github.com/yellows8/ctr-httpwn/ctr-httpwn ctr-httpwn].
This is exploited by [https://github.com/yellows8/ctr-httpwn/ctr-httpwn ctr-httpwn].
| ROP under HTTP sysmdule.
| ROP under HTTP sysmdule.
| [[11.4.0-37|11.4.0-X]]
| None
| [[11.13.0-45|11.13.0-X]]
| Late 2015
| Late 2015
| March 22, 2016
| March 22, 2016
! Timeframe this was discovered
! Timeframe this was discovered
! Discovered by
! Discovered by
|-
| [[CECD_Services|CECD]] Streetpass message exheader stack-smashing
| When parsing streetpass messages, "nn::cec::CTR::Message::InputMessage" calls "nn::cec::CTR::Message::SetExHeaderWithoutCalc" for each exheader entry in the input message. The number of entries should not exceed 16 but remains unchecked, leading to a stack-buffer-overflow.
| ROP under any application parsing Streetpass messages
Remote code execution under [[CECD_Services|CECD]]
| [[11.12.0-44]]
|
| 2019
| [[User:Nba_Yoh|MrNbaYoh]]
|-
|-
| [[NWM_Services|UDS]] beacon additional-data buffer overflow
| [[NWM_Services|UDS]] beacon additional-data buffer overflow