2
edits
Changes
Jump to navigation
Jump to search
mLine 311:
Line 311: + + + + + + + + + Line 326:
Line 335: + + + + + + + + + Line 569:
Line 587: − + Line 636:
Line 654: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 934:
Line 998: − + Line 943:
Line 1,007: + + + + + + + + + + + + + + + + + + + Line 956:
Line 1,039: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 1,121:
Line 1,233: − + − +
→FIRM Sysmodules
| May 19, 2017
| May 19, 2017
| [[User:SciresM|SciresM]], [[User:Myria|Myria]]
| [[User:SciresM|SciresM]], [[User:Myria|Myria]]
|-
| safecerthax
| O3DS & O2DS SAFE_FIRM is still vulnerable to the PXIAM:ImportCertificates flaw fixed in [[5.0.0-11]] and to SSLoth fixed in [[11.14.0-46]]. It makes it possible to spoof the official NUS update server and remotely trigger the vulnerability in SAFE_FIRM.
| Remote Arm9 code execution in O3DS/O2DS SAFE_FIRM
| None
| [[11.14.0-46|11.14.0-X]]
| 2020
| December 18, 2020
| [[User:Nba_Yoh|MrNbaYoh]]
|-
|-
| twlhax: Corrupted SRL header leads to memory overwrite
| twlhax: Corrupted SRL header leads to memory overwrite
| August 11, 2018
| August 11, 2018
| smea
| smea
|-
| agbhax
| This is the same issue as twlhax above. Legacy FIRMs share the same OS code (Arm9-side OS, Arm11 kernel), and therefore, the outdated AGB_FIRM can be tricked into executing the still vulnerable PrepareArm9ForTwl function.
| ARM9 code execution (whilst still in 3DS mode)
| None
| [[11.14.0-46|11.14.0-X]]
|
| December 17, 2020
| Everyone
|-
|-
| safefirmhax
| safefirmhax
| [[User:Plutooo|plutoo]]/[[User:Yellows8|Yellows8]]/maybe others(?)
| [[User:Plutooo|plutoo]]/[[User:Yellows8|Yellows8]]/maybe others(?)
|-
|-
| [[Application_Manager_Services_PXI|PXIAM]] command 0x003D0108(See also [[Application_Manager_Services|this]])
| [[Application_Manager_Services_PXI|PXIAM]]:ImportCertificates (See also [[Application_Manager_Services|this]])
| When handling this command, Process9 allocates a 0x2800-byte heap buffer, then copies the 4 FCRAM input buffers to this heap buffer without checking the sizes at all(only the buffers with non-zero sizes are copied). Starting with [[5.0.0-11|5.0.0-X]], the total combined size of the input data must be <=0x2800.
| When handling this command, Process9 allocates a 0x2800-byte heap buffer, then copies the 4 FCRAM input buffers to this heap buffer without checking the sizes at all(only the buffers with non-zero sizes are copied). Starting with [[5.0.0-11|5.0.0-X]], the total combined size of the input data must be <=0x2800.
| ARM9 code execution
| ARM9 code execution
! Timeframe this was discovered
! Timeframe this was discovered
! Discovered by
! Discovered by
|-
| [[SVC|svcUnbindInterrupt]] double free when irqId = 15
| svcBindInterrupt and svcUnbindInterrupt give special treatment to irqId 15 (FIQ helper): the access control list is bypassed and the provided KInterruptEvent (event or semaphore, via handle) is stored inside a singleton static object after having its refcount increased by 1.
svcUnbindInterrupt assumes that the user-provided handle is what is stored in the singleton and will decref the user-provided KInterruptEvent twice, causing a use-after-free if the attacker didn't actually provide an handle to the same event or semaphore.
This was "fixed" on [[11.14.0-46|11.14.0-X]] by preventing irqId 15 to be bound on retail units altogether (in both functions).
| Arm11 kernel code execution
| [[11.14.0-46|11.14.0-X]] (only on retail units)
| [[11.14.0-46|11.14.0-X]]
| 2019
| [[User:TuxSH|TuxSH]], maybe others
|-
| [[SVC|svcKernelSetState]] op=3 could map the NULL page
| svcKernelSetState op=3 param1=1 maps the firmlaunch parameters page to the user-specified VA.
It had previously no check, allowing the attacker to map data at VA 0.
Starting from [[11.14.0-46|11.14.0-X]], the VA must be in the standard 0x10000000-0x14000000 address range.
| Mapping the NULL page (as RW) to leverage other kernel vulnerabilities
| [[11.14.0-46|11.14.0-X]]
| [[11.14.0-46|11.14.0-X]]
| 2019
| [[User:TuxSH|TuxSH]]
|-
| [[SVC|svcMapProcessMemory]] can map the NULL page
| svcMapProcessMemory's destination VA is unchecked.
By passing a big enough "size" parameter, an attacker can map chunks of data at VA 0 in the destination (caller) process.
| Mapping the NULL page (as RW) to leverage other kernel vulnerabilities
| None
| [[11.14.0-46|11.14.0-X]]
| 2020
| [[User:TuxSH|TuxSH]]
|-
| Resource limit use-after-free
| When assigning a KResourceLimit to a KProcess, the reslimit's refcounter doesn't get incremented. This essentially means all KResourceLimit get freed if pm gets somehow terminated.
It turns out it is possible to ask pm (via ns:s or pm:app) to terminate itself along all other KIPs simply by passing TID 0004000100001000.
Calling [[SVC|svcGetResourceLimit]] afterwards triggers a use-after-free. This is rather difficult to exploit, however: there is one slot left in the reslimit slabheap. An attacker either has to map the NULL page as R(W)X (svcControlProcessMemory vuln fixed on [[11.8.0-41|11.8.0-X]]), or use one of the map-null exploits above while having access to svcCreateResourceLimit (with the only one that is easy enough to use in that context having been fixed on [[11.14.0-46|11.14.0-X]], anyway).
| Arm11 kernel code execution
| None (although near impossible to exploit on [[11.14.0-46|11.14.0-X]])
| [[11.14.0-46|11.14.0-X]]
| 2020
| [[User:TuxSH|TuxSH]]
|-
|-
| [[SVC|svcSetProcessIdealProcessor]] reference count overflow and therefore use-after-free.
| [[SVC|svcSetProcessIdealProcessor]] reference count overflow and therefore use-after-free.
| [[User:Yellows8|Yellows8]]
| [[User:Yellows8|Yellows8]]
|-
|-
| [[SM]] out-of-bounds BSS write (table 1 entry too small)
| Useless [[SM]] off-by-one write
| After accepting a new session, [[SM]] writes a (handler ID (0 for srv: sessions (max. 64), 1 for the srv:pm one), pointer to session context structure in BSS) pair in a global array. However that array is only 64-entry-big instead of 65 (as it ought to be), and no bound check is done in that regard.
| After accepting a new session, [[SM]] writes a (handler ID (0 for srv: sessions (max. 64), 1 for the srv:pm one), pointer to session context structure in BSS) pair in a global array. However that array is only 64-entry-big instead of 65 (as it ought to be), and no bound check is done in that regard.
|
|
|
|
|-
| smpwn
| When registering a new service (or "port"), no bound checks are done on the service table. One can simply call RegisterPort repeatedly to overflow that table: it will overflow into the command replay structure.
Combined with a other minor bugs in the sysmodule, it is possible to take over [[SM]] with this nevertheless difficult-to-exploit vulnerability.
| Code execution under [[SM]], etc.
| [[11.16.0-48]]
| [[11.14.0-46]]
| July 2017
| [[User:TuxSH|TuxSH]] (independently), presumably ichfly before
|-
| PXI cmdbuf buffer overrun
| Like its Arm9 counterpart, before version [[5.0.0-11|5.0.0-X]], the PXI system module did not check the command sizes. This makes it possible to get ROP under the PXI sysmodule from a pwned Process9.
safecerthax uses it to takeover the Arm11 processor after directly getting remote code execution on the Arm9 side. Though, is useless in classic Arm11 -> Arm9 chains.
| ROP under [[PXI_Services|PXI]]
| probably [[5.0.0-11|5.0.0-X]]
| [[11.14.0-46]]
|
| Everyone
|}
|}
! Timeframe this was added to wiki
! Timeframe this was added to wiki
! Discovered by
! Discovered by
|-
| [[CSND_Services|CSND]] sysmodule crash due to out of bounds parameters.
| The CSND command [[CSND:PlaySoundDirectly|PlaySoundDirectly (0x00040080)]] takes a channel ID as the first parameter. Any value outside the range [0-3] makes the system module become unstable or crash due to an out of bounds memory read.
| Out of bounds memory read, probably not exploitable. More research needed.
| None
| [[11.14.0-46]]
| January 2021
| January 22, 2021
| [[User:PabloMK7|PabloMK7]]
|-
| SSLoth: [[SSL_Services|SSL]] sysmodule improper certificate verification
| Initially, the SSL sysmodule missed the R_VERIFY_RES_SIGNATURE entry in the "resource list" provided to the RSA BSAFE library. Consequently, it did not check signatures when validating certificate chains.
| Forge fake certificates, spoof official servers and perform MitM attacks on SSL/TLS connections.
| [[11.14.0-46]]
| [[11.14.0-46]]
| 2020
| December 18, 2020
| [[User:Nba_Yoh|MrNbaYoh]], shutterbug2000 (independently)
|-
| [[CECD_Services|CECD:ndm]] SetNZoneMacFilter (cmd8) stack smashing
| The length of the mac filter is not checked before being copied to a fixed-size buffer on stack.
| ROP under [[CECD_Services|CECD]] sysmodule
| None
| [[11.13.0-45]]
| 2020
| July 20, 2020
| [[User:Nba_Yoh|MrNbaYoh]]
|-
|-
| [[CECD_Services|CECD]] message box access
| [[CECD_Services|CECD]] message box access
| [[SPI_Services|SPI]] service out-of-bounds write
| [[SPI_Services|SPI]] service out-of-bounds write
| cmd1 has out-of-bounds write allowing overwrite of some static variables in .data.
| cmd1 has out-of-bounds write allowing overwrite of some static variables in .data.
|
| Code execution under spi sysmodule; access to [[CONFIG11_Registers|CFG11_GPUPROT]] and ultimately kernel code execution.
| None
| None
| [[9.5.0-22]]
| [[11.14.0-46]]
| March 2015
| March 2015
|
|