Line 311: |
Line 311: |
| | May 19, 2017 | | | May 19, 2017 |
| | [[User:SciresM|SciresM]], [[User:Myria|Myria]] | | | [[User:SciresM|SciresM]], [[User:Myria|Myria]] |
| + | |- |
| + | | safecerthax |
| + | | O3DS & O2DS SAFE_FIRM is still vulnerable to the PXIAM:ImportCertificates flaw fixed in [[5.0.0-11]] and to SSLoth fixed in [[11.14.0-46]]. It makes it possible to spoof the official NUS update server and remotely trigger the vulnerability in SAFE_FIRM. |
| + | | Remote Arm9 code execution in O3DS/O2DS SAFE_FIRM |
| + | | None |
| + | | [[11.14.0-46|11.14.0-X]] |
| + | | 2020 |
| + | | December 18, 2020 |
| + | | [[User:Nba_Yoh|MrNbaYoh]] |
| |- | | |- |
| | twlhax: Corrupted SRL header leads to memory overwrite | | | twlhax: Corrupted SRL header leads to memory overwrite |
Line 326: |
Line 335: |
| | August 11, 2018 | | | August 11, 2018 |
| | smea | | | smea |
| + | |- |
| + | | agbhax |
| + | | This is the same issue as twlhax above. Legacy FIRMs share the same OS code (Arm9-side OS, Arm11 kernel), and therefore, the outdated AGB_FIRM can be tricked into executing the still vulnerable PrepareArm9ForTwl function. |
| + | | ARM9 code execution (whilst still in 3DS mode) |
| + | | None |
| + | | [[11.14.0-46|11.14.0-X]] |
| + | | |
| + | | December 17, 2020 |
| + | | Everyone |
| |- | | |- |
| | safefirmhax | | | safefirmhax |
Line 569: |
Line 587: |
| | [[User:Plutooo|plutoo]]/[[User:Yellows8|Yellows8]]/maybe others(?) | | | [[User:Plutooo|plutoo]]/[[User:Yellows8|Yellows8]]/maybe others(?) |
| |- | | |- |
− | | [[Application_Manager_Services_PXI|PXIAM]] command 0x003D0108(See also [[Application_Manager_Services|this]]) | + | | [[Application_Manager_Services_PXI|PXIAM]]:ImportCertificates (See also [[Application_Manager_Services|this]]) |
| | When handling this command, Process9 allocates a 0x2800-byte heap buffer, then copies the 4 FCRAM input buffers to this heap buffer without checking the sizes at all(only the buffers with non-zero sizes are copied). Starting with [[5.0.0-11|5.0.0-X]], the total combined size of the input data must be <=0x2800. | | | When handling this command, Process9 allocates a 0x2800-byte heap buffer, then copies the 4 FCRAM input buffers to this heap buffer without checking the sizes at all(only the buffers with non-zero sizes are copied). Starting with [[5.0.0-11|5.0.0-X]], the total combined size of the input data must be <=0x2800. |
| | ARM9 code execution | | | ARM9 code execution |
Line 636: |
Line 654: |
| ! Timeframe this was discovered | | ! Timeframe this was discovered |
| ! Discovered by | | ! Discovered by |
| + | |- |
| + | | [[SVC|svcUnbindInterrupt]] double free when irqId = 15 |
| + | | svcBindInterrupt and svcUnbindInterrupt give special treatment to irqId 15 (FIQ helper): the access control list is bypassed and the provided KInterruptEvent (event or semaphore, via handle) is stored inside a singleton static object after having its refcount increased by 1. |
| + | |
| + | svcUnbindInterrupt assumes that the user-provided handle is what is stored in the singleton and will decref the user-provided KInterruptEvent twice, causing a use-after-free if the attacker didn't actually provide an handle to the same event or semaphore. |
| + | |
| + | This was "fixed" on [[11.14.0-46|11.14.0-X]] by preventing irqId 15 to be bound on retail units altogether (in both functions). |
| + | | Arm11 kernel code execution |
| + | | [[11.14.0-46|11.14.0-X]] (only on retail units) |
| + | | [[11.14.0-46|11.14.0-X]] |
| + | | 2019 |
| + | | [[User:TuxSH|TuxSH]], maybe others |
| + | |- |
| + | | [[SVC|svcKernelSetState]] op=3 could map the NULL page |
| + | | svcKernelSetState op=3 param1=1 maps the firmlaunch parameters page to the user-specified VA. |
| + | |
| + | It had previously no check, allowing the attacker to map data at VA 0. |
| + | |
| + | Starting from [[11.14.0-46|11.14.0-X]], the VA must be in the standard 0x10000000-0x14000000 address range. |
| + | | Mapping the NULL page (as RW) to leverage other kernel vulnerabilities |
| + | | [[11.14.0-46|11.14.0-X]] |
| + | | [[11.14.0-46|11.14.0-X]] |
| + | | 2019 |
| + | | [[User:TuxSH|TuxSH]] |
| + | |- |
| + | | [[SVC|svcMapProcessMemory]] can map the NULL page |
| + | | svcMapProcessMemory's destination VA is unchecked. |
| + | |
| + | By passing a big enough "size" parameter, an attacker can map chunks of data at VA 0 in the destination (caller) process. |
| + | | Mapping the NULL page (as RW) to leverage other kernel vulnerabilities |
| + | | None |
| + | | [[11.14.0-46|11.14.0-X]] |
| + | | 2020 |
| + | | [[User:TuxSH|TuxSH]] |
| + | |- |
| + | | Resource limit use-after-free |
| + | | When assigning a KResourceLimit to a KProcess, the reslimit's refcounter doesn't get incremented. This essentially means all KResourceLimit get freed if pm gets somehow terminated. |
| + | |
| + | It turns out it is possible to ask pm (via ns:s or pm:app) to terminate itself along all other KIPs simply by passing TID 0004000100001000. |
| + | |
| + | Calling [[SVC|svcGetResourceLimit]] afterwards triggers a use-after-free. This is rather difficult to exploit, however: there is one slot left in the reslimit slabheap. An attacker either has to map the NULL page as R(W)X (svcControlProcessMemory vuln fixed on [[11.8.0-41|11.8.0-X]]), or use one of the map-null exploits above while having access to svcCreateResourceLimit (with the only one that is easy enough to use in that context having been fixed on [[11.14.0-46|11.14.0-X]], anyway). |
| + | | Arm11 kernel code execution |
| + | | None (although near impossible to exploit on [[11.14.0-46|11.14.0-X]]) |
| + | | [[11.14.0-46|11.14.0-X]] |
| + | | 2020 |
| + | | [[User:TuxSH|TuxSH]] |
| |- | | |- |
| | [[SVC|svcSetProcessIdealProcessor]] reference count overflow and therefore use-after-free. | | | [[SVC|svcSetProcessIdealProcessor]] reference count overflow and therefore use-after-free. |
Line 934: |
Line 998: |
| | [[User:Yellows8|Yellows8]] | | | [[User:Yellows8|Yellows8]] |
| |- | | |- |
− | | [[SM]] out-of-bounds BSS write (table 1 entry too small) | + | | Useless [[SM]] off-by-one write |
| | After accepting a new session, [[SM]] writes a (handler ID (0 for srv: sessions (max. 64), 1 for the srv:pm one), pointer to session context structure in BSS) pair in a global array. However that array is only 64-entry-big instead of 65 (as it ought to be), and no bound check is done in that regard. | | | After accepting a new session, [[SM]] writes a (handler ID (0 for srv: sessions (max. 64), 1 for the srv:pm one), pointer to session context structure in BSS) pair in a global array. However that array is only 64-entry-big instead of 65 (as it ought to be), and no bound check is done in that regard. |
| | | |
Line 943: |
Line 1,007: |
| | | | | |
| | | | | |
| + | |- |
| + | | smpwn |
| + | | When registering a new service (or "port"), no bound checks are done on the service table. One can simply call RegisterPort repeatedly to overflow that table: it will overflow into the command replay structure. |
| + | |
| + | Combined with a other minor bugs in the sysmodule, it is possible to take over [[SM]] with this nevertheless difficult-to-exploit vulnerability. |
| + | | Code execution under [[SM]], etc. |
| + | | [[11.16.0-48]] |
| + | | [[11.14.0-46]] |
| + | | July 2017 |
| + | | [[User:TuxSH|TuxSH]] (independently), presumably ichfly before |
| + | |- |
| + | | PXI cmdbuf buffer overrun |
| + | | Like its Arm9 counterpart, before version [[5.0.0-11|5.0.0-X]], the PXI system module did not check the command sizes. This makes it possible to get ROP under the PXI sysmodule from a pwned Process9. |
| + | safecerthax uses it to takeover the Arm11 processor after directly getting remote code execution on the Arm9 side. Though, is useless in classic Arm11 -> Arm9 chains. |
| + | | ROP under [[PXI_Services|PXI]] |
| + | | probably [[5.0.0-11|5.0.0-X]] |
| + | | [[11.14.0-46]] |
| + | | |
| + | | Everyone |
| |} | | |} |
| | | |
Line 956: |
Line 1,039: |
| ! Timeframe this was added to wiki | | ! Timeframe this was added to wiki |
| ! Discovered by | | ! Discovered by |
| + | |- |
| + | | [[CSND_Services|CSND]] sysmodule crash due to out of bounds parameters. |
| + | | The CSND command [[CSND:PlaySoundDirectly|PlaySoundDirectly (0x00040080)]] takes a channel ID as the first parameter. Any value outside the range [0-3] makes the system module become unstable or crash due to an out of bounds memory read. |
| + | | Out of bounds memory read, probably not exploitable. More research needed. |
| + | | None |
| + | | [[11.14.0-46]] |
| + | | January 2021 |
| + | | January 22, 2021 |
| + | | [[User:PabloMK7|PabloMK7]] |
| + | |
| + | |- |
| + | | SSLoth: [[SSL_Services|SSL]] sysmodule improper certificate verification |
| + | | Initially, the SSL sysmodule missed the R_VERIFY_RES_SIGNATURE entry in the "resource list" provided to the RSA BSAFE library. Consequently, it did not check signatures when validating certificate chains. |
| + | | Forge fake certificates, spoof official servers and perform MitM attacks on SSL/TLS connections. |
| + | | [[11.14.0-46]] |
| + | | [[11.14.0-46]] |
| + | | 2020 |
| + | | December 18, 2020 |
| + | | [[User:Nba_Yoh|MrNbaYoh]], shutterbug2000 (independently) |
| + | |
| + | |- |
| + | | [[CECD_Services|CECD:ndm]] SetNZoneMacFilter (cmd8) stack smashing |
| + | | The length of the mac filter is not checked before being copied to a fixed-size buffer on stack. |
| + | | ROP under [[CECD_Services|CECD]] sysmodule |
| + | | None |
| + | | [[11.13.0-45]] |
| + | | 2020 |
| + | | July 20, 2020 |
| + | | [[User:Nba_Yoh|MrNbaYoh]] |
| |- | | |- |
| | [[CECD_Services|CECD]] message box access | | | [[CECD_Services|CECD]] message box access |
Line 1,121: |
Line 1,233: |
| | [[SPI_Services|SPI]] service out-of-bounds write | | | [[SPI_Services|SPI]] service out-of-bounds write |
| | cmd1 has out-of-bounds write allowing overwrite of some static variables in .data. | | | cmd1 has out-of-bounds write allowing overwrite of some static variables in .data. |
− | | | + | | Code execution under spi sysmodule; access to [[CONFIG11_Registers|CFG11_GPUPROT]] and ultimately kernel code execution. |
| | None | | | None |
− | | [[9.5.0-22]] | + | | [[11.14.0-46]] |
| | March 2015 | | | March 2015 |
| | | | | |