Line 311: |
Line 311: |
| | May 19, 2017 | | | May 19, 2017 |
| | [[User:SciresM|SciresM]], [[User:Myria|Myria]] | | | [[User:SciresM|SciresM]], [[User:Myria|Myria]] |
| + | |- |
| + | | safecerthax |
| + | | O3DS & O2DS SAFE_FIRM is still vulnerable to the PXIAM:ImportCertificates flaw fixed in [[5.0.0-11]] and to SSLoth fixed in [[11.14.0-46]]. It makes it possible to spoof the official NUS update server and remotely trigger the vulnerability in SAFE_FIRM. |
| + | | Remote Arm9 code execution in O3DS/O2DS SAFE_FIRM |
| + | | None |
| + | | [[11.14.0-46|11.14.0-X]] |
| + | | 2020 |
| + | | December 18, 2020 |
| + | | [[User:Nba_Yoh|MrNbaYoh]] |
| |- | | |- |
| | twlhax: Corrupted SRL header leads to memory overwrite | | | twlhax: Corrupted SRL header leads to memory overwrite |
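Review bot: In the new safecerthax row, the description's second sentence starts with "It makes it possible to spoof the official NUS update server", but the antecedent of "It" is unclear (the PXIAM flaw, SSLoth, or their combination); since the row is about chaining SSLoth to reach the ImportCertificates bug, rewording to "Combined, these make it possible to spoof the official NUS update server and remotely trigger the PXIAM flaw in SAFE_FIRM" would state the chain explicitly. Two consistency points in the same row: the "last checked" cell links as `[[11.14.0-46|11.14.0-X]]` while neighbouring rows use the plain `[[11.14.0-46]]` form, and the impact cell writes "Arm9" where the existing table (e.g. the ImportCertificates row further down) writes "ARM9". The "Fixed in" cell of "None" is consistent with the description, which is fine, but the wording should make clear that "None" refers to SAFE_FIRM on O3DS/O2DS specifically rather than to the underlying flaws, which were fixed in normal firmware.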
Line 578: |
Line 587: |
| | [[User:Plutooo|plutoo]]/[[User:Yellows8|Yellows8]]/maybe others(?) | | | [[User:Plutooo|plutoo]]/[[User:Yellows8|Yellows8]]/maybe others(?) |
| |- | | |- |
− | | [[Application_Manager_Services_PXI|PXIAM]] command 0x003D0108(See also [[Application_Manager_Services|this]]) | + | | [[Application_Manager_Services_PXI|PXIAM]]:ImportCertificates (See also [[Application_Manager_Services|this]]) |
| | When handling this command, Process9 allocates a 0x2800-byte heap buffer, then copies the 4 FCRAM input buffers to this heap buffer without checking the sizes at all(only the buffers with non-zero sizes are copied). Starting with [[5.0.0-11|5.0.0-X]], the total combined size of the input data must be <=0x2800. | | | When handling this command, Process9 allocates a 0x2800-byte heap buffer, then copies the 4 FCRAM input buffers to this heap buffer without checking the sizes at all(only the buffers with non-zero sizes are copied). Starting with [[5.0.0-11|5.0.0-X]], the total combined size of the input data must be <=0x2800. |
| | ARM9 code execution | | | ARM9 code execution |
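Review bot: Replacing "command 0x003D0108" with "ImportCertificates" in the first cell drops the numeric command ID, which is the only way to cross-reference this entry against the PXIAM command table when reading disassembly; keep both, e.g. `[[Application_Manager_Services_PXI|PXIAM]]:ImportCertificates (0x003D0108) (See also ...)`. The unchanged description still says "without checking the sizes at all(only the buffers" with no space before the parenthesis; worth fixing while this row is being touched.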
Line 1,004: |
Line 1,013: |
| Combined with a other minor bugs in the sysmodule, it is possible to take over [[SM]] with this nevertheless difficult-to-exploit vulnerability. | | Combined with a other minor bugs in the sysmodule, it is possible to take over [[SM]] with this nevertheless difficult-to-exploit vulnerability. |
| | Code execution under [[SM]], etc. | | | Code execution under [[SM]], etc. |
− | | None | + | | [[11.16.0-48]] |
| | [[11.14.0-46]] | | | [[11.14.0-46]] |
| | July 2017 | | | July 2017 |
| | [[User:TuxSH|TuxSH]] (independently), presumably ichfly before | | | [[User:TuxSH|TuxSH]] (independently), presumably ichfly before |
| + | |- |
| + | | PXI cmdbuf buffer overrun |
| + | | Like its Arm9 counterpart, before version [[5.0.0-11|5.0.0-X]], the PXI system module did not check the command sizes. This makes it possible to get ROP under the PXI sysmodule from a pwned Process9. |
| + | safecerthax uses it to takeover the Arm11 processor after directly getting remote code execution on the Arm9 side. Though, is useless in classic Arm11 -> Arm9 chains. |
| + | | ROP under [[PXI_Services|PXI]] |
| + | | probably [[5.0.0-11|5.0.0-X]] |
| + | | [[11.14.0-46]] |
| + | | |
| + | | Everyone |
| |} | | |} |
| | | |
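Review bot: Changing the SM row's "Fixed in" cell from "None" to `[[11.16.0-48]]` leaves the row internally inconsistent, because the "last checked" cell still says `[[11.14.0-46]]`, an earlier version than the one the fix is now attributed to; the checked-on cell should be bumped to 11.16.0-48 (or whichever version the fix was actually verified on). In the new "PXI cmdbuf buffer overrun" row: the description states flatly that "before version 5.0.0-X, the PXI system module did not check the command sizes" while the "Fixed in" cell hedges with "probably", so either the description should be softened or the cell firmed up; "Though, is useless in classic Arm11 -> Arm9 chains" is missing its subject ("Though it is useless ..."), and "takeover" should be "take over" as a verb; the "Timeframe discovered" cell is empty and "Everyone" is not a discoverer, so both should carry a concrete value or an explicit "unknown".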
Line 1,021: |
Line 1,039: |
| ! Timeframe this was added to wiki | | ! Timeframe this was added to wiki |
| ! Discovered by | | ! Discovered by |
| + | |- |
| + | | [[CSND_Services|CSND]] sysmodule crash due to out of bounds parameters. |
| + | | The CSND command [[CSND:PlaySoundDirectly|PlaySoundDirectly (0x00040080)]] takes a channel ID as the first parameter. Any value outside the range [0-3] makes the system module become unstable or crash due to an out of bounds memory read. |
| + | | Out of bounds memory read, probably not exploitable. More research needed. |
| + | | None |
| + | | [[11.14.0-46]] |
| + | | January 2021 |
| + | | January 22, 2021 |
| + | | [[User:PabloMK7|PabloMK7]] |
| + | |
| |- | | |- |
| | SSLoth: [[SSL_Services|SSL]] sysmodule improper certificate verification | | | SSLoth: [[SSL_Services|SSL]] sysmodule improper certificate verification |
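Review bot: The new CSND row ends with an empty added line (`| + | |`) before the `|-` row separator, which will render as a stray empty cell or paragraph in the table; remove it. Minor style points in the same row: the title "CSND sysmodule crash due to out of bounds parameters." ends with a period while no other title in the table does, and the range is written "[0-3]" where "0-3" or "0 to 3" reads more naturally in prose. The impact cell "Out of bounds memory read, probably not exploitable. More research needed." is fine as a hedge, but since the "Fixed in" cell is "None" and the row is dated January 2021, it would help to state which system version the crash was reproduced on (the "last checked" cell gives 11.14.0-46; confirm that is also the version tested).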