Changes

2,149 bytes added , 16:00, 20 November 2023

m

no edit summary

Line 462: Line 462:

|-

| [[FS:EnumerateExtSaveData]] crashes process9 when trying to parse a file as an extdata directory in Data Management (MSET9)

−

| ~~When FS_EnumerateExtData is~~ called by [[System_Settings|MSET]] to parse 3DS extdata IDs for Data Management, a file that starts with 8 hex digits can crash process9 if placed directly inside the extdata directory. It can crash in various ways based on subtle differences in the way the user triggers the crash event.

+

| In the implementation for FSPXI:EnumerateExtSaveData (called by [[System_Settings|MSET]] to parse 3DS extdata IDs for Data Management), the return value of the P9 internal function call to open a directory (when enumerating contents of the extdata directory) was not checked. Therefore, if the call fails, an uninitialised pointer on stack will be used for a vtable call.

+

As such, a file that starts with 8 hex digits can crash process9 if placed directly inside the extdata directory. It can crash in various ways based on subtle differences in the way the user triggers the crash event.

While mostly leading to null derefs, in one specific context, process9 jumps directly to an ID1 string being held in ARM9 memory. Surprisingly, the 3DS doesn't discern what characters are used for the ID1 directory name on the SD, only requiring exactly 32 chars. This allows the attacker to insert arm instructions into the unicode ID1 dirname and take control of the ARM9, and thus, full control of the 3DS.

Line 1,397: Line 1,399:

| See [https://switchbrew.org/wiki/Switch_System_Flaws#Pia here]; separately checked later (UpdateConnectionReport) by [[User:Riley|Riley]] on: June 14, 2023

| [[User:Yellows8|Yellows8]]; added to 3dbrew (UpdateConnectionReport) by [[User:Riley|Riley]] later

+

|-

+

| pialease nerf: stack overflow in Pia when parsing UDS packet cmd=5 "UpdateMigrationNodeInfoMessage"

+

| A UDS packet as received by Pia contains a command type, where cmd=1 is higher-layer game-data, and other cmds are parsed internally.

+

A function named "UdsNode::ParseUpdateMigrationNodeInfoMessage" is called to handle packets with cmd=5.

+

This checks the player nodeID (returns if not player 1, that is, UDS network host), then calls an additional function which does a loop of 64-bit copies to a fixed-size stack buffer using unchecked index and data from the received packet contents.

+

This therefore leads to trivial RCE (of every UDS network client) by just sending a single UDS packet; only 0xC u64s on stack can be overwritten easily, but just 2 is enough to start a ROP chain and pivot to the rest of the UDS packet contents elsewhere on the stack.

+

To exploit some games, an attacker would need to also reimplement the DLP server protocol (and any quirks that game has when parsing the UDS network passphrase obtained from the DLP server). One game that requires this is Mario Party: Island Tour (only the dlplay child connects to a UDS network).

+

Earliest version of Pia known to be vulnerable is v2.x. v1.x still parses this packet, but does not have the stack-copy loop (index is still unchecked there leading to heap overflow but due to overwrites not being contiguous in memory it may or may not be exploitable).

+

Fixed with Pia version 4.x, which refactored the UDS send/receive wrapper code and parses completely different commands.

+

| ROP under the vulnerable application. A server can exploit every client connected to it; a client can exploit every other client connected to that server.

+

| "[SDK+Nintendo:PIA_4_2_0]"

+

| "[SDK+Nintendo:PIA_3_10_2]", "[SDK+Nintendo:PIA_4_2_0]"

+

| Discovery: June 3, 2023.

+

Wiki: November 20, 2023.

+

| [[User:Riley|Riley]]

|}

Riley

39

edits

Changes

3DS System Flaws (edit)

Revision as of 16:00, 20 November 2023