Changes

2,140 bytes added ,  06:45, 23 December 2018
m
Line 178: Line 178:  
| June, 2016
 
| June, 2016
 
| [[User:Nba_Yoh|MrNbaYoh]]
 
| [[User:Nba_Yoh|MrNbaYoh]]
 +
|-
 +
| RPG Maker Fes/Player
 +
| OOB write
 +
| When handling events in a map, the indices of "buttons" are not checked. This results in an out of bound bit write, one can thus write a rop directly on the stack (bit by bit).
 +
| None?
 +
| App: ?
 +
| August 5, 2018
 +
|
 +
| [[User:Nba_Yoh|MrNbaYoh]]
 +
|-
 +
| Unholy Heights
 +
| Buffer overflow via unchecked string size
 +
| The game stores some utf-16 messages in the savefile. Right before the message is the length(u32) for the string, the game uses this size to memcpy the message from the savefile to the stack without checking the length. This allows one to overwrite some function addresses on the stack and form a rop chain.
 +
| None
 +
| App: Initial Version
 +
| September 13, 2018
 +
| August, 2018
 +
| Kartik
 
|}
 
|}
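Review bot: the new RPG Maker Fes/Player row leaves two cells unresolved, "None?" in the fixed-in column and "App: ?" in the version column, while the Unholy Heights row directly below fills the same cells with definite values ("None", "App: Initial Version"). Either confirm whether a title update addressed the unchecked button index and record the app version that was tested, or state plainly that both are unknown, so a reader can tell a verified "not fixed" from an unverified one. Minor style point in the same row: "rop" is lower-case here but "rop chain" / "ROP chain" appear elsewhere on the page; pick one spelling for the table.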
   Line 249: Line 267:     
* "Mutant Mudds": Overwriting the savefile with random data results in a crash
 
* "Mutant Mudds": Overwriting the savefile with random data results in a crash
 +
 +
* "Worcle Worlds": Overwriting the savefile with 0xFF results in a crash due to an out of bound read
    
* "Animal Crossing: New Leaf": Creating a QR code from random data results in a valid QR code and a random design. In some very rare cases(which aren't always reproducible?) a crash/etc may occur, but this isn't known to be useful.
 
* "Animal Crossing: New Leaf": Creating a QR code from random data results in a valid QR code and a random design. In some very rare cases(which aren't always reproducible?) a crash/etc may occur, but this isn't known to be useful.
 +
 +
* "Angry Birds Star Wars": Strings in the savefile are preceded by their lengths. These strings are never stored on the stack and are memcpy'd into heap memory. If the size is invalid the alloc will fail and thus the memcpy will operate on a nullptr resulting in a useless data abort.
 +
 +
* "Gem Smashers": Overwriting the savefile with random bytes results in useless crashes.
 +
 +
* "Luxor:" Strings/plaintext in the savefile are present and these's no checks. Overwriting the whole save (excluding the header), with /dev/random cause a useless crash.
 +
 +
* "Luv Me Buddies Wonderland:" Doesn't crash at all with the entire savedata overwritten. Overwriting some areas, points to useless nulls
    
==Crashes needing investigation==
 
==Crashes needing investigation==
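Review bot: the "Luxor:" bullet has a typo ("these's no checks" should read "there are no checks"), and both the "Luxor:" and "Luv Me Buddies Wonderland:" bullets put the colon inside the quotation marks, unlike every other entry in this list ("Gem Smashers": …); move the colon outside the quotes to match. The last bullet also trails off without a full stop and "Overwriting some areas, points to useless nulls" does not say what ends up pointing at null; a short clause naming what was observed (which pointer or structure) would make the negative result reusable by the next person who tests this title. The doubled blank lines inserted between bullets are also wider spacing than the existing list uses.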
Line 325: Line 353:  
| May 20, 2018
 
| May 20, 2018
 
| [[User:Nba_Yoh|MrNbaYoh]]
 
| [[User:Nba_Yoh|MrNbaYoh]]
 +
|-
 +
| MicroSD Management - malformed security blob causes stack buffer overflow (mhax)
 +
| The MicroSD Management application's parsing of Windows NTLM security blobs in the SMB/CIFS protocol doesn't verify that the client's specified NT domain name is less than 32 UTF-16 characters.  When it's longer, a stack buffer overrun occurs, leading to a ROP chain and complete control of the mcopy application.
 +
 +
The malformed security blob can be sent by an attacker within the SMB_COM_SESSION_SETUP_ANDX (0x73) packet.
 +
| [[11.8.0-41|11.8.0-41]]
 +
| [[11.8.0-41|11.8.0-41]]
 +
| [[9.0.0-20|9.0.0-20]]
 +
| August 12, 2018
 +
| 2018
 +
| smea
 
|}
 
|}
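Review bot: the same system version, [[11.8.0-41|11.8.0-41]], is entered in two consecutive columns of the new MicroSD Management row; if those columns carry different meanings (for example the version the bug was fixed in versus the last version it worked on), the two cells cannot both be correct as written, so confirm which value belongs in each. The description also calls the target "the mcopy application" while the row title says "MicroSD Management"; if mcopy is the internal name of that title, say so once so the two names are clearly the same program. The blank line inside the description cell (between the overflow paragraph and the SMB_COM_SESSION_SETUP_ANDX sentence) is fine for wikitext but worth checking in the rendered table.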
  
