6,263
edits
Changes
Jump to navigation
Jump to search
Line 82:
Line 82: + + + + + + + + + + + + + + + Line 179:
Line 194: + + + + + + + + + + +
no edit summary
| slackerSnail, 12Me12, incvoid
| slackerSnail, 12Me12, incvoid
Exploited by MrNbaYoh and [[User:Plutooo|plutoo]].
Exploited by MrNbaYoh and [[User:Plutooo|plutoo]].
|-
| The Legend of Zelda: Tri Force Heroes
| [[3DS_System_Flaws#General.2FCTRSDK|CTRSDK]] CTPK buffer overflow combined with game's usage of SpotPass
| This isn't really useful due to [[BOSS_Services#Custom_SpotPass_content|this]].
During the very first screen displayed by the game during boot("Loading..."), just seconds after title launch, the game loads CTPK from the [[BOSS_Services|stored]] SpotPass content. Hence, this game could be exploited via the vulnerable CTRSDK CTPK code ''if'' one could get custom SpotPass data into extdata somehow.
The code for this runs from a thread separate from the main-thread, with the stack in linearmem heap.
The two SpotPass URLs for this have always(?) returned HTTP 404 as of November 2016. It appears these were intended for use as textures for additional costumes(and never got used publicly), but this wasn't tested.
| None
| App: v2.1.0
| November 18, 2016
| November 14, 2016
| [[User:Yellows8|Yellows8]]
|}
|}
! Timeframe this was discovered
! Timeframe this was discovered
! Discovered by
! Discovered by
|-
| bossbannerhax
| This isn't really useful due to [[BOSS_Services#Custom_SpotPass_content|this]].
After successfully loading [[Extended_Banner|extended-banner]] data(done when selecting an icon), Home Menu attempts to load [[CBMD]] data into a 0x100000-byte heap buffer from the [[BOSS_Services|stored]] SpotPass content. When successful and the magic-number is CBMD, Home Menu then decompresses the CGFX sections into another fixed-size heap buffer, without checking the outsize at all. The main CBMD CGFX code with ExeFS checks the size, but this code doesn't.
| None
| [[11.2.0-35|11.2.0-X]]
| [[1.0.0-0|1.0.0-0]]
| November 18, 2016
| December 23, 2014
| [[User:Yellows8|Yellows8]]
|-
|-
| sdiconhax
| sdiconhax