2
edits
Changes
mLine 311:
Line 311: + + + + + + + + + Line 578:
Line 587: − + Line 1,004:
Line 1,013: − + + + + + + + + + + Line 1,021:
Line 1,039: + + + + + + + + + +
→FIRM Sysmodules
| May 19, 2017
| May 19, 2017
| [[User:SciresM|SciresM]], [[User:Myria|Myria]]
| [[User:SciresM|SciresM]], [[User:Myria|Myria]]
|-
| safecerthax
| O3DS & O2DS SAFE_FIRM is still vulnerable to the PXIAM:ImportCertificates flaw fixed in [[5.0.0-11]] and to SSLoth fixed in [[11.14.0-46]]. It makes it possible to spoof the official NUS update server and remotely trigger the vulnerability in SAFE_FIRM.
| Remote Arm9 code execution in O3DS/O2DS SAFE_FIRM
| None
| [[11.14.0-46|11.14.0-X]]
| 2020
| December 18, 2020
| [[User:Nba_Yoh|MrNbaYoh]]
|-
|-
| twlhax: Corrupted SRL header leads to memory overwrite
| twlhax: Corrupted SRL header leads to memory overwrite
| [[User:Plutooo|plutoo]]/[[User:Yellows8|Yellows8]]/maybe others(?)
| [[User:Plutooo|plutoo]]/[[User:Yellows8|Yellows8]]/maybe others(?)
|-
|-
| [[Application_Manager_Services_PXI|PXIAM]] command 0x003D0108(See also [[Application_Manager_Services|this]])
| [[Application_Manager_Services_PXI|PXIAM]]:ImportCertificates (See also [[Application_Manager_Services|this]])
| When handling this command, Process9 allocates a 0x2800-byte heap buffer, then copies the 4 FCRAM input buffers to this heap buffer without checking the sizes at all(only the buffers with non-zero sizes are copied). Starting with [[5.0.0-11|5.0.0-X]], the total combined size of the input data must be <=0x2800.
| When handling this command, Process9 allocates a 0x2800-byte heap buffer, then copies the 4 FCRAM input buffers to this heap buffer without checking the sizes at all(only the buffers with non-zero sizes are copied). Starting with [[5.0.0-11|5.0.0-X]], the total combined size of the input data must be <=0x2800.
| ARM9 code execution
| ARM9 code execution
Combined with a other minor bugs in the sysmodule, it is possible to take over [[SM]] with this nevertheless difficult-to-exploit vulnerability.
Combined with a other minor bugs in the sysmodule, it is possible to take over [[SM]] with this nevertheless difficult-to-exploit vulnerability.
| Code execution under [[SM]], etc.
| Code execution under [[SM]], etc.
| None
| [[11.16.0-48]]
| [[11.14.0-46]]
| [[11.14.0-46]]
| July 2017
| July 2017
| [[User:TuxSH|TuxSH]] (independently), presumably ichfly before
| [[User:TuxSH|TuxSH]] (independently), presumably ichfly before
|-
| PXI cmdbuf buffer overrun
| Like its Arm9 counterpart, before version [[5.0.0-11|5.0.0-X]], the PXI system module did not check the command sizes. This makes it possible to get ROP under the PXI sysmodule from a pwned Process9.
safecerthax uses it to takeover the Arm11 processor after directly getting remote code execution on the Arm9 side. Though, is useless in classic Arm11 -> Arm9 chains.
| ROP under [[PXI_Services|PXI]]
| probably [[5.0.0-11|5.0.0-X]]
| [[11.14.0-46]]
|
| Everyone
|}
|}
! Timeframe this was added to wiki
! Timeframe this was added to wiki
! Discovered by
! Discovered by
|-
| [[CSND_Services|CSND]] sysmodule crash due to out of bounds parameters.
| The CSND command [[CSND:PlaySoundDirectly|PlaySoundDirectly (0x00040080)]] takes a channel ID as the first parameter. Any value outside the range [0-3] makes the system module become unstable or crash due to an out of bounds memory read.
| Out of bounds memory read, probably not exploitable. More research needed.
| None
| [[11.14.0-46]]
| January 2021
| January 22, 2021
| [[User:PabloMK7|PabloMK7]]
|-
|-
| SSLoth: [[SSL_Services|SSL]] sysmodule improper certificate verification
| SSLoth: [[SSL_Services|SSL]] sysmodule improper certificate verification