3dbrew

Changes

3DS System Flaws (edit)

Revision as of 18:07, 16 April 2016

745 bytes added ,  18:07, 16 April 2016
→‎Standalone Sysmodules
Line 611: Line 611:  
!  Timeframe this was added to wiki
 
!  Timeframe this was added to wiki
 
!  Discovered by
 
!  Discovered by
 +
|-
 +
| [[NWM_Services|NWM]]: Using CTRSDK heap with UDS sharedmem from the user-process.
 +
| See the HTTP-sysmodule section below.
 +
 +
CTRSDK heap is used with the sharedmem from [[NWMUDS:InitializeWithVersion]]. Buffers are allocated/freed under this heap using [[NWMUDS:Bind]] and [[NWMUDS:Unbind]].
 +
 +
Hence, overwriting sharedmem with gspwn then using [[NWMUDS:Unbind]] results in the usual controlled CTRSDK memchunk-header write, similar to HTTP-sysmodule.
 +
 +
This could be done by creating an UDS network, without any other nodes on the network.
 +
 +
Besides CTRSDK memchunk-headers, there are no addresses stored under this sharedmem.
 +
| ROP under NWM-module.
 +
| None
 +
| [[9.0.0-20|9.0.0-X]]
 +
| April 10, 2016
 +
| April 16, 2016
 +
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
 
| [[DLP_Services|DLP]]: Out-of-bounds memory access during spectator [[Download_Play|data-frame]] checksum calculation
 
| [[DLP_Services|DLP]]: Out-of-bounds memory access during spectator [[Download_Play|data-frame]] checksum calculation
Retrieved from "https://www.3dbrew.org/wiki/Special:MobileDiff/16728"