Changes

Jump to navigation Jump to search

3DS System Flaws (edit)

Revision as of 03:25, 8 August 2023

964 bytes added ,  03:25, 8 August 2023
Process9 primary
Line 460: Line 460:  
|  
 
|  
 
| [[User:Yellows8|Yellows8]]
 
| [[User:Yellows8|Yellows8]]
 +
|-
 +
| [[FS:EnumerateExtSaveData]] crashes process9 when trying to parse a file as an extdata directory in Data Management (MSET9)
 +
| When FS_EnumerateExtData is called by [[System_Settings|MSET]] to parse 3DS extdata IDs for Data Management, a file that starts with 8 hex digits can crash process9 if placed directly inside the extdata directory. It can crash in various ways based on subtle differences in the way the user triggers the crash event.
 +
 +
While mostly leading to null derefs, in one specific context, process9 jumps directly to an ID1 string being held in ARM9 memory. Surprisingly, the 3DS doesn't discern what characters are used for the ID1 directory name on the SD, only requiring exactly 32 chars. This allows the attacker to insert arm instructions into the unicode ID1 dirname and take control of the ARM9, and thus, full control of the 3DS.
 +
| ARM9 code execution (primary)
 +
| None
 +
| [[11.17.0-50|11.17.0-X]]
 +
| April 2022
 +
| August 7, 2023
 +
| zoogie
 
|-
 
|-
 
| RSA signature padding checks
 
| RSA signature padding checks
EvilFlight
48

edits

Retrieved from "https://www.3dbrew.org/wiki/Special:MobileDiff/22294"

Navigation menu