Difference between revisions of "3DS Userland Flaws"

From 3dbrew
Jump to navigation Jump to search
Line 11: Line 11:
 
!  Timeframe this was discovered
 
!  Timeframe this was discovered
 
!  Discovered by
 
!  Discovered by
 +
|-
 +
| The Legend of Zelda: Ocarina of Time 3D
 +
| UTF-16 name string buffer overflow via unchecked u8 length field
 +
| The u8 at offfset 0x2C in the savefile is the character-length of the UTF-16 string at offset 0x1C. When copying this string, it's essentially a memory-copy with lenval*2, not a string-copy. This can be used to trigger buffer overflows at various locations depending on the string length.
 +
Length value>=0xCD causes a crash while loading the saveslot, via a heap buffer overflow. When value is >=0x6E it crashes when saving the saveslot. With value >=0x9A, it crashes via stack-smash in-game once any dialogs are opened(touching buttons on the touch-screen to enter certain menu(s) can trigger it too).
 +
| None
 +
|
 +
| Around October 22, 2012
 +
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
 
| Cubic Ninja
 
| Cubic Ninja

Revision as of 23:21, 11 March 2015

This page lists vulnerabilities / exploits for 3DS applications and applets. Exploiting these initially results in ROP.

Non-system applications

Application name Summary Description Fixed in version Last version this flaw was checked for Timeframe this was discovered Discovered by
The Legend of Zelda: Ocarina of Time 3D UTF-16 name string buffer overflow via unchecked u8 length field The u8 at offfset 0x2C in the savefile is the character-length of the UTF-16 string at offset 0x1C. When copying this string, it's essentially a memory-copy with lenval*2, not a string-copy. This can be used to trigger buffer overflows at various locations depending on the string length.

Length value>=0xCD causes a crash while loading the saveslot, via a heap buffer overflow. When value is >=0x6E it crashes when saving the saveslot. With value >=0x9A, it crashes via stack-smash in-game once any dialogs are opened(touching buttons on the touch-screen to enter certain menu(s) can trigger it too).

None Around October 22, 2012 Yellows8
Cubic Ninja Map-data stack smash See here regarding Ninjhax. None smea

System applications

Summary Description Fixed in version Last version this flaw was checked for Timeframe this was discovered Discovered by
3DS System Settings DS profile string stack-smash Too long or corrupted strings (01Ah 2 Nickname length in characters 050h 2 Message length in characters) in the NVRAM DS user settings (System Settings->Other Settings->Profile->Nintendo DS Profile) cause it to crash in 3DS-mode due to a stack-smash. The DSi is not vulnerable to this, DSi launcher(menu) and DSi System Settings will reset the NVRAM user-settings if the length field values are too long(same result as when the CRCs are invalid). TWL_FIRM also resets the NVRAM user-settings when the string-length(s) are too long. 7.0.0-13 7.0.0-13 2012 Ichfly

System applets