3DS Userland Flaws: Difference between revisions
(11 intermediate revisions by 5 users not shown)
| slackerSnail, 12Me12, incvoid
Exploited by MrNbaYoh and [[User:Plutooo|plutoo]].
|-
| SmileBASIC 3.x
| Subscripted TIME$/DATE$ allow write access to DATA/BSS
| UTF-16 characters can be assigned to the subscripted TIME$/DATE$ interpreter sysvars, which gives write-only access to all of DATA and part of BSS in userland.
TIME$[0]/DATE$[0] actually point somewhere in rodata, and an overly large subscript can be used to write well past it and into the aforementioned areas. Demo [https://github.com/zoogie/smilehax-IIe here.]
| App: 3.6.2 (3.6.0 is the latest for US/EU; JP app versions can be downgraded)
| System: [[11.13.0-45]].
| April 2020
| February 2020
| Bug publicly documented [https://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fsmilebasic.com%2Fdebug%2Farchive%2F here.]
Exploited by Zoogie
|-
| The Legend of Zelda: Tri Force Heroes
| August 29, 2017
| August, 2017
| [[User:Nba_Yoh|MrNbaYoh]], [[User: ChampionLeake|ChampionLeake]]
|-
| Pokemon Omega Ruby/Alpha Sapphire
| August, 2018
| Kartik
|-
| Mononoke Forest
| String buffer overflow via unchecked string length
| The game stores plaintext profile names in the savefile. The profile names are copied with strcpy/memcpy into fixed-size buffers on the stack of several game functions without any length check. A sufficiently long profile name overwrites register values saved on the stack; pointing them at addresses inside the stack buffer gives control of execution and lets a ROP chain be formed.
| None
| App: v1.0.0
| August 14, 2019
| February 8, 2019
| [[User: ChampionLeake|ChampionLeake]] and [[User: Kartik|Kartik]]
|-
| Picross 3D: Round 2
| Out-of-bounds array access allowing a pointer to fabricated objects and a vtable
| The game only checks the save header. The last interacted save slot index at +0xb270 in the save data is not validated, so it gives a predictable out-of-bounds access, and ROP data can be placed in the save without triggering corruption detection. The game uses that index to pick an object from a 3-element array and passes it to a function that reads object pointers and ends in a vtable call. With a copy of the save data left in memory and a properly calculated index, the lookup can be pointed at a fake object inside the save, the vtable call redirected to a stack pivot, and the ROP chain started.
| None
| App: Initial version
| September 10, 2020
| August 24, 2020
| [[User: Luigoalma|Luigoalma]] and [[User: Kartik|Kartik]]
|-
| Me and My Pets 3D
| String buffer overflow
| The game stores some strings in the savegame. Using a large enough string, one can overwrite addresses on the stack and form a ROP chain.
| None
| App: Initial Version
| June 24, 2022
| June 12, 2022
| [[User: Kartik|Kartik]]
|}
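The Mononoke Forest, Me and My Pets 3D and Picross 3D: Round 2 rows describe the same loader mistake from two angles: the header is validated, the body is trusted, and either a string is copied into a fixed stack buffer without a length check or an index read from the save selects an object without a range check. The following is an added example (not code from any of these games or from 3dbrew) that models both patterns in one toy save loader and shows the hardened counterpart; the save layout, field sizes, magic value and function names are assumptions chosen for illustration.

```c
/* Added example for the Mononoke Forest and Picross 3D: Round 2 rows above.
 * Not code from either game or from 3dbrew: the save layout, field sizes
 * and function names are assumptions chosen to model the two bugs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAVE_MAGIC     0x45564153u  /* "SAVE" little-endian, assumed header value */
#define NAME_FIELD_LEN 64           /* on-disk profile-name field, assumed */
#define NAME_BUF_LEN   32           /* in-game stack buffer, assumed (smaller than the field) */
#define NUM_SLOTS      3            /* Picross description: object array of 3 elements */

enum { SAVE_OK = 0, SAVE_BAD_HEADER = -1, SAVE_BAD_NAME = -2, SAVE_BAD_SLOT = -3 };

struct save_file {
    uint32_t magic;                    /* the only field the game validates */
    char     profile_name[NAME_FIELD_LEN];
    uint32_t last_slot;                /* last interacted save slot index, unchecked */
};

struct slot_obj { const char *label; int (*on_select)(void); };
static int slot_noop(void) { return SAVE_OK; }
static struct slot_obj slots[NUM_SLOTS] = {
    {"slot0", slot_noop}, {"slot1", slot_noop}, {"slot2", slot_noop}};

/* Vulnerable pattern: header checked, body trusted. Do not call on crafted input. */
int load_profile_unsafe(const struct save_file *sv) {
    char name[NAME_BUF_LEN];
    if (sv->magic != SAVE_MAGIC) return SAVE_BAD_HEADER;
    strcpy(name, sv->profile_name);            /* smashes the stack if no NUL within 32 bytes */
    return slots[sv->last_slot].on_select();   /* OOB read and indirect call if last_slot >= 3 */
}

/* Hardened: every value read from the save is range-checked before use. */
int load_profile_safe(const struct save_file *sv) {
    char name[NAME_BUF_LEN];
    const char *nul;
    size_t n;
    if (sv->magic != SAVE_MAGIC) return SAVE_BAD_HEADER;
    nul = memchr(sv->profile_name, '\0', NAME_FIELD_LEN);
    if (nul == NULL) return SAVE_BAD_NAME;       /* field is not terminated at all */
    n = (size_t)(nul - sv->profile_name);
    if (n >= NAME_BUF_LEN) return SAVE_BAD_NAME; /* must fit together with its terminator */
    memcpy(name, sv->profile_name, n + 1);
    if (sv->last_slot >= NUM_SLOTS) return SAVE_BAD_SLOT;
    return slots[sv->last_slot].on_select();
}

/* Constructed inputs: a normal save and one shaped like the exploits described above. */
void make_benign_save(struct save_file *sv) {
    memset(sv, 0, sizeof *sv);
    sv->magic = SAVE_MAGIC;
    strcpy(sv->profile_name, "Player");
    sv->last_slot = 1;
}
void make_crafted_save(struct save_file *sv) {
    memset(sv, 0, sizeof *sv);
    sv->magic = SAVE_MAGIC;                        /* header check passes */
    memset(sv->profile_name, 'A', NAME_FIELD_LEN); /* no terminator anywhere in the field */
    sv->last_slot = 0x2000;                        /* far past the 3-entry array */
}

int main(void) {
    struct save_file sv;
    make_benign_save(&sv);
    printf("benign:  %d\n", load_profile_safe(&sv));
    make_crafted_save(&sv);
    printf("crafted: %d\n", load_profile_safe(&sv));
    return 0;
}
```

The hardened loader rejects the crafted save twice over (unterminated name, then out-of-range slot) before any copy or indirect call happens; the unsafe variant is kept only to show the shape of the bug and is never run on the crafted input.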
* "Luxor:" Strings/plaintext are present in the savefile and there are no checks. Overwriting the whole save (excluding the header) with /dev/random causes a useless crash.
* "Luv Me Buddies Wonderland:" Doesn't crash at all with the entire savedata overwritten. Overwriting some areas only yields useless null pointers.
==Crashes needing investigation==
| 2012
| [[User:Ichfly|Ichfly]]
|-
| 3DS [[System Settings]] stack smash via title strings in [[DSiWare_Exports]]
| DSiWare export banners contain 16 consecutive 0x100-byte UTF-16 game title strings for different languages. Nintendo correctly limits the string's maximum length by placing a NUL at str[127] before it is copied to the stack. However, the stack buffer is not large enough for all 128 wchars (char/wchar type confusion?), so an attacker can craft a valid full-length string that smashes the stack at about str+0xEC. ROP execution can then be obtained from this crash in DSiWare Data Management, as demonstrated [https://github.com/zoogie/Bannerbomb3 here].
Interesting note: a line feed wchar (00 0A) at any point in the string before the crash offset will prevent the crash from occurring.
| [[11.17.0-50]]
| [[11.13.0-45]]
| Dec. 2018
| Zoogie
|-
| 3DS SAFE_MODE [https://www.3dbrew.org/wiki/System_Settings#System_Updater System Updater] stack smash from proxy-url string
| During [[Recovery Mode]], after all 3 wifi slots fail to find an access point for the system update, the user is permitted to enter the wifi settings to make changes. If the proxy-URL field string's NUL terminator had been altered beforehand, a stack smash occurs when the user selects Proxy Settings -> Detailed Setup and the corrupted URL string is displayed.
This is a difficult crash to control because the URL string is converted from ASCII to UTF-16 between the wifi slot and the stack (every second byte that lands on the stack is 0x00), which effectively reduces the available gadgets to 0.4% of the normal amount. It is possible to improvise an "escape" using an eoreq pc w/shift gadget to combine registers and form a jump that can reach 1/2 of all available gadgets.
Because this exploit runs *under* SAFE_MODE, it is possible to run safehax with one's choice of k11 and arm9 hax. Prerequisite: a userland exploit with cfg:s/i access to modify the wifi slot. A demonstration can be viewed [https://github.com/zoogie/unSAFE_MODE here].
| None
| [[11.13.0-45]]
| Jan. 2020
| Zoogie
|-
| [[Nintendo 3DS Sound]]
| June/July 2016
| [[User:nedwill|nedwill]]
|-
| [[EShop]]
| When creating an audio decoder object for the moflex movie player, if the audio codec is PCM16, the application uses an uninitialized value as a pointer. One can spray the heap to get control of that pointer and achieve ROP.
| None
| [[11.14.0-46]]
| 2020
| [[User:Nba_Yoh|MrNbaYoh]]
|}
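Two rows above turn on how UTF-16 strings behave on the way to the stack: the DSiWare export title strings (16 entries of 0x100 bytes, a forced NUL at str[127], a stack smash at about str+0xEC unless a line feed appears first) and the SAFE_MODE proxy URL (ASCII widened to UTF-16, which constrains every 32-bit stack word an attacker can place). The following is an added example, not code from Bannerbomb3, unSAFE_MODE or 3dbrew: it parses a constructed title block against the limits the table states and filters candidate gadget addresses by the ASCII-to-UTF-16 constraint. The crash threshold is an assumption read off "about str+0xEC" as a byte offset (code unit 118), the accepted URL byte set is assumed to be any non-NUL 7-bit byte, and all names are made up here.

```c
/* Added example for the DSiWare export title-string and SAFE_MODE proxy-URL rows above.
 * Not code from Bannerbomb3, unSAFE_MODE or 3dbrew; names are made up here and the
 * crash threshold is an assumption taken from the "about str+0xEC" figure in the table. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_LANGS     16           /* 16 consecutive title strings in the banner */
#define TITLE_BYTES     0x100        /* each 0x100 bytes of UTF-16LE */
#define FORCED_NUL_IDX  127          /* Nintendo writes a NUL at str[127] before the copy */
#define CRASH_WCHAR_IDX (0xEC / 2)   /* assumption: "about str+0xEC" read as a byte offset */

struct title_report {
    unsigned length;    /* UTF-16 code units before the first NUL (at most 127) */
    int      overlong;  /* 1 if the copy reaches the offset where the stack is smashed */
    int      lf_before; /* 1 if U+000A occurs before that offset (the page: this stops the crash) */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Measure title string `lang` of a raw 16-entry title block. */
struct title_report inspect_title(const uint8_t *titles, unsigned lang) {
    struct title_report r = {0, 0, 0};
    const uint8_t *s = titles + (size_t)lang * TITLE_BYTES;
    unsigned i;
    for (i = 0; i < FORCED_NUL_IDX; i++) {
        uint16_t c = rd16le(s + 2 * i);
        if (c == 0) break;
        if (c == 0x000A && i < CRASH_WCHAR_IDX) r.lf_before = 1;
    }
    r.length = i;
    r.overlong = (i >= CRASH_WCHAR_IDX);
    return r;
}

/* Titles long enough to smash the stack that carry no line feed to stop it. */
unsigned count_dangerous_titles(const uint8_t *titles) {
    unsigned lang, n = 0;
    for (lang = 0; lang < TITLE_LANGS; lang++) {
        struct title_report r = inspect_title(titles, lang);
        if (r.overlong && !r.lf_before) n++;
    }
    return n;
}

/* SAFE_MODE constraint: the proxy URL is ASCII and is widened to UTF-16 before it reaches
 * the stack, so byte b lands as the code unit 0x00bb. A little-endian 32-bit stack word
 * built from it must therefore look like 0x00XX00YY, with XX and YY being accepted URL bytes. */
int addr_reachable_via_ascii_utf16(uint32_t addr) {
    uint8_t b0 = (uint8_t)addr, b1 = (uint8_t)(addr >> 8);
    uint8_t b2 = (uint8_t)(addr >> 16), b3 = (uint8_t)(addr >> 24);
    if (b1 != 0 || b3 != 0) return 0;
    /* assumption: the URL field accepts any non-NUL 7-bit byte */
    return b0 != 0 && b0 < 0x80 && b2 != 0 && b2 < 0x80;
}

/* Constructed sample: lang 0 "Game", lang 1 127 x 'A', lang 2 the same with U+000A at index 5. */
void build_sample_titles(uint8_t *buf) {
    static const char benign[] = "Game";
    unsigned i;
    memset(buf, 0, TITLE_LANGS * TITLE_BYTES);
    for (i = 0; benign[i]; i++) buf[2 * i] = (uint8_t)benign[i];
    for (i = 0; i < FORCED_NUL_IDX; i++) buf[1 * TITLE_BYTES + 2 * i] = 'A';
    for (i = 0; i < FORCED_NUL_IDX; i++) buf[2 * TITLE_BYTES + 2 * i] = 'A';
    buf[2 * TITLE_BYTES + 2 * 5] = 0x0A;   /* low byte of code unit 0x000A */
}

int main(void) {
    static uint8_t titles[TITLE_LANGS * TITLE_BYTES];
    build_sample_titles(titles);
    printf("dangerous titles: %u\n", count_dangerous_titles(titles));
    printf("0x00100041 usable: %d\n", addr_reachable_via_ascii_utf16(0x00100041u));
    return 0;
}
```

Only the second constructed title counts as dangerous: the first is short, and the third is full length but contains the line feed that the table reports as suppressing the crash. The address filter is the reason the gadget pool shrinks so much in the SAFE_MODE case: any gadget whose address has a non-zero second or fourth byte is simply unreachable through the widened string.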
! Timeframe this was discovered
! Discovered by
|-
| u8 brightness setting OOB index (menuhax67)
| Config block 0x50001 contains a u8 brightness setting (normally 1-5) that is used as an index into a table of u32 addresses, and it can be set to an out-of-bounds value. Within cfg block 0x50009 there is a single attacker-controllable u32 that lies within the u8 index's reach. With these set properly, one can eventually redirect a function pointer to an address of their choice. This is triggered after the Home Menu quick launch tab is activated. POC [https://github.com/zoogie/menuhax67 here].
| None
| [[11.13.0-45]]
|
| October 4, 2020
| September, 2020
| Zoogie
|-
| bossbannerhax