3DS Userland Flaws: Difference between revisions
No edit summary |
|||
| (8 intermediate revisions by 5 users not shown) | |||
| Line 82: | Line 82: | ||
| slackerSnail, 12Me12, incvoid | | slackerSnail, 12Me12, incvoid | ||
Exploited by MrNbaYoh and [[User:Plutooo|plutoo]]. | Exploited by MrNbaYoh and [[User:Plutooo|plutoo]]. | ||
|- | |||
| SmileBASIC 3.x | |||
| Subscripted TIME$/DATE$ allow write access to DATA/BSS | |||
| Utf-16 characters can be assigned to subscripted TIME$/DATE$ interpreter sysvars which results in write-only access to all of DATA and some BSS in userland. | |||
TIME$[0]/DATE$[0] actually point to somewhere in rodata, and an overly large subscript can be used to write well past it and into the aforementioned areas. Demo [https://github.com/zoogie/smilehax-IIe here.] | |||
| App: 3.6.2 (3.6.0 latest for US/EU, JP appvers. can be downgraded) | |||
| System: [[11.13.0-45]]. | |||
| April 2020 | |||
| February 2020 | |||
| bug publicly documented [https://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fsmilebasic.com%2Fdebug%2Farchive%2F here.] | |||
Exploited by Zoogie | |||
|- | |- | ||
| The Legend of Zelda: Tri Force Heroes | | The Legend of Zelda: Tri Force Heroes | ||
| Line 168: | Line 179: | ||
| August 29, 2017 | | August 29, 2017 | ||
| August, 2017 | | August, 2017 | ||
| [[User:Nba_Yoh|MrNbaYoh]] | | [[User:Nba_Yoh|MrNbaYoh]], [[User: ChampionLeake|ChampionLeake]] | ||
|- | |- | ||
| Pokemon Omega Ruby/Alpha Sapphire | | Pokemon Omega Ruby/Alpha Sapphire | ||
| Line 205: | Line 216: | ||
| February 8, 2019 | | February 8, 2019 | ||
| [[User: ChampionLeake|ChampionLeake]] and [[User: Kartik|Kartik]] | | [[User: ChampionLeake|ChampionLeake]] and [[User: Kartik|Kartik]] | ||
|- | |||
| Picross 3D: Round 2 | |||
| Out of bounds array access allowing to point to fabricated objects and vtable | |||
| Game only checks save header. With the last interacted save slot index at +0xb270 in the save data unchecked we can achieve a predictable out of bounds access, as well inserting ROP data without detecting save corruption. Game references an object from an array of 3 elements and passes it to a function that will read object pointers and hit a vtable call. With a copy save data left in memory and a properly calculated index, we can point to a fake object position in the save, vtable jump to a stack pivot and start the ROP chain. | |||
| None | |||
| App: Initial version | |||
| September 10, 2020 | |||
| August 24, 2020 | |||
| [[User: Luigoalma|Luigoalma]] and [[User: Kartik|Kartik]] | |||
|- | |||
| Me and My Pets 3D | |||
| String buffer overflow | |||
| The game stores some strings in the savegame. Using a large enough string, once can overwrite addresses on the stack and form a ropchain. | |||
| None | |||
| App: Initial Version | |||
| June 24, 2022 | |||
| June 12, 2022 | |||
| [[User: Kartik|Kartik]] | |||
|} | |} | ||
| Line 315: | Line 344: | ||
Interesting note: A line feed wchar (00 0A) at any point in the string before the crash offset will prevent the crash from occurring. | Interesting note: A line feed wchar (00 0A) at any point in the string before the crash offset will prevent the crash from occurring. | ||
| [[11.17.0-50]] | |||
| [[11.13.0-45]] | |||
| Dec. 2018 | |||
| Zoogie | |||
|- | |||
| 3DS SAFE_MODE [https://www.3dbrew.org/wiki/System_Settings#System_Updater System Updater] stack smash from proxy-url string | |||
| During [[Recovery Mode]] and after all 3 wifi slots fail to find an access point for sysupdate, a user is permitted to access the wifi settings mode to make changes. Here, if the proxy-url field string's NULL terminator had been altered beforehand, a stack smash can occur when the user selects Proxy Settings -> Detailed Setup and the corrupted url string is displayed. | |||
This is a difficult crash to control because the url string is converted from ascii to utf-16 between the slot and stack, effectively reducing the available gadgets to 0.4% of the normal amount. It's possible to improvise an "escape" using an eoreq pc w/shift gadget to combine registers and form a jump that can access 1/2 of all available gadgets. | |||
Because this exploit runs *under* SAFE_MODE, it's possible to run safehax with one's choice of k11 and arm9 hax. Prerequisite: a userland exploit with cfg:s/i access to modify the wifi slot. A demonstration can be viewed [https://github.com/zoogie/unSAFE_MODE here]. | |||
| None | | None | ||
| [[11. | | [[11.13.0-45]] | ||
| | | Jan. 2020 | ||
| Zoogie | | Zoogie | ||
|- | |- | ||
| Line 326: | Line 366: | ||
| June/July 2016 | | June/July 2016 | ||
| [[User:nedwill|nedwill]] | | [[User:nedwill|nedwill]] | ||
|- | |||
| [[EShop]] | |||
| When creating an audio decoder object for the moflex movie player, if the audio codec is PCM16, the application uses an uninitialized value as a pointer. One can spray the heap to get control of that pointer and achieve ROP. | |||
| None | |||
| [[11.14.0-46]] | |||
| 2020 | |||
| [[User:Nba_Yoh|MrNbaYoh]] | |||
|} | |} | ||
| Line 395: | Line 442: | ||
! Timeframe this was discovered | ! Timeframe this was discovered | ||
! Discovered by | ! Discovered by | ||
|- | |||
| u8 brightness setting OOB index (menuhax67) | |||
| Config block 0x50001, which contains a u8 brightness setting that indexes a table of u32 addresses, can be set to an out-of-bounds index (it's normally 1-5). Located within cfg block 0x50009, there exists a single controllable u32 that's located within the u8's range. With these set properly, one can eventually redirect a function pointer to an address of their choice. This is triggered after the Home Menu quick launch tab is activated. POC [https://github.com/zoogie/menuhax67 here]. | |||
| None | |||
| [[11.13.0-45]] | |||
| | |||
| October 4, 2020 | |||
| September, 2020 | |||
| Zoogie | |||
|- | |- | ||
| bossbannerhax | | bossbannerhax | ||