Changes

1,009 bytes added, 17:40, 12 January 2015
no edit summary
Line 41: Line 41:  
!  Description
 
!  Description
 
!  Successful exploitation result
 
!  Successful exploitation result
!  Fixed in system version
+
!  Fixed in [[FIRM]] system version
!  Last FIRM version this flaw was checked for
+
!  Last [[FIRM]] system version this flaw was checked for
 
!  Timeframe this was discovered
 
!  Timeframe this was discovered
 +
!  Discovered by
 
|-
 
|-
 
|  
 
|  
Line 50: Line 51:  
| None
 
| None
 
| [[9.3.0-21|9.3.0-X]]
 
| [[9.3.0-21|9.3.0-X]]
| 2012
+
| 2012  
 +
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
| [[Process_Services_PXI|ps:VerifyRsaSha256]] buffer overflow
+
| [[Process_Services_PXI|PS RSA]] commands buffer overflows
| Unchecked copy to a buffer in Process9's .bss. The buffer is located before the pxi cmdhandler threads' stacks.
+
| pxips9 cmd1(not accessible via ps:ps) and VerifyRsaSha256: unchecked copy to a buffer in Process9's .bss, from the input FCRAM buffer. The buffer is located before the pxi cmdhandler threads' stacks. SignRsaSha256 also has a buf overflow, but this isn't exploitable.
 +
The buffer for this is the buffer for the signature data. With v5.0, the signature buffer was moved to stack, with a check for the signature data size. When the signature data size is too large, Process9 uses [[SVC|svcBreak]].
 
| ARM9 code execution
 
| ARM9 code execution
| [[5.0.0-11]]
+
| [[5.0.0-11|5.0.0-X]]
 
|  
 
|  
 
| 2012
 
| 2012
 +
| [[User:Yellows8|Yellows8]]
 
|}
 
|}
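Review bot: the rewritten description for the PS RSA entry says SignRsaSha256 "also has a buf overflow, but this isn't exploitable" without saying what prevents exploitation; add that reason (or a pointer to where it is documented) so a reader can verify the claim, since the same paragraph treats the pxips9 cmd1 and VerifyRsaSha256 overflows as giving ARM9 code execution. The "Fixed in" cell change to `[[5.0.0-11|5.0.0-X]]` matches the `9.3.0-X` convention already used in the entry above, and the added `| [[User:Yellows8|Yellows8]]` cell keeps the row's column count in step with the new "Discovered by" header.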
   Line 66: Line 70:  
!  Description
 
!  Description
 
!  Successful exploitation result
 
!  Successful exploitation result
!  Fixed in system version
+
!  Fixed in [[FIRM]] system version
!  Last FIRM version this flaw was checked for
+
!  Last [[FIRM]] system version this flaw was checked for
 
!  Timeframe this was discovered
 
!  Timeframe this was discovered
 +
!  Discovered by
 
|-
 
|-
 
|  [[SVC]] table too small
 
|  [[SVC]] table too small
Line 78: Line 83:  
| [[9.3.0-21|9.3.0-21]]
 
| [[9.3.0-21|9.3.0-21]]
 
| 2012
 
| 2012
 +
|
 
|-
 
|-
 
|  [[SVC|svcBackdoor (0x7B)]]
 
|  [[SVC|svcBackdoor (0x7B)]]
Line 85: Line 91:  
| [[9.3.0-21|9.3.0-21]]
 
| [[9.3.0-21|9.3.0-21]]
 
|
 
|
 +
|
 
|-
 
|-
 
| [[Memory_layout#ARM11_Detailed_virtual_memory_map|0xEFF00000]] / 0xDFF00000 ARM11 kernel virtual-memory
 
| [[Memory_layout#ARM11_Detailed_virtual_memory_map|0xEFF00000]] / 0xDFF00000 ARM11 kernel virtual-memory
Line 91: Line 98:  
| None
 
| None
 
| [[9.3.0-21|9.3.0-21]]
 
| [[9.3.0-21|9.3.0-21]]
 +
|
 
|  
 
|  
 
|-
 
|-
Line 99: Line 107:  
|  
 
|  
 
| February 2014
 
| February 2014
 +
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
 
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions
 
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions
Line 106: Line 115:  
|  
 
|  
 
| 2012
 
| 2012
 +
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
 
| [[SVC|svcStartInterProcessDma]]
 
| [[SVC|svcStartInterProcessDma]]
Line 119: Line 129:  
|  
 
|  
 
| DmaConfig issue: unknown. The rest: 2014
 
| DmaConfig issue: unknown. The rest: 2014
 +
|
 
|-
 
|-
 
| [[SVC|svcControlMemory]] Parameter checks
 
| [[SVC|svcControlMemory]] Parameter checks
Line 131: Line 142:  
|  
 
|  
 
|
 
|
 +
|
 
|-
 
|-
 
| [[RPC_Command_Structure|Command]] request/response buffer overflow
 
| [[RPC_Command_Structure|Command]] request/response buffer overflow
Line 140: Line 152:  
|  
 
|  
 
| v4.1 FIRM -> v5.0 code diff
 
| v4.1 FIRM -> v5.0 code diff
 +
|
 
|-
 
|-
 
| [[SVC|SVC stack allocation overflows]]
 
| [[SVC|SVC stack allocation overflows]]
Line 153: Line 166:  
|  
 
|  
 
| v4.1 FIRM -> v5.0 code diff
 
| v4.1 FIRM -> v5.0 code diff
 +
|
 
|-
 
|-
 
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions
 
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions
Line 160: Line 174:  
|  
 
|  
 
| 2012
 
| 2012
 +
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
 
| [[RPC_Command_Structure|Command]] input/output buffer permissions
 
| [[RPC_Command_Structure|Command]] input/output buffer permissions
Line 167: Line 182:  
|  
 
|  
 
| 2012
 
| 2012
 +
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
 
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
 
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
Line 174: Line 190:  
|  
 
|  
 
| 2012?
 
| 2012?
 +
| [[User:Yellows8|Yellows8]]
 
|}
 
|}
   Line 181: Line 198:  
!  Summary
 
!  Summary
 
!  Description
 
!  Description
!  Fixed in system version
+
!  Successful exploitation result
 +
!  Fixed in [[FIRM]] system version
 +
!  Last [[FIRM]] system version this flaw was checked for
 +
!  Timeframe this was discovered
 +
!  Discovered by
 
|-
 
|-
 
| [[Services|"srv:pm"]] process registration
 
| [[Services|"srv:pm"]] process registration
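Review bot: this header grows from three columns to seven (adding Successful exploitation result, Fixed in FIRM version, Last FIRM version checked, Timeframe and Discovered by), which brings it in line with the other tables on the page; every row of this table must gain the same four cells, otherwise the MediaWiki table renders misaligned.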
Line 189: Line 210:     
This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
 
This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
 +
| Access to arbitrary services
 
| [[7.0.0-13]]
 
| [[7.0.0-13]]
 +
|
 +
| 2012
 +
| [[User:Yellows8|Yellows8]]
 
|}
 
|}
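Review bot: the new "Last [[FIRM]] system version this flaw was checked for" cell is left empty (`|`) for srv:pm even though the entry gives a fix version of [[7.0.0-13]]; the PS RSA row in the Line 50 hunk leaves the same cell empty while the first row of that table fills it with `9.3.0-X`, so either fill this cell with the version the fix was verified against or state in the header that the column applies only to unfixed flaws.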
   Line 201: Line 226:  
!  Last system version this flaw was checked for
 
!  Last system version this flaw was checked for
 
!  Timeframe this was discovered
 
!  Timeframe this was discovered
 +
!  Discovered by
 
|-
 
|-
 
| gspwn
 
| gspwn
Line 207: Line 233:  
| None
 
| None
 
| [[9.4.0-21]]
 
| [[9.4.0-21]]
 +
|
 
|  
 
|  
 
|-
 
|-
Line 216: Line 243:  
| [[9.3.0-21]]
 
| [[9.3.0-21]]
 
| [[9.4.0-21]]
 
| [[9.4.0-21]]
 +
|
 
|  
 
|  
 
|}
 
|}
Line 228: Line 256:  
!  Last system version this flaw was checked for
 
!  Last system version this flaw was checked for
 
!  Timeframe this was discovered
 
!  Timeframe this was discovered
 +
!  Discovered by
 
|-
 
|-
 
| 3DS [[System Settings]] DS profile string stack-smash
 
| 3DS [[System Settings]] DS profile string stack-smash
Line 235: Line 264:  
| [[7.0.0-13]]
 
| [[7.0.0-13]]
 
| 2012
 
| 2012
 +
| Whoever originally added the vuln info for this to 3dbrew.
 
|}
 
|}
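Review bot: "Whoever originally added the vuln info for this to 3dbrew." is a placeholder rather than an attribution; the page history identifies that editor, so either link the user as the other rows do (`[[User:...|...]]`) or leave the cell empty like the unattributed rows in the Line 78 and Line 85 hunks.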