Changes

1,453 bytes added ,  16:51, 3 August 2015
Line 452: Line 452:  
!  Last system-module system-version this flaw was checked for
 
!  Last system-module system-version this flaw was checked for
 
!  Timeframe this was discovered
 
!  Timeframe this was discovered
 +
!  Timeframe this was added to wiki
 
!  Discovered by
 
!  Discovered by
 
|-
 
|-
Line 460: Line 461:  
| [[9.5.0-22]]
 
| [[9.5.0-22]]
 
| March 2015
 
| March 2015
 +
|
 
| plutoo
 
| plutoo
 
|-
 
|-
Line 471: Line 473:  
| New3DS: [[9.5.0-22]]
 
| New3DS: [[9.5.0-22]]
 
| December 2014?
 
| December 2014?
 +
|
 
| [[User:Yellows8|Yellows8]]
 
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
Line 479: Line 482:  
| [[9.7.0-25|9.7.0-X]]
 
| [[9.7.0-25|9.7.0-X]]
 
| December 2014
 
| December 2014
 +
|
 +
| [[User:Yellows8|Yellows8]]
 +
|-
 +
| [[NWMUDS:DecryptBeaconData]] heap buffer overflow
 +
| input_size = 0x1E * <value the u8 from input_[[NWM_Services|networkstruct]]+0x1D>. Then input_tag0 is copied to a heap buffer. When input_size is larger than 0xFA-bytes, it will then copy input_tag1 to <end_address_of_previous_outbuf>, with size=input_size-0xFA.
 +
 +
This can be triggered by either using this command directly, or by boadcasting a wifi beacon which triggers it while a 3DS system running the target process is in range, when the process is scanning for hosts to connect to. Processes will only pass tag data to this command when the wlancommID and other thing(s) match the values for the process.
 +
 +
There's no known way to actually exploit this for getting ROP under NWM-module, at the time of originally adding this to the wiki. This is because the data which gets copied out-of-bounds *and* actually causes crash(es), can't be controlled it seems(with just broadcasting a beacon at least). It's unknown whether this could be exploited from just using NWMUDS service-cmd(s) directly.
 +
| Without any actual way to exploit this: NWM-module DoS, resulting in process termination(process crash). This breaks *everything* involving wifi comms, a reboot is required to recover from this.
 +
| None
 +
| [[9.0.0-20]]
 +
| ~September 23, 2014(see the [[NWMUDS:DecryptBeaconData]] page history)
 +
| August 3, 2015
 
| [[User:Yellows8|Yellows8]]
 
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
Line 487: Line 504:  
| [[9.3.0-21]]
 
| [[9.3.0-21]]
 
| 2014?
 
| 2014?
 +
|
 
| [[User:Yellows8|Yellows8]]
 
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
Line 497: Line 515:  
| [[9.6.0-24|9.6.0-X]]
 
| [[9.6.0-24|9.6.0-X]]
 
| Early 2014
 
| Early 2014
 +
|
 
| smea, [[User:Yellows8|Yellows8]]/others before then
 
| smea, [[User:Yellows8|Yellows8]]/others before then
 
|-
 
|-
Line 506: Line 525:  
| [[9.3.0-21]]
 
| [[9.3.0-21]]
 
| [[9.4.0-21]]
 
| [[9.4.0-21]]
 +
|
 
|  
 
|  
 
| smea, plutoo joint effort
 
| smea, plutoo joint effort
Line 516: Line 536:  
| [[9.8.0-25|9.8.0-X]]
 
| [[9.8.0-25|9.8.0-X]]
 
| June(?) 2014
 
| June(?) 2014
 +
|
 
| [[User:Yellows8|Yellows8]]
 
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
Line 525: Line 546:  
| [[9.0.0-20]]
 
| [[9.0.0-20]]
 
| 2013?
 
| 2013?
 +
|
 
| [[User:Yellows8|Yellows8]]
 
| [[User:Yellows8|Yellows8]]
 
|}
 
|}