Changes

917 bytes added, 23:03, 22 March 2016
Line 621: Line 621:  
| February 23, 2016 (Unknown if it was noticed before then)
 
| February 23, 2016 (Unknown if it was noticed before then)
 
| February 23, 2016
 
| February 23, 2016
 +
| [[User:Yellows8|Yellows8]]
 +
|-
 +
| [[HTTP_Services|HTTP]]: Using CTRSDK heap with sharedmem from the user-process.
 +
| The data from httpcAddPostDataAscii and other commands is stored under a CTRSDK heap. That heap is the sharedmem specified by the user-process via the HTTPC Initialize command.
 +
Normally this sharedmem isn't accessible to the user-process once the sysmodule maps it, hence using it is supposed to be "safe".
 +
 +
This isn't the case due to gspwn however. Since CTRSDK heap code is so insecure in general, one can use gspwn to locate the HTTPC sharedmem + read/write it, then trigger a mem-write under the sysmodule. This can then be used to get ROP going under HTTP-sysmodule.
 +
 +
This is exploited by [https://github.com/yellows8/ctr-httpwn/ctr-httpwn ctr-httpwn].
 +
| ROP under HTTP sysmdule.
 +
| None
 +
| [[9.6.0-24|9.6.0-X]] (Latest sysmodule version as of [[10.7.0-32|10.7.0-32]])
 +
| Late 2015
 +
| March 22, 2016
 
| [[User:Yellows8|Yellows8]]
 
| [[User:Yellows8|Yellows8]]
 
|-
 
|-
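Review bot: The summary cell "ROP under HTTP sysmdule." in the new row has a typo ("sysmdule" for "sysmodule"), and the link target [https://github.com/yellows8/ctr-httpwn/ctr-httpwn ctr-httpwn] carries a repeated "ctr-httpwn" path segment that looks like a paste error; verify the URL resolves before the row is kept. The description is otherwise consistent with the rest of the row: it attributes the issue to the HTTP sysmodule storing POST data in the CTRSDK heap backed by user-supplied sharedmem, gives "None" as the fixed version and "[[9.6.0-24|9.6.0-X]]" as the latest sysmodule version, so a reader should understand the flaw as unpatched as of the 10.7.0-32 reference in the row. Consider stating in the description that the root cause is the sysmodule trusting memory the user-process controls (via gspwn) rather than the heap code alone, since that is the point the "supposed to be safe" sentence is making.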