Changes

457 bytes added ,  21:14, 2 January 2017
ntrcardhax description
Line 216: Line 216:  
|-
 
|-
 
| ntrcardhax
 
| ntrcardhax
|  
+
| When reading the banner of a NTR title, Process9 relies on a hardware register to know when the banner was fully read.
 +
However that register is shared between the ARM9 and the ARM11.
 +
An attacker with k11 control can so make Process9 believe the banner continues forever and so trigger a buffer overflow.
 +
With a custom banner for a NTR flashcart, this leads to code execution in Process9.
 +
 
 +
This was fixed by adding bound checks on the read data.
 
| ARM9 code execution
 
| ARM9 code execution
| 10.4.0-29
+
| [[10.4.0-29|10.4.0-X]]
 
|  
 
|  
 
| March 2015
 
| March 2015
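Review bot: The added description cell never names the register it depends on: it says only "a hardware register" that "is shared between the ARM9 and the ARM11". Naming or wiki-linking that register, and saying which buffer the banner is read into, would let a reader check both the overflow claim and the "bound checks on the read data" fix against the hardware documentation. In the third added line, "can so make Process9 believe the banner continues forever and so trigger a buffer overflow" is awkward; suggest "can therefore make Process9 believe the banner continues forever, triggering a buffer overflow", with "k11" expanded or linked on first use. The empty added line before "This was fixed by..." splits the cell into two paragraphs, so confirm that this renders as intended inside the table.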