3dbrew

Changes

3DS Userland Flaws (edit)

Revision as of 23:48, 25 July 2019

815 bytes added ,  23:48, 25 July 2019
→‎System applications
Line 301: Line 301:  
| 2012
 
| 2012
 
| [[User:Ichfly|Ichfly]]
 
| [[User:Ichfly|Ichfly]]
 +
|-
 +
| 3DS [[System Settings]] stack smash via title strings in [[DSiWare_Exports]]
 +
| DSiWare export banners contain 16 consecutive 0x100 byte, utf-16 game title strings for different languages. Nintendo correctly limits the string's max length by placing a NULL at str[127] before it's copied to the stack. However, they didn't allocate enough space for all 128 wchars (char/wchar type confusion?), so an attacker can craft a valid full-length string that will crash the stack at about str+0xEC. ROP execution can then be obtained from this crash in DSiWare Data Management as demonstrated [https://github.com/zoogie/Bannerbomb3 here].
 +
 +
Interesting note: A line feed wchar (00 0A) at any point in the string before the crash offset will prevent the crash from occurring.
 +
| None
 +
| [[11.10.0-43]]
 +
| Dec. 2018
 +
| Zoogie
 
|-
 
|-
 
| [[Nintendo 3DS Sound]]
 
| [[Nintendo 3DS Sound]]
EvilFlight
48

edits

Retrieved from "https://www.3dbrew.org/wiki/Special:MobileDiff/21029"