Changes

1,874 bytes added ,  14:59, 20 November 2023
was going to wait until march-april, but N apparently confirmed to someone that there will be no more 3DS firmware updates ( https://nitter.net/RoseSilicon/status/1720635007788552396#m )
Line 1,399: Line 1,399:  
| See [https://switchbrew.org/wiki/Switch_System_Flaws#Pia here]; separately checked later (UpdateConnectionReport) by [[User:Riley|Riley]] on: June 14, 2023
 
| See [https://switchbrew.org/wiki/Switch_System_Flaws#Pia here]; separately checked later (UpdateConnectionReport) by [[User:Riley|Riley]] on: June 14, 2023
 
| [[User:Yellows8|Yellows8]]; added to 3dbrew (UpdateConnectionReport) by [[User:Riley|Riley]] later
 
| [[User:Yellows8|Yellows8]]; added to 3dbrew (UpdateConnectionReport) by [[User:Riley|Riley]] later
|}
+
|-
 +
| pialease nerf: stack overflow in Pia when parsing UDS packet cmd=5 "UpdateMigrationNodeInfoMessage"
 +
| A UDS packet as received by Pia contains a command type, where cmd=1 is higher-layer game-data, and other cmds are parsed internally.
 +
 
 +
A function named "UdsNode::ParseUpdateMigrationNodeInfoMessage" is called to handle packets with cmd=5.
 +
 
 +
This checks the player nodeID (returns if not player 1, that is, UDS network host), then calls an additional function which does a loop of 64-bit copies to a fixed-size stack buffer using unchecked index and data from the received packet contents.
 +
 
 +
This therefore leads to trivial RCE (of every UDS network client) by just sending a single UDS packet; only 0xC u64s on stack can be overwritten easily, but just 2 is enough to start a ROP chain and pivot to the rest of the UDS packet contents elsewhere on the stack.
 +
 
 +
To exploit some games, an attacker would need to also reimplement the DLP server protocol (and any quirks that game has when parsing the UDS network passphrase obtained from the DLP server). One game that requires this is Mario Party: Island Tour (only the dlplay child connects to a UDS network).
 +
 
 +
Earliest version of Pia known to be vulnerable is v2.x. v1.x still parses this packet, but does not have the stack-copy loop (index is still unchecked there leading to heap overflow but due to overwrites not being contiguous in memory it may or may not be exploitable).
 +
 
 +
Fixed with Pia version 4.x, which refactored the UDS send/receive wrapper code and parses completely different commands.
 +
| ROP under the vulnerable application. A server can exploit every client connected to it; a client can exploit every other client connected to that server.
 +
| "[SDK+Nintendo:PIA_4_2_0]"
 +
| "[SDK+Nintendo:PIA_3_10_2]", "[SDK+Nintendo:PIA_4_2_0]"
 +
| Discovery: June 3, 2023.
 +
 
 +
Wiki: November 20, 2023.
 +
| [[User:Riley|Riley]]}
39

edits