Changes

975 bytes added ,  00:46, 12 January 2015
Line 199: Line 199:  
!  Summary
 
!  Summary
 
!  Description
 
!  Description
 +
!  Successful exploitation result
 
!  Fixed in system version
 
!  Fixed in system version
 +
!  Last FIRM version this flaw was checked for
 +
!  Timeframe this was discovered
 +
|-
 +
| gspwn
 +
| GSP module does not validate addresses given to the GPU. This allows a user-mode game to read/write to a large part of physical FCRAM using GPU DMA. From this, you can overwrite the .text segment of the game you're running under, and gain real code-execution from a ROP-chain.
 +
 +
| User-mode code execution.
 +
| None
 +
| [[9.4.0-21]]
 +
|
 +
|-
 +
| ropwn
 +
| Using gspwn, it is possible to overwrite a loaded [[CRO0]]/[[CRR0]] after its RSA-signature has been validated. Badly validated [[CRO0]] header leads to arbitrary read/write of memory in the ro-process. This gives code-execution in the ro module, who has access to [[SVC|syscalls]] 0x70-0x72, 0x7D.
 +
 +
This was fixed after [[ninjhax]] release by adding checks on [[CRO0]]-based pointers before writing to them.
 +
| Memory-mapping syscalls.
 +
| [[9.3.0-21]]
 +
| [[9.4.0-21]]
 +
|
 
|-
 
|-
 
| 3DS [[System Settings]] DS profile string stack-smash
 
| 3DS [[System Settings]] DS profile string stack-smash
 
| Too long or corrupted strings (01Ah  2  Nickname length in characters    050h  2  Message length in characters) in the NVRAM DS user settings (System Settings->Other Settings->Profile->Nintendo DS Profile) cause it to crash in 3DS-mode due to a stack-smash. The DSi is not vulnerable to this, DSi launcher(menu) and DSi System Settings will reset the NVRAM user-settings if the length field values are too long(same result as when the CRCs are invalid). TWL_FIRM also resets the NVRAM user-settings when the string-length(s) are too long.
 
| Too long or corrupted strings (01Ah  2  Nickname length in characters    050h  2  Message length in characters) in the NVRAM DS user settings (System Settings->Other Settings->Profile->Nintendo DS Profile) cause it to crash in 3DS-mode due to a stack-smash. The DSi is not vulnerable to this, DSi launcher(menu) and DSi System Settings will reset the NVRAM user-settings if the length field values are too long(same result as when the CRCs are invalid). TWL_FIRM also resets the NVRAM user-settings when the string-length(s) are too long.
 +
| ROP in mset.
 +
| [[7.0.0-13]]
 
| [[7.0.0-13]]
 
| [[7.0.0-13]]
 +
| 2012
 
|}
 
|}
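Review bot: the new "Timeframe this was discovered" column is left empty for both added rows (gspwn and ropwn) even though the ropwn description itself dates the fix relative to the ninjhax release; fill the cell for each new row, or mark it explicitly as unknown, so the column does not read as an omission. Two smaller points in the same hunk: the gspwn row's "Fixed in system version" cell says "None" while "Last FIRM version this flaw was checked for" says 9.4.0-21, which is correct but easier to read as "Not fixed (as of 9.4.0-21)"; and in the ropwn description "ro module, who has access to" should be "ro module, which has access to".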
