6,264
edits
Changes
Jump to navigation
Jump to search
Line 41:
Line 41: − + − + + Line 50:
Line 51: − + + − + − + + − + + Line 66:
Line 70: − + − + + Line 78:
Line 83: + Line 85:
Line 91: + Line 91:
Line 98: + Line 99:
Line 107: + Line 106:
Line 115: + Line 119:
Line 129: + Line 131:
Line 142: + Line 140:
Line 152: + Line 153:
Line 166: + Line 160:
Line 174: + Line 167:
Line 182: + Line 174:
Line 190: + Line 181:
Line 198: − + + + + + Line 189:
Line 210: + + + + Line 201:
Line 226: + Line 207:
Line 233: + Line 216:
Line 243: + Line 228:
Line 256: + Line 235:
Line 264: +
no edit summary
! Description
! Description
! Successful exploitation result
! Successful exploitation result
! Fixed in system version
! Fixed in [[FIRM]] system version
! Last FIRM version this flaw was checked for
! Last [[FIRM]] system version this flaw was checked for
! Timeframe this was discovered
! Timeframe this was discovered
! Discovered by
|-
|-
|
|
| None
| None
| [[9.3.0-21|9.3.0-X]]
| [[9.3.0-21|9.3.0-X]]
| 2012
| 2012
| [[User:Yellows8|Yellows8]]
|-
|-
| [[Process_Services_PXI|ps:VerifyRsaSha256]] buffer overflow
| [[Process_Services_PXI|PS RSA]] commands buffer overflows
| Unchecked copy to a buffer in Process9's .bss. The buffer is located before the pxi cmdhandler threads' stacks.
| pxips9 cmd1(not accessible via ps:ps) and VerifyRsaSha256: unchecked copy to a buffer in Process9's .bss, from the input FCRAM buffer. The buffer is located before the pxi cmdhandler threads' stacks. SignRsaSha256 also has a buf overflow, but this isn't exploitable.
The buffer for this is the buffer for the signature data. With v5.0, the signature buffer was moved to stack, with a check for the signature data size. When the signature data size is too large, Process9 uses [[SVC|svcBreak]].
| ARM9 code execution
| ARM9 code execution
| [[5.0.0-11]]
| [[5.0.0-11|5.0.0-X]]
|
|
| 2012
| 2012
| [[User:Yellows8|Yellows8]]
|}
|}
! Description
! Description
! Successful exploitation result
! Successful exploitation result
! Fixed in system version
! Fixed in [[FIRM]] system version
! Last FIRM version this flaw was checked for
! Last [[FIRM]] system version this flaw was checked for
! Timeframe this was discovered
! Timeframe this was discovered
! Discovered by
|-
|-
| [[SVC]] table too small
| [[SVC]] table too small
| [[9.3.0-21|9.3.0-21]]
| [[9.3.0-21|9.3.0-21]]
| 2012
| 2012
|
|-
|-
| [[SVC|svcBackdoor (0x7B)]]
| [[SVC|svcBackdoor (0x7B)]]
| [[9.3.0-21|9.3.0-21]]
| [[9.3.0-21|9.3.0-21]]
|
|
|
|-
|-
| [[Memory_layout#ARM11_Detailed_virtual_memory_map|0xEFF00000]] / 0xDFF00000 ARM11 kernel virtual-memory
| [[Memory_layout#ARM11_Detailed_virtual_memory_map|0xEFF00000]] / 0xDFF00000 ARM11 kernel virtual-memory
| None
| None
| [[9.3.0-21|9.3.0-21]]
| [[9.3.0-21|9.3.0-21]]
|
|
|
|-
|-
|
|
| February 2014
| February 2014
| [[User:Yellows8|Yellows8]]
|-
|-
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions
| PXI [[RPC_Command_Structure|Command]] input/output buffer permissions
|
|
| 2012
| 2012
| [[User:Yellows8|Yellows8]]
|-
|-
| [[SVC|svcStartInterProcessDma]]
| [[SVC|svcStartInterProcessDma]]
|
|
| DmaConfig issue: unknown. The rest: 2014
| DmaConfig issue: unknown. The rest: 2014
|
|-
|-
| [[SVC|svcControlMemory]] Parameter checks
| [[SVC|svcControlMemory]] Parameter checks
|
|
|
|
|
|-
|-
| [[RPC_Command_Structure|Command]] request/response buffer overflow
| [[RPC_Command_Structure|Command]] request/response buffer overflow
|
|
| v4.1 FIRM -> v5.0 code diff
| v4.1 FIRM -> v5.0 code diff
|
|-
|-
| [[SVC|SVC stack allocation overflows]]
| [[SVC|SVC stack allocation overflows]]
|
|
| v4.1 FIRM -> v5.0 code diff
| v4.1 FIRM -> v5.0 code diff
|
|-
|-
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions
| [[SVC|svcControlMemory]] MemoryOperation MAP memory-permissions
|
|
| 2012
| 2012
| [[User:Yellows8|Yellows8]]
|-
|-
| [[RPC_Command_Structure|Command]] input/output buffer permissions
| [[RPC_Command_Structure|Command]] input/output buffer permissions
|
|
| 2012
| 2012
| [[User:Yellows8|Yellows8]]
|-
|-
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
| [[SVC|svcReadProcessMemory/svcWriteProcessMemory memory]] permissions
|
|
| 2012?
| 2012?
| [[User:Yellows8|Yellows8]]
|}
|}
! Summary
! Summary
! Description
! Description
! Fixed in system version
! Successful exploitation result
! Fixed in [[FIRM]] system version
! Last [[FIRM]] system version this flaw was checked for
! Timeframe this was discovered
! Discovered by
|-
|-
| [[Services|"srv:pm"]] process registration
| [[Services|"srv:pm"]] process registration
This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
This flaw was needed for exploiting the <=v4.x Process9 PXI vulnerabilities from ARM11 userland ROP, since most applications don't have access to those service(s).
| Access to arbitrary services
| [[7.0.0-13]]
| [[7.0.0-13]]
|
| 2012
| [[User:Yellows8|Yellows8]]
|}
|}
! Last system version this flaw was checked for
! Last system version this flaw was checked for
! Timeframe this was discovered
! Timeframe this was discovered
! Discovered by
|-
|-
| gspwn
| gspwn
| None
| None
| [[9.4.0-21]]
| [[9.4.0-21]]
|
|
|
|-
|-
| [[9.3.0-21]]
| [[9.3.0-21]]
| [[9.4.0-21]]
| [[9.4.0-21]]
|
|
|
|}
|}
! Last system version this flaw was checked for
! Last system version this flaw was checked for
! Timeframe this was discovered
! Timeframe this was discovered
! Discovered by
|-
|-
| 3DS [[System Settings]] DS profile string stack-smash
| 3DS [[System Settings]] DS profile string stack-smash
| [[7.0.0-13]]
| [[7.0.0-13]]
| 2012
| 2012
| Whoever originally added the vuln info for this to 3dbrew.
|}
|}