| When sending cmdreplies, it does not validate that the src_addr and src_size match the equivalent dst_addr and dst_size. With a modified addr/size specified in a cmdreply for an output buffer, the data-copy for the first/last pages could be used to overwrite data outside of the buffer specified by the original process.
+
+
Used by ctr-httpwn as of v1.2, for "ipctakeover/bosshaxx".
+
+
This can be used to takeover processes where the process is using your service session. Like HTTPC -> BOSS, for bosshaxx above. NIM takeover can be done too(actual stack buffer overflow can trigger), etc.
+
| See description.
+
| None
+
| [[11.2.0-35|11.2.0-X]]
+
| November 26, 2016
+
| [[User:Yellows8|Yellows8]]
+
|-
+
| Using IPC input buffers as output buffers
+
| When sending cmdreplies, it does not validate that the cmdreply descriptor type matches the equivalent cmdreq descriptor type. This could be used by an exploited sysmodule to use what was intended as an input-buffer as an output-buffer, and also combine other IPC vuln(s) with this.
+
+
Used by ctr-httpwn as of v1.2, for "ipctakeover/bosshaxx".