Changes

Jump to navigation Jump to search
2,379 bytes added ,  21:44, 1 June 2020
CECD vulnerabilities
Line 956: Line 956:  
!  Timeframe this was added to wiki
 
!  Timeframe this was added to wiki
 
!  Discovered by
 
!  Discovered by
 +
|-
 +
| [[CECD_Services|CECD]] message box access
 +
| CECD allows any process to write to any message box, thus allowing to write Streetpass data to the message box of any title.
 +
| Install exploit for any title having a vulnerability in Streetpass data parsers (see CTRSDK Streetpass parser vulnerability).
 +
| None
 +
| None
 +
| ?
 +
| June 1, 2020
 +
| Everyone?
 +
|-
 +
| [[CECD_Services|CECD]] packet type 0x32/0x34 stack-smashing
 +
| When parsing Streetpass packets of type 0x32 and 0x34, CECD copies a list without checking the number of entries. The packet length is limited to 0x400 bytes, which is not enough to reach the end of the stack frame and overwrite the return address. However, the buffer located just next to the packet buffer is actually filled with data sent just before, hence actually allowing to overwrite the whole stack frame with conrolled data.
 +
| RCE under [[CECD_Services|CECD]]
 +
| [[11.12.0-44]]
 +
| [[11.12.0-44]]
 +
| Summer 2019
 +
| June 1, 2020
 +
| [[User:Nba_Yoh|MrNbaYoh]]
 +
|-
 +
| [[CECD_Services|CECD]] TMP files parser multiple vulnerabilities
 +
| When parsing "TMP_XXX" files, CECD does not check the number of messages contained in the file. This allows to overflow the array of message pointers and message sizes on the stack. Pointers aren't controlled and sizes are limited (one cannot send gigabytes of data...), yet the last message size can be an arbitrary value (the current message pointer goes outside the file buffer and the parsing loop is broken). This allows to overwrite a pointer to a lock object on the stack and decrement an arbitrary value in memory. One can change the TMP file parsing mode to have CECD trying to free all the message buffers after parsing the next TMP file. The parsing mode is usually restored when parsing a new TMP file, but an invalid TMP file allows to make a function returns an error before the mode is restored , the return value is not checked and the parser consider the file valid. The message pointers and sizes arrays are not updated though, this is not a problem since the previous TMP file buffer is reused for the new TMP file in memory. Thus the message pointers actually points to controlled data. This allows to get a bunch of fake heap chunk freed, thus a bunch of unsafe unlink arbitrary writes.
 +
| RCE under [[CECD_Services|CECD]]
 +
| [[11.12.0-44]]
 +
| [[11.12.0-44]]
 +
| Summer 2019
 +
| June 1, 2020
 +
| [[User:Nba_Yoh|MrNbaYoh]]
 
|-
 
|-
 
| [[Config_Services|CFG]]:CreateConfigInfoBlk integer underflow
 
| [[Config_Services|CFG]]:CreateConfigInfoBlk integer underflow
Line 965: Line 992:  
| November 24, 2018
 
| November 24, 2018
 
| [[User:Nba_Yoh|MrNbaYoh]]
 
| [[User:Nba_Yoh|MrNbaYoh]]
|-
   
|-
 
|-
 
| [[MP:SendDataFrame]] missing input array index validation
 
| [[MP:SendDataFrame]] missing input array index validation
28

edits

Navigation menu