Switch System Flaws: Difference between revisions
Rambo6Glaz (talk | contribs) No edit summary
Line 1,067:
| [[User:Yellows8|yellows8]]
|}
=== Enl ===
This section documents vulnerabilities for Enl. A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2
.
{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in Enl version
! Last Enl version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| enl::TransportManager::updateReceiveBuffer_() nullptr deref
| enl::TransportManager::updateReceiveBuffer_() is called when the ENL framework receives a PIA packet from a client, it will fully trust the ENL header which includes a "ContentTransporter" type (ID / Index) and a length.
The function will try to fetch the content transporter by ID using <code>enl::TransportManager::getContentTransporter(unsigned char const &)</code>
Then it will try to dereference the pointer to call a virtual method: <code>virtual size_t readyReceiveStream(enl::RamReadStream&, enl::Buffer*, size_t)</code>
[https://gist.github.com/Rambo6Glaz/c088e2ed7a12db08f6322e9f7a3c4911 Pseudocode of the function before it was fixed]
| nullptr dereference triggered by an invalid content transporter type in the ENL header (it will crash the game/process)
| Unknown
| Depends on the game
| Early April 2022
| November 16, 2022
| [[User:Rambo6Glaz|Rambo6Glaz]]
|}
There's another one more interesting but it will have to wait a bit :)
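Review bot: the "Fixed in Enl version" cell reads "Unknown" and the "Last Enl version this flaw was checked for" cell reads "Depends on the game", so a reader cannot tell which Enl builds or which game versions still carry the unchecked ContentTransporter lookup; please record at least the game and version from which the linked pseudocode was taken, and the versions actually tested, as the other rows of this page do. Two smaller points in the same hunk: the lone "." after "Mario Maker 2" will render as its own paragraph, so join it to the preceding sentence ("... Mario Maker 2."), and the closing line "There's another one more interesting but it will have to wait a bit :)" is a personal remark rather than a flaw entry and belongs in the edit summary or on the talk page, not in the section body.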