Switch System Flaws: Difference between revisions

Line 1,080:

|}

=== ~~Enl~~ ===

=== ENL ===

This section documents vulnerabilities for ~~Enl~~. A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2

This section documents vulnerabilities for [https://github.com/kinnay/NintendoClients/wiki/ENL-Protocol ENL].

.

A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2, and more.

Fun fact, this library appears to re-use network code and concepts from older Nintendo titles such as Mario Kart 7 and some Wii multiplayer games.

{| class="wikitable" border="1"

|-

Line 1,095:

Line 1,099:

|-

| enl::TransportManager::updateReceiveBuffer_() nullptr deref

| enl::TransportManager::updateReceiveBuffer_() is called when the ENL framework receives a PIA packet from a client, it will fully trust the ENL header which includes a "ContentTransporter" type (ID ~~/ Index~~) and a length.

| enl::TransportManager::updateReceiveBuffer_() is called when the ENL framework receives a PIA packet from a client, it will fully trust the ENL header which includes a "ContentTransporter" type (ID) and a length.

The function will try to fetch the content transporter by ID using <code>enl::TransportManager::getContentTransporter(unsigned char const &)</code>

The function will try to fetch the content transporter by ID using <code>enl::TransportManager::getContentTransporter(unsigned char const &)</code>, it returns NULL if there's no content transporter with the same ID

*NOTE: The function may be inlined

Then it will try ~~to dereference the pointer~~ to call a virtual method: <code>virtual size_t readyReceiveStream(enl::RamReadStream&, enl::Buffer*, size_t)</code>

Then it will try to call a virtual method: <code>virtual size_t readyReceiveStream(enl::RamReadStream&, enl::Buffer*, size_t)</code>, dereferencing the pointer to fetch the vtable ptr

[https://gist.github.com/Rambo6Glaz/c088e2ed7a12db08f6322e9f7a3c4911 Pseudocode of the function before it was fixed]

Line 1,107:

Line 1,113:

| Early April 2022

| November 16, 2022

| [[User:Rambo6Glaz|Rambo6Glaz]]

| [[User:Rambo6Glaz|Rambo6Glaz]], Kinnay (massive RE help)

|}

There's another one more interesting but it will have to wait a bit :)

@@ Line 1,080: / Line 1,080: @@
 |}
-=== Enl ===
+=== ENL ===
-This section documents vulnerabilities for Enl. A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2
+This section documents vulnerabilities for [https://github.com/kinnay/NintendoClients/wiki/ENL-Protocol ENL].
-.
+A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2, and more.
+Fun fact, this library appears to re-use network code and concepts from older Nintendo titles such as Mario Kart 7 and some Wii multiplayer games.
 {| class="wikitable" border="1"
 |-
@@ Line 1,095: / Line 1,099: @@
 |-
 | enl::TransportManager::updateReceiveBuffer_() nullptr deref
-| enl::TransportManager::updateReceiveBuffer_() is called when the ENL framework receives a PIA packet from a client, it will fully trust the ENL header which includes a "ContentTransporter" type (ID / Index) and a length.
+| enl::TransportManager::updateReceiveBuffer_() is called when the ENL framework receives a PIA packet from a client, it will fully trust the ENL header which includes a "ContentTransporter" type (ID) and a length.
-The function will try to fetch the content transporter by ID using <code>enl::TransportManager::getContentTransporter(unsigned char const &)</code>
+The function will try to fetch the content transporter by ID using <code>enl::TransportManager::getContentTransporter(unsigned char const &)</code>, it returns NULL if there's no content transporter with the same ID
+*NOTE: The function may be inlined
-Then it will try to dereference the pointer to call a virtual method: <code>virtual size_t readyReceiveStream(enl::RamReadStream&, enl::Buffer*, size_t)</code>
+Then it will try to call a virtual method: <code>virtual size_t readyReceiveStream(enl::RamReadStream&, enl::Buffer*, size_t)</code>, dereferencing the pointer to fetch the vtable ptr
 [https://gist.github.com/Rambo6Glaz/c088e2ed7a12db08f6322e9f7a3c4911 Pseudocode of the function before it was fixed]
@@ Line 1,107: / Line 1,113: @@
 | Early April 2022
 | November 16, 2022
-| [[User:Rambo6Glaz|Rambo6Glaz]]
+| [[User:Rambo6Glaz|Rambo6Glaz]], Kinnay (massive RE help)
 |}
 There's another one more interesting but it will have to wait a bit :)