Switch System Flaws: Difference between revisions
| Line 1,004: | Line 1,004: | ||
| February 25, 2022 | | February 25, 2022 | ||
| October 24, 2023 | | October 24, 2023 | ||
| [[User:Yellows8|yellows8]] | |||
|- | |||
| [[Audio_services|audctl]] GetTargetDeviceInfo infoleak | |||
| audctl GetTargetDeviceInfo calls an impl func with a ptr to a stackbuf, then if successful memcpys the 0x100-bytes from that buffer to output. This stackbuf is not memset. This func (after doing various state checks) copies a string to output, other than always writing a NUL-terminator there's no clearing of the buffer. | |||
This will leak audio-sysmodule stack into the output buffer as long as the state/input checks pass (for the remainder of the buffer following the string NUL-terminator). | |||
With [18.0.0+] data is written directly to the outbuf instead of the stack tmpbuf. | |||
| audio-sysmodule infoleak, which allows defeating ASLR. | |||
| [[18.0.0]] | |||
| [[18.0.0]] | |||
| December 24, 2022 | |||
| March 26, 2024 | |||
| [[User:Yellows8|yellows8]] | | [[User:Yellows8|yellows8]] | ||
|} | |} | ||