Switch System Flaws: Difference between revisions
Line 1,115 (the newer revision adds one row to the table; the trailing cells of the preceding row are shown for context):

| March 2020
| May 4, 2025
| [[User:Yellows8|yellows8]]
|-
| [[LDN_services|ldn]] AdvertiseData OOB-memcpy with EncryptionType3 (AES-128-GCM) actionframes (ldnhax)
| The ldn action-frame parser object for AES-128-GCM (used with [[LDN_services|EncryptionType3]]), when it validates the parsed data once parsing is finished, only verifies that the sizes are within the bounds of the input buffer. There is no validation against constants, which the other EncryptionType objects have. The caller code doesn't validate the size either.
[21.0.0+] Now validates the advert-size with sizeof(NetworkInfo.AdvertiseData).
For more details see [https://gist.github.com/yellows8/16bb56343d085d2db2ab0adc5d4cef99 here].
| Compromise of ldn starting from OOB-memcpy, even on S2: stack infoleak (ASLR defeat), arbitrary memory read/write (which also allows handle-leak), vfunc-calls with arbitrary [[Security_Mitigations|vtable]].
| [[21.0.0]]
| [[21.0.0]]
| June ~13, 2025
| November 11, 2025
| [[User:Yellows8|yellows8]]
|}
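The flaw class in the row above, a size field that is only bounds-checked against the input buffer and never against the fixed-size destination it is copied into, is easy to see side by side with the 21.0.0-style fix. The following C program is an added illustration written for this page, not code from the wiki, the gist, or the ldn sysmodule: the struct layout, the frame layout (2-byte little-endian size followed by the data) and every size constant are hypothetical stand-ins, and `ADVERTISE_DATA_MAX` plays the role of `sizeof(NetworkInfo.AdvertiseData)`.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical destination: a fixed-size AdvertiseData field inside a
 * NetworkInfo-like struct. Sizes are illustrative, not the real ldn layout. */
#define ADVERTISE_DATA_MAX 0x180u   /* stands in for sizeof(NetworkInfo.AdvertiseData) */

typedef struct {
    uint16_t advertise_data_size;
    uint8_t  advertise_data[ADVERTISE_DATA_MAX];
    uint8_t  trailer[8];            /* memory an unchecked copy would overrun */
} network_info_t;

typedef enum {
    ADV_REJECT_SOURCE = 0,  /* declared size exceeds what the frame contains */
    ADV_REJECT_DEST   = 1,  /* declared size exceeds the destination field */
    ADV_ACCEPT        = 2
} adv_verdict_t;

/* Constructed frame layout: 2-byte little-endian size, then that many bytes. */
static size_t read_u16le(const uint8_t *p) { return (size_t)p[0] | ((size_t)p[1] << 8); }

/* Weak check, as the page describes the flawed parser: the declared size is
 * only compared with the remaining input, never with the destination size. */
adv_verdict_t validate_weak(const uint8_t *frame, size_t frame_len, size_t *size_out)
{
    if (frame_len < 2) return ADV_REJECT_SOURCE;
    size_t adv_size = read_u16le(frame);
    if (adv_size > frame_len - 2) return ADV_REJECT_SOURCE;
    *size_out = adv_size;
    return ADV_ACCEPT;               /* no comparison against ADVERTISE_DATA_MAX */
}

/* Hardened check: the same source-bound test plus the destination constant. */
adv_verdict_t validate_fixed(const uint8_t *frame, size_t frame_len, size_t *size_out)
{
    adv_verdict_t v = validate_weak(frame, frame_len, size_out);
    if (v != ADV_ACCEPT) return v;
    if (*size_out > ADVERTISE_DATA_MAX) return ADV_REJECT_DEST;
    return ADV_ACCEPT;
}

/* Copies into the fixed-size field only after the hardened validation passes.
 * Returns the number of bytes copied, or 0 if the frame was rejected. */
size_t parse_advert(network_info_t *out, const uint8_t *frame, size_t frame_len)
{
    size_t adv_size = 0;
    if (validate_fixed(frame, frame_len, &adv_size) != ADV_ACCEPT) return 0;
    memset(out, 0, sizeof *out);
    out->advertise_data_size = (uint16_t)adv_size;
    memcpy(out->advertise_data, frame + 2, adv_size);   /* adv_size <= ADVERTISE_DATA_MAX */
    return adv_size;
}

/* Builds a constructed frame declaring `declared` payload bytes into `buf`;
 * returns the frame length written, or 0 if it does not fit. */
size_t build_frame(uint8_t *buf, size_t buf_len, size_t declared)
{
    if (buf_len < 2 + declared) return 0;
    buf[0] = (uint8_t)(declared & 0xff);
    buf[1] = (uint8_t)(declared >> 8);
    memset(buf + 2, 0x41, declared);
    return 2 + declared;
}

/* A frame that fits the input buffer but declares more than the destination
 * holds: the weak check accepts it, the fixed check rejects it. Returns 1
 * when the two validators disagree in exactly that way. */
int oversized_frame_demo(void)
{
    static uint8_t buf[0x400];
    size_t n = build_frame(buf, sizeof buf, 0x200);
    size_t s1 = 0, s2 = 0;
    adv_verdict_t weak  = validate_weak(buf, n, &s1);
    adv_verdict_t fixed = validate_fixed(buf, n, &s2);
    return weak == ADV_ACCEPT && fixed == ADV_REJECT_DEST;
}

/* Bytes copied for a small, well-formed frame (expected: 0x10). */
size_t benign_frame_copies(void)
{
    static uint8_t buf[0x400];
    network_info_t ni;
    size_t n = build_frame(buf, sizeof buf, 0x10);
    return parse_advert(&ni, buf, n);
}

/* Bytes copied for the oversized frame under the fixed parser (expected: 0). */
size_t oversized_frame_copies(void)
{
    static uint8_t buf[0x400];
    network_info_t ni;
    size_t n = build_frame(buf, sizeof buf, 0x200);
    return parse_advert(&ni, buf, n);
}

int main(void)
{
    printf("validators disagree on oversized frame: %d\n", oversized_frame_demo());
    printf("benign frame copied %zu bytes, oversized frame copied %zu bytes\n",
           benign_frame_copies(), oversized_frame_copies());
    return 0;
}
```

The point of the split into `validate_weak` and `validate_fixed` is that both bounds are necessary: the source bound stops over-reads of the frame, and only the destination bound stops the over-write that the page's description turns into stack infoleak and arbitrary read/write. A parser that checks one but not the other is still memory-unsafe, which is why the fix compares against the destination's compile-time size rather than anything derived from the input.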