This page lists vulnerabilities / exploits for Nintendo Switch applications/applets and SDK. The page has since been redirected to [[Switch_System_Flaws]].
== Browser userspace ==
{| class="wikitable" border="1"
!  Summary
!  Description
!  Fixed with software update
!  Newest software update this flaw was checked for
!  Timeframe this was discovered
!  Discovered by
|-
| CVE-2016-4657
| WebKit vulnerability discovered around August 2016, most notably used in the iOS 9.3.x exploit. A simple PoC can be found [https://github.com/LiveOverflow/lo_nintendoswitch/blob/master/poc1.html here]. It was later exploited on the Switch by [https://twitter.com/qwertyoruiopz Qwertyoruiop] using an adjusted version of his iOS 9.3 WebKit exploit (others had exploited it on the Switch before then).
| [[2.1.0]]
| [[2.0.0]]
| Original: August 2016

Switch: March 3rd-4th 2017
| Everyone
|-
| CVE-2017-7005
| WebKit type confusion.
| [[3.0.1]]
| [[3.0.1]]
| 
| Everyone
|-
| CVE-2016-4622
| WebKit memory corruption bug. It had been fixed previously but was re-introduced with [[4.0.0]]. See [http://www.phrack.org/papers/attacking_javascript_engines.html here] for a detailed write-up from the author.
| [[6.1.0]]
| [[6.1.0]]
| 
| Everyone
|-
| CVE-2018-4441
| WebKit memory corruption bug. See [https://bugs.chromium.org/p/project-zero/issues/detail?id=1685&desc=2 here].
| [[7.0.0]]
| [[7.0.0]]
| 
| Everyone
|}

== NintendoSDK ==
This section documents vulnerabilities for NSOs in NintendoSDK.

=== nnSdk ===
This section documents vulnerabilities for nnSdk (sdknso).

{| class="wikitable" border="1"
|-
!  Summary
!  Description
!  Successful exploitation result
!  Fixed in SDK [[System_Versions|version]]
!  Last SDK version this flaw was checked for
!  Timeframe this was discovered
!  Public disclosure timeframe
!  Discovered by
|-
| [[HID_services|hidbus]] GetJoyPollingReceivedData buffer overflow
| hidbus GetJoyPollingReceivedData doesn't validate the u8 size used for memcpy when copying the data to the output JoyPollingReceivedData. With 11.x the size is clamped to a maximum of 0x2C, regardless of polling-mode. Note that 0x2C is the data-size for JoyButtonOnlyPollingDataAccessor; the other polling-modes have a smaller size, so the clamp is still looser than the actual per-mode size.

The hid-sysmodule code which writes this data does handle it properly: the size is clamped to a maximum size, and the data-read uses a fixed size anyway, so there is no way to trigger this sdknso vuln through the hid-sysmodule tmem-writing code.

This could only be exploited by writing to the tmem directly, without the normal tmem-writing func, after having previously compromised hid-sysmodule.

There are only a few [[HID_services#ExternalDevices|apps]] which use hidbus.
| Triggering a buffer overflow in an application which uses hidbus GetJoyPollingReceivedData, from a previously compromised hid-sysmodule.
| 11.x.0
| 11.4.0
| March 2020
| December 3, 2020
| [[User:Yellows8|yellows8]]
|}
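As an added illustration of the flaw described above and of the 11.x clamp (example code written for this page, not nnSdk or hid-sysmodule code; the struct layouts, function names, the 0x100-byte tmem entry and the guard word are assumptions made for the demonstration), the following C program copies a constructed tmem entry once with the trusted u8 size and once with the 0x2C clamp, and reports whether a guard word placed right after the output object survives:

```c
/*
 * Added example, not nnSdk code. Models the hidbus GetJoyPollingReceivedData
 * copy as the page describes it (pre-11.x: u8 size from tmem trusted;
 * 11.x: clamped to 0x2C regardless of polling-mode). Layouts are assumed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Page: 0x2C is the JoyButtonOnlyPollingDataAccessor data-size, the largest
 * of the polling-modes, and the bound the 11.x clamp uses for every mode. */
#define JOY_POLLING_MAX_DATA 0x2C
#define GUARD_WORD 0xDEADBEEFu

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* Assumed layout of one entry in the transfer memory written by hid-sysmodule.
 * The size is a u8, so the largest copy the bug allows is 0xFF bytes. */
typedef struct {
    uint8_t size;
    uint8_t data[0x100];
} TmemEntry;

/* Assumed layout of the output object the SDK fills in for the application. */
typedef struct {
    uint8_t data[JOY_POLLING_MAX_DATA];
    uint8_t size;
} JoyPollingReceivedData;

/* Constructed frame: the output object followed by a guard word and padding,
 * so an overflow lands in memory we can inspect rather than in whatever
 * happens to follow the object on the real stack. */
typedef struct {
    JoyPollingReceivedData received;
    uint32_t guard;
    uint8_t pad[0x100];
} Frame;

/* Byte loop standing in for memcpy. Kept out of line so the compiler cannot
 * assume the copy stays inside the data array and fold the guard check away. */
static NOINLINE void raw_copy(uint8_t *dst, const uint8_t *src, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = src[i];
}

/* Pre-11.x behaviour as described on the page: the u8 size from tmem is used
 * directly as the copy length into a 0x2C-byte array. */
static void get_received_data_vulnerable(const TmemEntry *e, JoyPollingReceivedData *out) {
    out->size = e->size;
    raw_copy(out->data, e->data, e->size);
}

/* 11.x behaviour as described on the page: clamp to 0x2C for every mode. A
 * per-mode bound would be tighter, since the other modes carry less data. */
static void get_received_data_clamped(const TmemEntry *e, JoyPollingReceivedData *out) {
    uint8_t n = e->size > JOY_POLLING_MAX_DATA ? JOY_POLLING_MAX_DATA : e->size;
    out->size = n;
    raw_copy(out->data, e->data, n);
}

/* Constructed tmem entry: the size a direct tmem writer (a compromised
 * hid-sysmodule bypassing the normal clamped writer) could choose. */
static void make_entry(TmemEntry *e, uint8_t size) {
    e->size = size;
    memset(e->data, 0x41, sizeof e->data);
}

/* Run one copy variant and return 1 if the guard word survived, 0 if it was
 * overwritten; the output object's size field is reported through out_size. */
static int run_copy(uint8_t tmem_size, int clamped, uint8_t *out_size) {
    TmemEntry e;
    Frame f;
    make_entry(&e, tmem_size);
    memset(&f, 0, sizeof f);
    f.guard = GUARD_WORD;
    if (clamped) get_received_data_clamped(&e, &f.received);
    else         get_received_data_vulnerable(&e, &f.received);
    if (out_size) *out_size = f.received.size;
    return f.guard == GUARD_WORD;
}

static int guard_intact_after_vulnerable(uint8_t tmem_size, uint8_t *out_size) {
    return run_copy(tmem_size, 0, out_size);
}

static int guard_intact_after_clamped(uint8_t tmem_size, uint8_t *out_size) {
    return run_copy(tmem_size, 1, out_size);
}

int main(void) {
    uint8_t n = 0;
    int ok = guard_intact_after_vulnerable(0x60, &n);
    printf("pre-11.x, tmem size 0x60: guard %s, output size field 0x%02x\n",
           ok ? "intact" : "overwritten", n);
    ok = guard_intact_after_clamped(0x60, &n);
    printf("11.x clamp, tmem size 0x60: guard %s, output size field 0x%02x\n",
           ok ? "intact" : "overwritten", n);
    return 0;
}
```

With the vulnerable copy and a tmem size of 0x60, the bytes past offset 0x2C overwrite the output object's own size field (so it reads back as 0x41, the fill byte) and then the guard word; with the clamp, the copy stops at 0x2C and the size field reports 0x2C. Because the size is a u8, the worst case the bug allows is 0xFF - 0x2C = 0xD3 bytes written past the output array, which is a useful bound when assessing what an attacker who already controls hid-sysmodule could reach in the few hidbus-using applications.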