Switch System Flaws: Difference between revisions

Yannik (talk | contribs)
Add information about ASLR leak in Mario Kart World, and a publicly disclosed Splatoon 3 report
 
(4 intermediate revisions by 3 users not shown)
Line 1,180: Line 1,180:
| November 2021?
| January 19, 2026
| [[User:Yellows8|yellows8]]
|-
| [[NFC_services|nfc]] Initialize buffer overflow
| All Initialize* cmds for nn::nfc::detail::IUser (nfc:user), nn::nfc::detail::ISystem (nfc:sys), nn::nfp::detail::IUser (nfp:user), nn::nfp::detail::ISystem (nfp:sys), nn::nfp::detail::IDebug (nfp:dbg), nn::nfc::mifare::detail::IUser (nfc:mf:u): these copy the input array into _this without validating the array count.
The data is copied to obj_impl+0x8+0x28, with each entry being 0x20 bytes. The event handle returned by AttachAvailabilityChangeEvent is at obj_impl+0x8+0xB8+0x14 (same for the nfc and nfp interfaces). Offset +0xA4 in the input buffer therefore overwrites the handle returned by that cmd, allowing one to leak any handle with the specified value; this can be done with count=0x6. The object is large enough that this count only overwrites data within the current object. However, the dtor uses ptrs (located before the event) which are corrupted by this, so one must avoid closing the session unless the input data included valid ptrs.
This can be exploited by using a 0xC0-byte (array_count=0x6) input buffer with Initialize where each u32 is the target handle value, then using cmd GetAvailabilityChangeEventHandle to leak the handle.
[22.0.0+] This was fixed by clamping the count to a maximum of 0x4.
| OOB datacopy into object state. Allows leaking arbitrary [[NFC_services|handles]], including on [S2] (such as process-handle, sm, fsp-srv (remaining services can also be used via sm)).
| [[22.0.0]]
| [[22.0.0]]
| November 2021
| March 17, 2026
| [[User:Yellows8|yellows8]]
|}
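The overwrite described in the nfc Initialize row, as an added example that is not part of this wiki page or of Nintendo's code: a C model of the unchecked copy using the offsets given above (0x20-byte entries copied to obj_impl+0x30, the availability-change event handle at obj_impl+0xD4). The object size (0x100), the placeholder value of the real handle, the cap of 6 modelled entries and all function names are assumptions; the vulnerable and fixed Initialize variants differ only by the 22.0.0 clamp to 4 entries.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offsets taken from the flaw description above. */
#define ENTRY_SIZE       0x20u                   /* one Initialize input entry */
#define DATA_OFF         (0x8u + 0x28u)          /* 0x30: where the entries are copied */
#define HANDLE_OFF       (0x8u + 0xB8u + 0x14u)  /* 0xD4: AttachAvailabilityChangeEvent handle */
#define FIXED_MAX_COUNT  0x4u                    /* 22.0.0+ clamp */

/* Assumptions for this model (not from the page): object size, the placeholder
 * value of the real event handle, and a cap of 6 entries so the simulation never
 * writes past the modelled object (the page notes that count=6 stays inside it). */
#define OBJ_SIZE         0x100u
#define REAL_HANDLE      0x00BEEF00u
#define MAX_MODEL_COUNT  6u

typedef struct {
    uint8_t raw[OBJ_SIZE];   /* opaque service-object storage; only the two offsets above matter */
} obj_impl_t;

static void obj_init(obj_impl_t *o) {
    uint32_t h = REAL_HANDLE;
    memset(o->raw, 0, sizeof o->raw);
    memcpy(o->raw + HANDLE_OFF, &h, sizeof h);
}

/* Input-buffer offset that lands on the handle field: 0xD4 - 0x30 = 0xA4. */
static uint32_t handle_offset_in_input(void) {
    return HANDLE_OFF - DATA_OFF;
}

/* Smallest array count whose copy fully covers the 4-byte handle: 6. */
static uint32_t min_count_reaching_handle(void) {
    return (handle_offset_in_input() + 4u + ENTRY_SIZE - 1u) / ENTRY_SIZE;
}

/* Pre-22.0.0: the count is trusted, so count*0x20 bytes land in the object. */
static void initialize_vulnerable(obj_impl_t *o, const uint8_t *in, uint32_t count) {
    memcpy(o->raw + DATA_OFF, in, (size_t)count * ENTRY_SIZE);
}

/* 22.0.0+: count is clamped to 4 first, so at most 0x80 bytes (+0x30..+0xB0) are written. */
static void initialize_fixed(obj_impl_t *o, const uint8_t *in, uint32_t count) {
    if (count > FIXED_MAX_COUNT)
        count = FIXED_MAX_COUNT;
    memcpy(o->raw + DATA_OFF, in, (size_t)count * ENTRY_SIZE);
}

/* Stand-in for GetAvailabilityChangeEventHandle: returns the stored handle. */
static uint32_t get_event_handle(const obj_impl_t *o) {
    uint32_t h;
    memcpy(&h, o->raw + HANDLE_OFF, sizeof h);
    return h;
}

/* Every u32 of the input is the target handle value, as the description suggests. */
static void fill_input(uint8_t *in, uint32_t count, uint32_t target) {
    for (size_t i = 0; i + 4 <= (size_t)count * ENTRY_SIZE; i += 4)
        memcpy(in + i, &target, 4);
}

/* Handle value the client gets back after Initialize(count) on a fresh object. */
static uint32_t leaked_handle(uint32_t count, uint32_t target, int fixed) {
    uint8_t in[MAX_MODEL_COUNT * ENTRY_SIZE] = {0};
    obj_impl_t o;
    if (count > MAX_MODEL_COUNT)
        count = MAX_MODEL_COUNT;
    fill_input(in, count, target);
    obj_init(&o);
    if (fixed)
        initialize_fixed(&o, in, count);
    else
        initialize_vulnerable(&o, in, count);
    return get_event_handle(&o);
}

int main(void) {
    uint32_t target = 0x00120000u; /* constructed handle value to leak */
    printf("handle at input +0x%X, min count %u\n",
           handle_offset_in_input(), min_count_reaching_handle());
    printf("count=5 vulnerable -> 0x%08X (untouched)\n", leaked_handle(5, target, 0));
    printf("count=6 vulnerable -> 0x%08X (leaked)\n", leaked_handle(6, target, 0));
    printf("count=6 fixed      -> 0x%08X (clamped)\n", leaked_handle(6, target, 1));
    return 0;
}
```

The model deliberately leaves out the pointers that sit between the copied entries and the event handle: on a real object those are clobbered by the same copy and are used by the dtor, which is why the description says the session must not be closed unless the input carried valid pointer values.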
Line 1,528: Line 1,542:
| Mario Kart World
| ASLR leak in application data
| A memory address can be leaked by changing your username to something short and hosting a network session in LAN mode (press L + R + Left Stick on the main menu to enable this). The memory address can be found in bytes 12 - 19 of the application data that is transmitted in response to a browse request.


'''Note:''' there is more uninitialized data in the packet, but the memory address is probably the most interesting part. The vulnerability was fixed by clearing the application data with zeros before filling in the information.


[https://hackerone.com/reports/3463719 HackerOne report]
This stack infoleak was also present in the [[LDN_services|ldn]] AdvertiseData.
| A memory address can be leaked (this is a requirement for many types of attacks).
| 1.5.0
| December 12, 2025
| February 19, 2026
| [https://github.com/kinnay Yannik], yellows8 (ldn)
|-
| Splatoon 3
| Anticheat Seed Randomization Weakness
| This oversight in seed generation allowed an attacker to quickly compute all code hashes and modify game code while still producing a valid ch1 hash.

[https://hackerone.com/reports/3042475 HackerOne report]
| Allows an attacker to bypass the ch1 anti-cheat hashing mechanism.
| 10.0.0
| March 17, 2025
| February 19, 2026
| hana2736
|}
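The uninitialized-data leak described in the Mario Kart World row, as an added example that is not part of this wiki page, the HackerOne report or the game's code. A real uninitialized read is undefined behaviour and non-deterministic, so the stale stack contents are passed in explicitly; the blob size (64 bytes), the username offset (4), the fake pointer value and the function names are assumptions, while the 8-byte window at bytes 12..19 and the zero-fill fix come from the description.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define APP_DATA_SIZE 64u   /* assumed size of the application-data blob */
#define ADDR_OFF      12u   /* bytes 12..19 carry the leaked address (from the description) */
#define NAME_OFF      4u    /* assumed: the username is written starting here */

#define FAKE_PTR 0x0000003a1b2c4000ULL   /* constructed value, not a real address */

/* Copy the username into the blob, truncated to what fits after NAME_OFF. */
static void write_username(uint8_t *app_data, const char *username) {
    size_t n = strlen(username);
    if (n > APP_DATA_SIZE - NAME_OFF)
        n = APP_DATA_SIZE - NAME_OFF;
    memcpy(app_data + NAME_OFF, username, n);
}

/* Pre-1.5.0 pattern: only the fields that are set get written; everything else
 * keeps whatever the stack held before. The stale contents are passed in
 * explicitly because a real uninitialized read is undefined behaviour. */
static void build_app_data_vulnerable(uint8_t *app_data, const uint8_t *stale,
                                      const char *username) {
    memcpy(app_data, stale, APP_DATA_SIZE);
    write_username(app_data, username);
}

/* Hardened form matching the described fix: clear the blob before filling it in. */
static void build_app_data_fixed(uint8_t *app_data, const uint8_t *stale,
                                 const char *username) {
    (void)stale;
    memset(app_data, 0, APP_DATA_SIZE);
    write_username(app_data, username);
}

/* What a peer browsing the LAN session reads from bytes 12..19 (little-endian). */
static uint64_t extract_leaked_address(const uint8_t *app_data) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | app_data[ADDR_OFF + i];
    return v;
}

/* Constructed stale stack image: filler bytes with a fake pointer at bytes 12..19. */
static void make_stale_stack(uint8_t *stale, uint64_t fake_ptr) {
    memset(stale, 0xCC, APP_DATA_SIZE);
    for (int i = 0; i < 8; i++)
        stale[ADDR_OFF + i] = (uint8_t)(fake_ptr >> (8 * i));
}

/* Address a peer would observe for a given username and build. */
static uint64_t observed_address(const char *username, int fixed) {
    uint8_t stale[APP_DATA_SIZE], app_data[APP_DATA_SIZE];
    make_stale_stack(stale, FAKE_PTR);
    if (fixed)
        build_app_data_fixed(app_data, stale, username);
    else
        build_app_data_vulnerable(app_data, stale, username);
    return extract_leaked_address(app_data);
}

int main(void) {
    printf("short name, vulnerable: 0x%016" PRIx64 "\n", observed_address("Yo", 0));
    printf("short name, fixed:      0x%016" PRIx64 "\n", observed_address("Yo", 1));
    printf("long name, vulnerable:  0x%016" PRIx64 "\n",
           observed_address("a-long-username-here", 0));
    return 0;
}
```

The long-name case shows why the description asks for a short username: under this model's assumed layout the name sits immediately before the window at bytes 12..19, so a long enough name overwrites the stale pointer with name bytes and nothing useful is leaked.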