Switch System Flaws: Difference between revisions

Line 1,017:

| December 24, 2022

| March 26, 2024

| [[User:Yellows8|yellows8]]

|-

| [[Audio_services|audctl]] GetSystemInformationForDebug infoleak / buffer overflow

| audctl GetSystemInformationForDebug calls a func with a 0x1000-byte stack tmpbuf, then afterwards that buffer is memcpy'd into the cmd outbuf. This called func doesn't clear the buffer. This func eventually uses [[BTM_services|btm]] cmd75 with outarray={global ptr} and count=10. Then if the outcount is s32 >=1, it loops through the output using the outcount, without validating it besides the <1 check. Data from that outarray is copied into the array in the func output buffer (tmpbuf above).

With btm comprimised, one could return a large output count and trigger a stack buffer overflow with data following that global array, however exploiting this would be difficult since that data would be uncontrolled (can't directly control it from this cmd at least).

A stack infoleak can be obtained with this as well (assuming the above output array isn't full).

Even though the name has "ForDebug", there's no checks which would trigger an error / return early (this also always returns 0).

[18.0.0+] now clears the output buffer, and also now prints strings into the buffer instead of writing binary data (overflow no longer possible).

| audio-sysmodule infoleak, which allows defeating ASLR. Also audio-sysmodule memory corruption, likely not useful unless there's a way to control the data.

| [[18.0.0]]

| December 7, 2022

| March 27, 2024

| [[User:Yellows8|yellows8]]

|}

@@ Line 1,017: / Line 1,017: @@
 | December 24, 2022
 | March 26, 2024
+| [[User:Yellows8|yellows8]]
+|-
+| [[Audio_services|audctl]] GetSystemInformationForDebug infoleak / buffer overflow
+| audctl GetSystemInformationForDebug calls a func with a 0x1000-byte stack tmpbuf, then afterwards that buffer is memcpy'd into the cmd outbuf. This called func doesn't clear the buffer. This func eventually uses [[BTM_services|btm]] cmd75 with outarray={global ptr} and count=10. Then if the outcount is s32 >=1, it loops through the output using the outcount, without validating it besides the <1 check. Data from that outarray is copied into the array in the func output buffer (tmpbuf above).
+With btm comprimised, one could return a large output count and trigger a stack buffer overflow with data following that global array, however exploiting this would be difficult since that data would be uncontrolled (can't directly control it from this cmd at least).
+A stack infoleak can be obtained with this as well (assuming the above output array isn't full).
+Even though the name has "ForDebug", there's no checks which would trigger an error / return early (this also always returns 0).
+[18.0.0+] now clears the output buffer, and also now prints strings into the buffer instead of writing binary data (overflow no longer possible).
+| audio-sysmodule infoleak, which allows defeating ASLR. Also audio-sysmodule memory corruption, likely not useful unless there's a way to control the data.
+| [[18.0.0]]
+| [[18.0.0]]
+| December 7, 2022
+| March 27, 2024
 | [[User:Yellows8|yellows8]]
 |}