Switch System Flaws: Difference between revisions
Browser Is Userland
RIP pl:utoohax
Line 67:
|-
|}
===System Modules===
{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in system version
! Last system version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| OOB Read in NS system module (pl:utoohax, pl:utonium, maybe other names)
| Prior to [[3.0.0]], pl:u (Shared Font services implemented in the NS sysmodule) service commands 1, 2 and 3 took a signed 32-bit index and returned the array entry at that index without checking the index at all. This allowed an arbitrary read within a 34-bit range (33-bit signed) from pl:u .bss.
| Dumping the virtual memory (including code) of pl:u (part of the NS module); obtaining base addresses for NS module .text (thus defeating ASLR)
| [[3.0.0]]
| [[3.0.0]]
| April 2017
| On exploit's fix in [[3.0.0]]
| qlutoo, Reswitched team (independently)
|-
|}
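
The bug class described in the pl:u entry above, as an added C example (not code from the NS module or from this wiki): it computes how far an unchecked signed 32-bit index reaches and shows the bounds check that closes the read. The table contents, entry count, function names and the 4-byte entry size are assumptions; with 4-byte entries a signed 32-bit index spans the 34-bit byte range the entry mentions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a per-font table kept in the service's .bss.
 * FONT_COUNT and the 4-byte entry size are assumptions for this example. */
#define FONT_COUNT 6
static const uint32_t font_table[FONT_COUNT] = { 10, 20, 30, 40, 50, 60 };

/* Byte offset from the table base that an unchecked table[index] lookup
 * would touch. The offset is only computed here, never dereferenced. */
int64_t unchecked_offset(int32_t index)
{
    return (int64_t)index * (int64_t)sizeof(font_table[0]);
}

/* Hardened lookup: validate the index before it is used.
 * The index is signed, so an upper-bound-only check would still admit
 * negative values; both bounds are tested.
 * Returns 0 on success, -1 if the index is out of range. */
int get_entry_checked(int32_t index, uint32_t *out)
{
    if (index < 0 || index >= FONT_COUNT)
        return -1;
    *out = font_table[index];
    return 0;
}

int main(void)
{
    uint32_t v = 0;
    int rc_neg = get_entry_checked(-1, &v);
    int rc_ok = get_entry_checked(2, &v);

    printf("lowest offset without a check:  %lld\n",
           (long long)unchecked_offset(INT32_MIN));
    printf("highest offset without a check: %lld\n",
           (long long)unchecked_offset(INT32_MAX));
    printf("index -1 -> %d, index 2 -> %d (value %u)\n", rc_neg, rc_ok, v);
    return 0;
}
```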