Switch System Flaws: Difference between revisions

← Older edit Newer edit →

@@ Line 3: / Line 3: @@
 =List of Switch System Flaws=
-These are the current public Switch System Flaws.
 == Hardware ==
@@ Line 23: / Line 21: @@
 |-
 |}
-==ARM TrustZone software==
-===ARM TrustZone===
+== System software ==
+=== Kernel ===
 {| class="wikitable" border="1"
 |-
@@ Line 36: / Line 35: @@
 !  Discovered by
 |-
-|  No public ARM TrustZone exploits
+|  No public Kernel exploits
 |
 |
@@ Line 46: / Line 45: @@
 |-
 |}
-== Kernel software==
-===Kernel===
+=== TrustZone ===
 {| class="wikitable" border="1"
 |-
@@ Line 59: / Line 58: @@
 !  Discovered by
 |-
-|  No public Kernel exploits
+|  No public ARM TrustZone exploits
 |
 |
@@ Line 67: / Line 66: @@
 |
 |
+|-
+|}
+=== System Modules ===
+{| class="wikitable" border="1"
+|-
+!  Summary
+!  Description
+!  Successful exploitation result
+!  Fixed in system version
+!  Last system version this flaw was checked for
+!  Timeframe this was discovered
+!  Public disclosure timeframe
+!  Discovered by
+|-
+|  OOB Read in NS system module (pl:utoohax, pl:utonium, maybe other names)
+|  Prior to [[3.0.0]], pl:u (Shared Font services implemented in the NS sysmodule) service commands 1,2,3 took in a signed 32-bit index and returned that index of an array but did not check that index at all. This allowed for an arbitrary read within a 34-bit range (33-bit signed) from NS .bss. In [[3.0.0]], sending out of range indexes causes error code 0x60A to be returned.
+|  Dumping full NS .text, .rodata and .data, infoleak, etc
+|  [[3.0.0]]
+|  [[3.0.0]]
+|  April 2017
+|  On exploit's fix in [[3.0.0]]
+|  qlutoo, Reswitched team (independently)
 |-
 |}