Changes

1,320 bytes added, 01:43, 20 January 2022
Line 547: Line 547:  
!  Public disclosure timeframe
 
!  Public disclosure timeframe
 
!  Discovered by
 
!  Discovered by
 +
|-
 +
| [[SSL_services|ssl]] CVE-2021-43527
 +
| CVE-2021-43527, see also [https://bugs.chromium.org/p/project-zero/issues/detail?id=2237 here] and [https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html here].
 +
Using BigSig where the server cert sig is RSA-PSS results in the remote server throwing {no shared cipher} error when Switch connects. If however one creates a rootCA using BigSig (RSA-PSS), which then signs a server cert where the server key is RSA (not PSS), the vuln can be triggered (if the rootCA is trusted, via using the import service-cmd). It's unknown whether there's other ways to trigger the vuln.
 +
 +
The crash occurs in VFY_Begin when using the previously overwritten data. A bitsize of <code>$((16384 + 32 + 64 + 64 + 64))</code> is only enough to overwrite cx->hashcx, to fully overwrite cx->hashobj an additional 0xC-bytes (additional 96 bits) is needed.
 +
Note that partial overwrite isn't an option: this is the func that initializes those fields to begin with, it just does deinit first before initializing hashcx/hashobj (prior to that these fields would be all-zero when not overwritten by the buf-overflow).
 +
| Heap buffer overflow in [[SSL_services|ssl]], overwriting data including a funcptr.
 +
| 13.2.1
 +
| 13.2.1
 +
| Switch: December 1-2, 2021
 +
| Switch: Janurary 19, 2022
 +
|
 
|-
 
|-
 
| [[Bluetooth_Driver_services|bluetooth]] EventInfo infoleak
 
| [[Bluetooth_Driver_services|bluetooth]] EventInfo infoleak
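Review bot: "Janurary" in the public disclosure timeframe cell (`| Switch: Janurary 19, 2022`) is a typo and should read "January". The "Discovered by" cell is left as a bare `|`, while the summary cell already links the Project Zero issue and the "This shouldn't have happened" post for CVE-2021-43527; either fill the cell from those references or state that the Switch-specific trigger (BigSig RSA-PSS root CA signing a plain-RSA server cert, trusted via the import service command) was found separately, so the row does not read as incomplete. In the description, the bit size is given only as the shell expression `<code>$((16384 + 32 + 64 + 64 + 64))</code>`; stating the evaluated value (16608 bits) next to it, alongside the "additional 0xC-bytes (additional 96 bits)" needed to reach cx->hashobj, would save readers the arithmetic and make the two numbers directly comparable.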