Changes

1,422 bytes added ,  02:57, 16 November 2022
no edit summary
Line 1,067: Line 1,067:  
| [[User:Yellows8|yellows8]]
 
| [[User:Yellows8|yellows8]]
 
|}
 
|}
 +
 +
=== Enl ===
 +
This section documents vulnerabilities for Enl. A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2
 +
.
 +
{| class="wikitable" border="1"
 +
|-
 +
!  Summary
 +
!  Description
 +
!  Successful exploitation result
 +
!  Fixed in Enl version
 +
!  Last Enl version this flaw was checked for
 +
!  Timeframe this was discovered
 +
!  Public disclosure timeframe
 +
!  Discovered by
 +
|-
 +
| enl::TransportManager::updateReceiveBuffer_() nullptr deref
 +
| enl::TransportManager::updateReceiveBuffer_() is called when the ENL framework receives a PIA packet from a client, it will fully trust the ENL header which includes a "ContentTransporter" type (ID / Index) and a length.
 +
The function will try to fetch the content transporter by ID using <code>enl::TransportManager::getContentTransporter(unsigned char const &)</code>
 +
 +
Then it will try to dereference the pointer to call a virtual method: <code>virtual size_t readyReceiveStream(enl::RamReadStream&, enl::Buffer*, size_t)</code>
 +
 +
[https://gist.github.com/Rambo6Glaz/c088e2ed7a12db08f6322e9f7a3c4911 Pseudocode of the function before it was fixed]
 +
 +
| nullptr dereference triggered by an invalid content transporter type in the ENL header (it will crash the game/process)
 +
| Unknown
 +
| Depends on the game
 +
| Early April 2022
 +
| November 16, 2022
 +
| [[User:Rambo6Glaz|Rambo6Glaz]]
 +
|}
 +
 +
There's another one more interesting but it will have to wait a bit :)
2

edits