2
edits
Changes
Jump to navigation
Jump to search
Line 1,067:
Line 1,067: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
no edit summary
| [[User:Yellows8|yellows8]]
| [[User:Yellows8|yellows8]]
|}
|}
=== Enl ===
This section documents vulnerabilities for Enl. A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2
.
{| class="wikitable" border="1"
|-
! Summary
! Description
! Successful exploitation result
! Fixed in Enl version
! Last Enl version this flaw was checked for
! Timeframe this was discovered
! Public disclosure timeframe
! Discovered by
|-
| enl::TransportManager::updateReceiveBuffer_() nullptr deref
| enl::TransportManager::updateReceiveBuffer_() is called when the ENL framework receives a PIA packet from a client, it will fully trust the ENL header which includes a "ContentTransporter" type (ID / Index) and a length.
The function will try to fetch the content transporter by ID using <code>enl::TransportManager::getContentTransporter(unsigned char const &)</code>
Then it will try to dereference the pointer to call a virtual method: <code>virtual size_t readyReceiveStream(enl::RamReadStream&, enl::Buffer*, size_t)</code>
[https://gist.github.com/Rambo6Glaz/c088e2ed7a12db08f6322e9f7a3c4911 Pseudocode of the function before it was fixed]
| nullptr dereference triggered by an invalid content transporter type in the ENL header (it will crash the game/process)
| Unknown
| Depends on the game
| Early April 2022
| November 16, 2022
| [[User:Rambo6Glaz|Rambo6Glaz]]
|}
There's another one more interesting but it will have to wait a bit :)