Changes

Jump to navigation Jump to search
4,037 bytes removed ,  18:16, 10 November 2022
Redirected page to Switch System Flaws
Line 1: Line 1: −
This page lists vulnerabilities / exploits for Nintendo Switch applications/applets and SDK.
+
#REDIRECT [[Switch_System_Flaws]]
 
  −
== Browser userspace ==
  −
{| class="wikitable" border="1"
  −
!  Summary
  −
!  Description
  −
!  Fixed with system version
  −
!  Newest system version this flaw was checked for
  −
!  Timeframe this was discovered
  −
!  Discovered by
  −
|-
  −
| CVE-2016-4657
  −
| WebKit vuln discovered around August 2016. Most notably used in the iOS 9.3.X exploit. A simple PoC can be found [https://github.com/LiveOverflow/lo_nintendoswitch/blob/master/poc1.html here]. This was later exploited by [https://twitter.com/qwertyoruiopz Qwertyoruiop] using an adjusted version of his iOS 9.3 webkit exploit (others exploited this prior to then).
  −
| [[2.1.0]]
  −
| [[2.0.0]]
  −
| Original: August 2016
  −
Switch: March 3rd-4th 2017
  −
| Everyone
  −
|-
  −
| CVE-2017-7005
  −
| WebKit type confusion.
  −
| [[3.0.1]]
  −
| [[3.0.1]]
  −
|
  −
| Everyone
  −
|-
  −
| CVE-2016-4622
  −
| WebKit memory corruption bug. This bug was incorrectly re-introduced in [[4.0.0]]. See [http://www.phrack.org/papers/attacking_javascript_engines.html here] for a detailed write-up from the author.
  −
| [[6.1.0]]
  −
| [[6.1.0]]
  −
|
  −
| Everyone
  −
|-
  −
| CVE-2018-4441
  −
| WebKit memory corruption bug. See [https://bugs.chromium.org/p/project-zero/issues/detail?id=1685&desc=2 here].
  −
| [[7.0.0]]
  −
| [[7.0.0]]
  −
|
  −
| Everyone
  −
|}
  −
 
  −
=== Whitelist ===
  −
This section documents [[Internet_Browser|WebApplet]] whitelist issues in applications. These can be used to load your own browser content over plain HTTP, which then for example could be used for web-applet exploitation.
  −
 
  −
{| class="wikitable" border="1"
  −
!  Application
  −
!  Description
  −
!  Fixed with app version
  −
!  Newest app version this flaw was checked for
  −
!  Timeframe this was discovered
  −
!  Public disclosure timeframe
  −
!  Discovered by
  −
|-
  −
| Sonic Mania
  −
| Originally this game launched web-applet with a plain-http URL for displaying the manual, this was later changed to https. Originally the whitelist only had 1 entry for a http URL, this was later replaced with various https-only URLs.
  −
| 1.04, unknown if fixed with an earlier update
  −
| 1.04
  −
| January (?) 2022
  −
| February 23, 2022
  −
| [[User:Yellows8|yellows8]]
  −
|}
  −
 
  −
== NintendoSDK ==
  −
This section documents vulnerabilities for NSOs in NintendoSDK.
  −
 
  −
=== nnSdk ===
  −
This section documents vulnerabilities for nnSdk (sdknso).
  −
 
  −
{| class="wikitable" border="1"
  −
|-
  −
!  Summary
  −
!  Description
  −
!  Successful exploitation result
  −
!  Fixed in SDK [[System_Versions|version]]
  −
!  Last SDK version this flaw was checked for
  −
!  Timeframe this was discovered
  −
!  Public disclosure timeframe
  −
!  Discovered by
  −
|-
  −
| [[Profile_Selector|Profile Selector]] uninitialized input data
  −
| Originally unused regions of [[Profile_Selector]] UiSettings/UserSelectionSettings were not cleared prior to being sent to the applet. With 1.x.x these are now properly memset().
  −
| Stack infoleak from user-process, sent to the applet.
  −
| 1.x.x
  −
| 11.4.0
  −
| November-December 2019
  −
| December 31, 2020
  −
| [[User:Yellows8|yellows8]]
  −
|-
  −
| [[HID_services|hidbus]] GetJoyPollingReceivedData buffer overflow
  −
| hidbus GetJoyPollingReceivedData doesn't validate the u8 size used for memcpy, when copying the data to the output JoyPollingReceivedData. With 11.x, the size is now clamped to a maximum of 0x2C (regardless of polling-mode). Note that 0x2C is the data-size for JoyButtonOnlyPollingDataAccessor, the other polling-modes have a smaller size.
  −
 
  −
The hid-sysmodule code which writes data here does handle it properly: size is clamped to a max size, and the data-read uses a fixed-size anyway (hence there's no way to trigger this sdknso vuln with the hid-sysmodule tmem writing code).
  −
 
  −
This could only be exploited if one directly writes to the tmem when one has previously compromised hid-sysmodule, without using the normal tmem-writing func for this.
  −
 
  −
There are only a few [[HID_services#ExternalDevices|apps]] which use hidbus.
  −
| Triggering a buffer overflow in an application which uses hidbus GetJoyPollingReceivedData, from a previously compromised hid-sysmodule.
  −
| 11.x.0
  −
| 11.4.0
  −
| March 2020
  −
| December 3, 2020
  −
| [[User:Yellows8|yellows8]]
  −
|}
 

Navigation menu