Nintendo Switch Brew

Changes

Switch System Flaws (view source)

Revision as of 15:48, 21 November 2022

300 bytes added ,  15:48, 21 November 2022
→‎Pia
Line 1,010: Line 1,010:  
=== Pia ===
 
=== Pia ===
 
This section documents vulnerabilities for [https://github.com/Kinnay/NintendoClients/wiki/Pia-Overview Pia].
 
This section documents vulnerabilities for [https://github.com/Kinnay/NintendoClients/wiki/Pia-Overview Pia].
 +
 +
In v5.11.3 (exact starting version unknown) the fixes aren't present for the below vulns which were fixed in v5.9.3, while in v5.18.98 these are present (exact starting version unknown). This probably indicates that the vuln fixes were backported from a newer Pia version to v5.9.3.
    
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
Line 1,030: Line 1,032:  
This is called from nn::pia::session::MeshProtocol::ParseConnectionReport().
 
This is called from nn::pia::session::MeshProtocol::ParseConnectionReport().
 
| Heap buffer overflow triggered by a Pia MeshProtocol message sent to a host device.
 
| Heap buffer overflow triggered by a Pia MeshProtocol message sent to a host device.
| v5.9.3
+
| v5.9.3, see above.
 
| v5.9.1/v5.9.2/v5.9.3
 
| v5.9.1/v5.9.2/v5.9.3
 
| November 11, 2022
 
| November 11, 2022
Line 1,048: Line 1,050:  
In fixed versions ReceivedFragmentData::Receive added a bunch of validation before the memcpy.
 
In fixed versions ReceivedFragmentData::Receive added a bunch of validation before the memcpy.
 
| Stack/heap buffer overflow triggered by a Pia LanProtocol message.
 
| Stack/heap buffer overflow triggered by a Pia LanProtocol message.
| v5.9.3
+
| v5.9.3, see above.
 
| v5.9.1/v5.9.2/v5.9.3
 
| v5.9.1/v5.9.2/v5.9.3
 
| November 14, 2022
 
| November 14, 2022
Line 1,061: Line 1,063:  
In fixed versions the arraycount field is now validated. However it seems at some point this fix was reverted, in v5.11.3 (exact starting version unknown) the check isn't present, while in v5.18.98 it is present (exact starting version unknown).
 
In fixed versions the arraycount field is now validated. However it seems at some point this fix was reverted, in v5.11.3 (exact starting version unknown) the check isn't present, while in v5.18.98 it is present (exact starting version unknown).
 
| Stack buffer overflow triggered by a Pia SessionProtocol message.
 
| Stack buffer overflow triggered by a Pia SessionProtocol message.
| v5.9.3, reverted and fixed again later
+
| v5.9.3, see above.
 
| v5.9.1/v5.9.2/v5.9.3
 
| v5.9.1/v5.9.2/v5.9.3
 
| November 14, 2022
 
| November 14, 2022
Line 1,073: Line 1,075:  
This can be used to send a plaintext Pia packet without needing to handle encryption, especially useful if the session-key can't be obtained (online-play matchmaking). This could be combined with other vulns if wanted.
 
This can be used to send a plaintext Pia packet without needing to handle encryption, especially useful if the session-key can't be obtained (online-play matchmaking). This could be combined with other vulns if wanted.
 
| Sending a plaintext Pia packet without needing to handle encryption.
 
| Sending a plaintext Pia packet without needing to handle encryption.
| v5.9.3
+
| v5.9.3, see above.
 
| v5.9.3 (and later versions)
 
| v5.9.3 (and later versions)
 
|  
 
|  
Retrieved from "https://switchbrew.org/wiki/Special:MobileDiff/12048"