Difference between revisions of "Wii U system flaws"
| Line 3: | Line 3: | ||
'''Application''': [[Internet Browser]] | '''Application''': [[Internet Browser]] | ||
| − | ''' | + | '''Present in system versions''': 2.0.0-5.1.0 |
'''Public in libwiiu''': Yes | '''Public in libwiiu''': Yes | ||
| Line 12: | Line 12: | ||
'''Application''': [[Internet Browser]] | '''Application''': [[Internet Browser]] | ||
| − | ''' | + | '''Present in system versions''': 5.1.1-5.3.1 (possibly older versions, too) |
| − | ''' | + | '''Publicly exploited in: ''': libwiiu (5.3.2 only) |
When joining an array of strings, the lengths of the strings are summed to calculate the needed storage space. This summation is vulnerable to an integer overflow, which enables a heap overflow. As a result, a sprayed value from Javascript ends up as a vtable pointer, which can be used with a forged vtable to start a ROP chain. More information [http://googleprojectzero.blogspot.com/2014/07/pwn4fun-spring-2014-safari-part-i_24.html here]. | When joining an array of strings, the lengths of the strings are summed to calculate the needed storage space. This summation is vulnerable to an integer overflow, which enables a heap overflow. As a result, a sprayed value from Javascript ends up as a vtable pointer, which can be used with a forged vtable to start a ROP chain. More information [http://googleprojectzero.blogspot.com/2014/07/pwn4fun-spring-2014-safari-part-i_24.html here]. | ||
| Line 20: | Line 20: | ||
==PPC kernel exploits== | ==PPC kernel exploits== | ||
===OSDriver race attack=== | ===OSDriver race attack=== | ||
| − | ''' | + | '''Present in system versions''': 2.0.0-5.4.0 |
| − | ''' | + | '''Publicly exploited in: ''': libwiiu |
The Cafe OS kernel implements a structure called an OSDriver, which can hold a 0x1000-byte cross-process data area. Accessing this data area is done through the CopyToSaveArea() and CopyFromSaveArea() [[Cafe OS Syscalls|syscalls]]. However, no lock on the OSDriver is held during the copy, allowing the save area to be freed and reallocated while the copy is taking place. With all 3 PPC cores, it is possible to copy over an OSDriver structure, and create a save area that points at the syscall table, giving PPC user mode code access to it. More information [http://gbatemp.net/threads/osdriver-kernel-exploit-a-technical-description.395444/ here]. | The Cafe OS kernel implements a structure called an OSDriver, which can hold a 0x1000-byte cross-process data area. Accessing this data area is done through the CopyToSaveArea() and CopyFromSaveArea() [[Cafe OS Syscalls|syscalls]]. However, no lock on the OSDriver is held during the copy, allowing the save area to be freed and reallocated while the copy is taking place. With all 3 PPC cores, it is possible to copy over an OSDriver structure, and create a save area that points at the syscall table, giving PPC user mode code access to it. More information [http://gbatemp.net/threads/osdriver-kernel-exploit-a-technical-description.395444/ here]. | ||
| Line 28: | Line 28: | ||
==IOSU module exploits== | ==IOSU module exploits== | ||
| − | === ioctlvhax - ioctlv TOCTOU | + | === ioctlvhax - ioctlv TOCTOU === |
| − | + | '''Present in system versions''': ???-5.2.0 | |
| − | + | ||
| + | This flaw technically is in the kernel, but it can be used to exploit a usermode module. | ||
| + | It allows changing an ioctlv vector buffer address entry after it has been validated by the kernel. Any module not checking the number of ioctlv vectors is vulnerable. More information [https://nwert.wordpress.com/2016/05/03/ioctlvhax/ here]. | ||
==IOSU kernel exploits== | ==IOSU kernel exploits== | ||
=== IOS_CreateThread unchecked memset === | === IOS_CreateThread unchecked memset === | ||
| + | '''Present in system versions''': ???-latest | ||
| + | |||
This system call will fill the stack of the newly created thread with a predefined constant (0xFA5A5A5A) without validating the passed stack address. | This system call will fill the stack of the newly created thread with a predefined constant (0xFA5A5A5A) without validating the passed stack address. | ||
Revision as of 16:13, 22 June 2016
PPC userspace exploits
RenderArena use-after-free
Application: Internet Browser
Present in system versions: 2.0.0-5.1.0
Public in libwiiu: Yes
An iframe is removed from its parent in a beforeload event and freed, but accessed for a vtable call later. Using Javascript, a vtable pointer is sprayed, occupying the frame's previous memory. A forged vtable referred to by the pointer is also sprayed. When WebKit attempts the virtual call, it goes to the forged vtable, which starts a ROP chain. More information here.
JSStringJoiner heap overflow
Application: Internet Browser
Present in system versions: 5.1.1-5.3.1 (possibly older versions, too)
Publicly exploited in: : libwiiu (5.3.2 only)
When joining an array of strings, the lengths of the strings are summed to calculate the needed storage space. This summation is vulnerable to an integer overflow, which enables a heap overflow. As a result, a sprayed value from Javascript ends up as a vtable pointer, which can be used with a forged vtable to start a ROP chain. More information here.
PPC kernel exploits
OSDriver race attack
Present in system versions: 2.0.0-5.4.0
Publicly exploited in: : libwiiu
The Cafe OS kernel implements a structure called an OSDriver, which can hold a 0x1000-byte cross-process data area. Accessing this data area is done through the CopyToSaveArea() and CopyFromSaveArea() syscalls. However, no lock on the OSDriver is held during the copy, allowing the save area to be freed and reallocated while the copy is taking place. With all 3 PPC cores, it is possible to copy over an OSDriver structure, and create a save area that points at the syscall table, giving PPC user mode code access to it. More information here.
IOSU module exploits
ioctlvhax - ioctlv TOCTOU
Present in system versions: ???-5.2.0
This flaw technically is in the kernel, but it can be used to exploit a usermode module. It allows changing an ioctlv vector buffer address entry after it has been validated by the kernel. Any module not checking the number of ioctlv vectors is vulnerable. More information here.
IOSU kernel exploits
IOS_CreateThread unchecked memset
Present in system versions: ???-latest
This system call will fill the stack of the newly created thread with a predefined constant (0xFA5A5A5A) without validating the passed stack address.