Difference between revisions of "Wii U system flaws"

From WiiUBrew
Jump to navigation Jump to search
(Create page detailing currently available exploits)
 
m (Fix lines/spacing)
Line 2: Line 2:
 
===RenderArena use-after-free===
 
===RenderArena use-after-free===
 
'''Application''': [[Internet Browser]]
 
'''Application''': [[Internet Browser]]
 +
 
'''Supported versions''': 2.0.0-5.1.0
 
'''Supported versions''': 2.0.0-5.1.0
 +
 
'''Public in libwiiu''': Yes
 
'''Public in libwiiu''': Yes
 +
 
An iframe is removed from its parent in a beforeload event and freed, but accessed for a vtable call later. Using Javascript, a vtable pointer is sprayed, occupying the frame's previous memory. A forged vtable referred to by the pointer is also sprayed. When WebKit attempts the virtual call, it goes to the forged vtable, which starts a ROP chain. More information [https://code.google.com/p/chromium/issues/detail?id=226696 here].
 
An iframe is removed from its parent in a beforeload event and freed, but accessed for a vtable call later. Using Javascript, a vtable pointer is sprayed, occupying the frame's previous memory. A forged vtable referred to by the pointer is also sprayed. When WebKit attempts the virtual call, it goes to the forged vtable, which starts a ROP chain. More information [https://code.google.com/p/chromium/issues/detail?id=226696 here].
  
 
===JSStringJoiner heap overflow===
 
===JSStringJoiner heap overflow===
 
'''Application''': [[Internet Browser]]
 
'''Application''': [[Internet Browser]]
 +
 
'''Supported versions''': 5.3.2 (works but unimplemented for 5.1.1-5.3.1)
 
'''Supported versions''': 5.3.2 (works but unimplemented for 5.1.1-5.3.1)
 +
 
'''Public in libwiiu''': Yes
 
'''Public in libwiiu''': Yes
 +
 
When joining an array of strings, the lengths of the strings are summed to calculate the needed storage space. This summation is vulnerable to an integer overflow, which enables a heap overflow. As a result, a sprayed value from Javascript ends up as a vtable pointer, which can be used with a forged vtable to start a ROP chain. More information [http://googleprojectzero.blogspot.com/2014/07/pwn4fun-spring-2014-safari-part-i_24.html here].
 
When joining an array of strings, the lengths of the strings are summed to calculate the needed storage space. This summation is vulnerable to an integer overflow, which enables a heap overflow. As a result, a sprayed value from Javascript ends up as a vtable pointer, which can be used with a forged vtable to start a ROP chain. More information [http://googleprojectzero.blogspot.com/2014/07/pwn4fun-spring-2014-safari-part-i_24.html here].
  
Line 15: Line 21:
 
===OSDriver race attack===
 
===OSDriver race attack===
 
'''Supported versions''': 2.0.0-5.4.0
 
'''Supported versions''': 2.0.0-5.4.0
 +
 
'''Public in libwiiu''': Yes
 
'''Public in libwiiu''': Yes
 +
 
The Cafe OS kernel implements a structure called an OSDriver, which can hold a 0x1000-byte cross-process data area. Accessing this data area is done through the CopyToSaveArea() and CopyFromSaveArea() [[Cafe OS Syscalls|syscalls]]. However, no lock on the OSDriver is held during the copy, allowing the save area to be freed and reallocated while the copy is taking place. With all 3 PPC cores, it is possible to copy over an OSDriver structure, and create a save area that points at the syscall table, giving PPC user mode code access to it. More information [http://gbatemp.net/threads/osdriver-kernel-exploit-a-technical-description.395444/ here].
 
The Cafe OS kernel implements a structure called an OSDriver, which can hold a 0x1000-byte cross-process data area. Accessing this data area is done through the CopyToSaveArea() and CopyFromSaveArea() [[Cafe OS Syscalls|syscalls]]. However, no lock on the OSDriver is held during the copy, allowing the save area to be freed and reallocated while the copy is taking place. With all 3 PPC cores, it is possible to copy over an OSDriver structure, and create a save area that points at the syscall table, giving PPC user mode code access to it. More information [http://gbatemp.net/threads/osdriver-kernel-exploit-a-technical-description.395444/ here].
  

Revision as of 01:05, 29 November 2015

PPC userspace exploits

RenderArena use-after-free

Application: Internet Browser

Supported versions: 2.0.0-5.1.0

Public in libwiiu: Yes

An iframe is removed from its parent in a beforeload event and freed, but accessed for a vtable call later. Using Javascript, a vtable pointer is sprayed, occupying the frame's previous memory. A forged vtable referred to by the pointer is also sprayed. When WebKit attempts the virtual call, it goes to the forged vtable, which starts a ROP chain. More information here.

JSStringJoiner heap overflow

Application: Internet Browser

Supported versions: 5.3.2 (works but unimplemented for 5.1.1-5.3.1)

Public in libwiiu: Yes

When joining an array of strings, the lengths of the strings are summed to calculate the needed storage space. This summation is vulnerable to an integer overflow, which enables a heap overflow. As a result, a sprayed value from Javascript ends up as a vtable pointer, which can be used with a forged vtable to start a ROP chain. More information here.

PPC kernel exploits

OSDriver race attack

Supported versions: 2.0.0-5.4.0

Public in libwiiu: Yes

The Cafe OS kernel implements a structure called an OSDriver, which can hold a 0x1000-byte cross-process data area. Accessing this data area is done through the CopyToSaveArea() and CopyFromSaveArea() syscalls. However, no lock on the OSDriver is held during the copy, allowing the save area to be freed and reallocated while the copy is taking place. With all 3 PPC cores, it is possible to copy over an OSDriver structure, and create a save area that points at the syscall table, giving PPC user mode code access to it. More information here.

IOSU module exploits

IOSU kernel exploits