Changes

1,480 bytes added ,  20:58, 8 November 2016
Line 41: Line 41:  
'''Publicly exploited''': Yes
 
'''Publicly exploited''': Yes
   −
'''Discovered by''': yellows8, smea
+
'''Discovered by''': yellows8, smea (Early 2016)
    
The Wii U's data management system does not include provisions to validate title content integrity. As such, any game or app's contents may be altered by attackers. In particular, attackers with IOSU code execution may use FSA commands to alter the content files in USB or MLC filesystems. Alternatively, an attacker with control over certain PPC usermode processes (such as home menu or system settings) may use commands such as MCP:CopyTitle to copy title contents over from SD to MLC or USB.
 
The Wii U's data management system does not include provisions to validate title content integrity. As such, any game or app's contents may be altered by attackers. In particular, attackers with IOSU code execution may use FSA commands to alter the content files in USB or MLC filesystems. Alternatively, an attacker with control over certain PPC usermode processes (such as home menu or system settings) may use commands such as MCP:CopyTitle to copy title contents over from SD to MLC or USB.
   −
===haxchi===
+
====haxchi====
 
'''Present in system versions''': N/A
 
'''Present in system versions''': N/A
    
'''Publicly exploited''': Yes
 
'''Publicly exploited''': Yes
   −
'''Discovered by''': smea
+
'''Discovered by''': smea (Early 2016)
    
The Wii U Nintendo DS virtual console emulator is vulnerable to contenthax attacks. In particular, the rom parsing code lets an attacker perform fully controled arbitrary write operations, which very easily leads to ROP and code execution, because these titles are among the few that have JIT capabilities.
 
The Wii U Nintendo DS virtual console emulator is vulnerable to contenthax attacks. In particular, the rom parsing code lets an attacker perform fully controled arbitrary write operations, which very easily leads to ROP and code execution, because these titles are among the few that have JIT capabilities.
 +
 +
====N64 VC contenthax====
 +
'''Present in system versions''': N/A
 +
 +
'''Publicly exploited''': No
 +
 +
'''Discovered by''': yellows8 (Early 2016)
 +
 +
The Wii U N64 VC emulator title("VESSEL") has two known vulns which can be attacked via contenthax. These vulns were tested on hardware, but actual exploitation wasn't tested.
 +
 +
Note that this title can only write to codegen(JIT) via using OSCodegenCopy(), unlike other titles.
 +
 +
Currently this is the only known VC platform(N64) which is affected by any of these VESSEL vulns(not all platforms were checked for this).
 +
 +
The .ini loading occurs much earlier during title boot than the font loading. These vulns(or at least the .ini one) trigger while the system is still displaying the application spash-screen(from the title's meta/ directory).
 +
 +
* Stack buffer overflow when handling BMFont "pages". The entire block is copied to stack using just the size, without checking the size. The loaded data is not checked either, other than converting uppercase to lowercase('A'..'Z' to 'a'..'z'). This string is used with sprintf + PNG texture loading afterwards.
 +
* Heap buffer overflow during .ini parsing with field-data string starting with '"'. The allocated heap buffer is 0x100-bytes, but the size is not checked when copying the value string into this buffer. During copying/etc this string content is not checked/modified, besides checking for the end of the string with '"'. For example: HAX = "LONGSTRINGHERE"
    
==PPC kernel exploits==
 
==PPC kernel exploits==
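Review bot: The two bullets in the added N64 VC contenthax section should name what is actually trusted so a reader can judge the scope: the BMFont bullet says the block is copied to stack "using just the size, without checking the size" without saying which size field (the BMFont block header length?) is taken at face value, and the .ini bullet gives the 0x100-byte heap buffer but not which parser (a generic .ini loader or VESSEL's own) performs the unchecked copy. Suggest also qualifying "Present in system versions: N/A" with the VESSEL title version the hardware tests were run against, since VC titles receive their own updates independently of the system version, and fixing "spash-screen" to "splash-screen" in the added paragraph. Finally, "this is the only known VC platform(N64) which is affected by any of these VESSEL vulns" is ambiguous as to whether VESSEL code is shared by other VC emulators; state plainly whether the other platforms were not checked or were checked and found unaffected.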