Changes

635 bytes added ,  21:45, 2 April 2023
no edit summary
Line 143: Line 143:  
| The Wii U doesn't verify that the total length of the USB configuration descriptor matches the total length used to determine the buffer size. This allows placing endpoint descriptors outside of the allocated buffer which will be swapped.
 
| The Wii U doesn't verify that the total length of the USB configuration descriptor matches the total length used to determine the buffer size. This allows placing endpoint descriptors outside of the allocated buffer which will be swapped.
 
| Out of bounds byteswap in IOS-USB heap. Can lead to ROP, see [https://garyodernichts.blogspot.com/2022/06/exploiting-wii-us-usb-descriptor-parsing.html this post].
 
| Out of bounds byteswap in IOS-USB heap. Can lead to ROP, see [https://garyodernichts.blogspot.com/2022/06/exploiting-wii-us-usb-descriptor-parsing.html this post].
 +
| None
 +
| [[User:GaryOderNichts|GaryOderNichts]]
 +
|-
 +
| Heap buffer overflow in DNS response processing
 +
| IOS-NET uses a modified version of NicheStack which is affected by [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25928 CVE-2020-25928]. Unlike described by the CVE, the IOS-NET implementation has an additional check for DNS PTR answers, which ensures the data isn't copied past the end of the buffer.
 +
For additional PTR records pointing at the first answer name <code>dnc_set_answer</code> is still called without checking the response data length field though.
 +
| Out-of-bounds heap write. Might be possible to exploit.
 
| None
 
| None
 
| [[User:GaryOderNichts|GaryOderNichts]]
 
| [[User:GaryOderNichts|GaryOderNichts]]
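Review bot: In the added description cell of the DNS row, the second sentence says dnc_set_answer is called "without checking the response data length field" but does not say which buffer is written past or how large it is, and the impact cell stops at "Might be possible to exploit". Suggest naming the destination buffer and its size where known, so readers can judge the out-of-bounds heap write against the PTR-answer check described in the first sentence. The sentence also reads better as "For additional PTR records pointing at the first answer name, dnc_set_answer is still called without checking the response data length field." The change has no edit summary; a one-line summary naming the new IOS-NET entry and CVE-2020-25928 would make the page history searchable.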
