Hacking Potential switch v2 vulnerability discovered

Last edited by mathew77,
The thing is, even if this would work as an exploit, you must exploit multiple layers from a game. It's not just one and done from the game like on the Wii. Believe it or not, the Nintendo Switch has been pretty solid. It's Nvidia that has been the big issue for the Switch.
 
Yes. But this happens on the system level, not the game. Corruption is not the case here because each system module is hash checked before running, so data corruption is impossible in this case if you can still run the browser after a reboot.
I seriously think you misunderstand what "corrupted data" means. I'm not talking about corrupting files on the disk. It's the data in MEMORY that gets corrupted. Memory that is cleared when you restart, so your argument makes zero sense. Everything these people are arguing with me against is ALL data corruption. An overflow literally corrupts memory. This is how ROP works (but wouldn't work here because of ASLR).
Yes, ROP (Return-Oriented Programming) exploits corrupted memory by leveraging existing code snippets within a program to execute malicious instructions, essentially taking advantage of a memory corruption vulnerability to gain control flow within the application; it is often used when a buffer overflow occurs,
The OP was using DNS shenanigans to corrupt the memory. Data corruption. My very first, and very correct point.

Not to mention that another reply by this other person I just saw, clarifies that this person was straight up LYING when feeling offended when they were addressed as "dude" <- which is a gender fucking neutral thing in a large portion of the US, used amongst groups of girls too...
 
Last edited by urherenow,
i wish you'd stop embarrassing yourself.

the dns part is used to make the switch detect a captive portal, like hotel wifi. this is the easiest way to launch the web browser (but in applet mode, so it's not as useful as the tetris game way). this has nothing to do with data corruption.

what you're sort of describing is a buffer overflow, where a value with an expected size is copied in a way that doesn't check size (i.e. with a string it copies until it hits a zero byte when using strcpy), which can overwrite the return instruction pointer. this would indeed also cause a "data abort" most of the time, because most memory is not executable. but that'd presume running a game off newgrounds somehow randomly hits a vulnerability in webkit, which is extremely unlikely. that webkit is not aware of how much memory it can use and doesn't check if the buffer they get back from a malloc call points to 0x0, and then writes to it, is a much more reasonable assumption. this would be easy to do because applet mode is memory constrained on purpose.

anyway, i can't believe i am actually explaining this to such a piece of shit who called me a liar because he can't handle his half-put-together authoritative-sounding shit explanation being disproven and then goes on a rant about how my one sentence about preferring to not be misgendered constitutes hysteric screaming. also, for the record, you called me "bro".

i hope you step on a lego, you clown.
 
Last edited by Deleted member 731084,
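The two failure modes the post above describes, an unbounded strcpy into a fixed-size field and an unchecked malloc result, side by side with a hardened form. This is an added example, not code from the thread or from any Switch component; record_t, NAME_LEN, the injectable allocator and the error codes are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16                /* hypothetical fixed-size field */
typedef struct { char name[NAME_LEN]; } record_t;

enum { REC_OK = 0, REC_TOO_LONG = 1, REC_NO_MEMORY = 2 };

/* The pattern the post describes, kept only for contrast: strcpy copies until
 * it sees a NUL byte regardless of the destination size, and the malloc result
 * is dereferenced without a NULL check. Never feed this untrusted input. */
record_t *record_from_name_unchecked(const char *name) {
    record_t *r = malloc(sizeof *r);
    strcpy(r->name, name);         /* overflows on long input; writes through NULL on OOM */
    return r;
}

/* Hardened form: measure at most NAME_LEN bytes (so unterminated input cannot
 * be over-read), reject anything that leaves no room for the terminator, and
 * treat a NULL from the allocator as an error instead of writing through it.
 * The allocator is injectable so the out-of-memory path can be exercised. */
int record_from_name(const char *name, void *(*alloc)(size_t), record_t **out) {
    *out = NULL;
    size_t n = strnlen(name, NAME_LEN);
    if (n == NAME_LEN)
        return REC_TOO_LONG;       /* would need NAME_LEN + 1 bytes */
    record_t *r = alloc(sizeof *r);
    if (r == NULL)
        return REC_NO_MEMORY;      /* the memory-constrained applet case */
    memcpy(r->name, name, n + 1);  /* n + 1 includes the NUL and is known to fit */
    *out = r;
    return REC_OK;
}

/* Stand-in allocator that always fails, simulating an exhausted applet heap. */
static void *failing_alloc(size_t sz) { (void)sz; return NULL; }

int main(void) {
    record_t *r = NULL;
    printf("short name: %d\n", record_from_name("mario", malloc, &r));
    free(r);
    printf("long name:  %d\n", record_from_name("this-name-is-far-too-long", malloc, &r));
    printf("no memory:  %d\n", record_from_name("luigi", failing_alloc, &r));
    return 0;
}
```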
How I miss the days of the Twilight Hack. Nintendo spent ages dealing with a buffer overflow exploit using Epona's name then hackers moved onto other games.
 
Every six months or so, we see someone enter a thread with a glitch that happened when using their system in an unintended way claiming it could be a new hack. Let this serve as a lesson. Unless *you* are able to extrapolate this to some sort of exploit, it isn't a new exploit.
 
Lol... you made a new account for this? Come on, what's your real account? That error is triggered when corrupt data is detected, and is exactly why there is nothing there that can EVER be exploited.

The Switch's firmware has been thoroughly reverse-engineered. There ARE NO EXPLOITABLE VULNERABILITIES in software. Get over it and buy a mod chip.
let's see your proof then
 
Proof of what? Lack of vulnerabilities? Atmosphere source code. NX 100% reverse-engineered. It may be possible to crash/break a game or something, but games are sandboxed, and the system is also covered by ASLR. You want proof, you're gonna have to prove there IS a vulnerability that can be exploited. SciresM says there is none. I'm going to take a not so big leap of faith and trust that he knows what the hell he's talking about.


I seriously don't get people who ask for proof of a negative. If I walk to the beach, scoop out some water with a big bucket, and show you no whales... will that prove to you that there are no whales in the ocean? Ridiculous...
 
As a rule, I'd never invoke "proving a negative" in Infosec, and here's why.

As a general rule, every computer system ever known has unknown (and usually at least previously known) vulnerabilities. You have to assume there are vulnerabilities, and you have to layer your defenses in anticipation of them showing up. The Linux kernel is "100% reverse engineered open" and yet more clever ways to make it do unintended things are found regularly, after ~25 years in the enterprise and hackers' homes. The Switch's kernel is a fundamentally better design, which is a reason vulnerabilities show up less often; this is a layer. Even formal verification of correctness is not safe from implementation errors or side channels; it's useful in making sure you don't have an obvious problem in your design, but it doesn't assure being bug-free.

It doesn't matter if anyone will ever actually find one, but the assessment of security (and thus the burden of proof) is a sliding scale of rating how well a system is designed, a risk assessment, and it is never absolute in the direction of "safe". Just like you can't walk out of an MRT and claim you're *absolutely* cancer free.
 
You truly are clueless.
 
No, he's right. Bugs can be difficult to spot, even if you wrote the original source code. And one person isn't likely to spot them all. Sometimes it takes a second, or third pair of eyes, and often they're discovered by complete accident. Bugs often become apparent only when they're causing an issue.

Most crashes aren't exploitable, but sometimes that is the case and there have been exploits discovered as a result of crashes.
Still, it takes more than one bug to create an exploit chain so by itself it isn't useful.
 
Last edited by DinohScene,
No he isn't... in the slightest.
 
Last edited by DinohScene,
*modsnip*

Considering I am an actual pen tester as my job I would highly doubt it :rofl2::yay:
Can't wait to see your credentials. I wasn't going to lean on mine, but if you want to start a pissing contest.
*modsnip*
@DinohScene why'd you do that? Half of that wasn't even about this person, just my rationale for responding to bullshit.
 
Last edited by Deleted member 731084,
You're responding to a deleted post.
Want me to delete your message otherwise and call it a day?
 
Fair enough. Though unfortunately it's not a field that gets shown in thread view. Guess I gotta pony up Patron money if I want a trans pride flag there.
You could put 'She/Her' after your custom title 'Nuisance', which is publicly visible. That would be good enough.
 