[Need Implementation] 3DS ARM11 Kernel Exploit by TuxSH

Discussion in '3DS - Homebrew Development and Emulators' started by NexoCube, Apr 5, 2017.

  1. NexoCube
    OP

    NexoCube stop using piracy :(

    Member
    1,184
    588
    Nov 3, 2015
    France
    Stack Pointer
    Hello, 2 days ago, @TuxSH revealed (on 3dbrew) a bug he found in the ARM11 kernel.

    Summary: svcGetThreadList (svc 0x66) process reference leak

    Description given: when given a valid process handle (including 0xFFFF8001), svcGetThreadList forgets to decrement the reference count of the underlying KProcess instance after having finished using it.

    What could happen if we exploit this bug: before 11.2, reference count overflow and therefore use-after-free, but this UAF was most likely not exploitable.

    Note (by me, lol):

    - 0xFFFF8001 = current KProcess handle
    - Kernel objects are C++ virtual classes, so they have a vtable (so, if you find a UAF bug in KObject management, it is "probably" exploitable)

    From what I understood, if that UAF were exploitable, it would lead to K11 code execution, because it means a vtable call (from a forged vtable).

    And pssstt... a kernel exploit doesn't always mean code execution.
     
    Last edited by NexoCube, Apr 5, 2017
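A toy model of the reference leak described in this post, added here as an example (it is not TuxSH's code or the 3DS kernel's): KObject, kobject_open, kobject_close, svc_leaky and svc_fixed are hypothetical names, and the counter is narrowed to 8 bits so the wrap is visible after a handful of calls. It shows the unpaired open beside the corrected pairing, and the point at which a wrapped count lets a single paired call free an object the handle table still owns.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy kernel object with an intrusive reference count (hypothetical names).
 * The counter is deliberately 8 bits wide so the wrap shows in a few calls. */
typedef struct { uint8_t refcount; bool freed; } KObject;

/* Resolving a handle hands the caller one reference it must later release. */
static KObject *kobject_open(KObject *obj) {
    obj->refcount++;                 /* fixed-width counter: 255 + 1 wraps to 0 */
    return obj;
}

/* Release one reference; the object is freed when the count reaches zero. */
static void kobject_close(KObject *obj) {
    if (--obj->refcount == 0) obj->freed = true;
}

/* Model of the reported bug: the process is opened, used and never closed. */
static int svc_leaky(KObject *proc) {
    KObject *p = kobject_open(proc);
    return p->freed ? -1 : 0;        /* missing kobject_close(p) */
}

/* Corrected pattern: every open is paired with a close on every path. */
static int svc_fixed(KObject *proc) {
    KObject *p = kobject_open(proc);
    int rc = p->freed ? -1 : 0;
    kobject_close(p);
    return rc;
}

/* Reference count left after n calls, starting from the single reference the
 * handle table itself holds on the object. */
static unsigned refcount_after(int (*svc)(KObject *), unsigned n) {
    KObject proc = { .refcount = 1, .freed = false };
    for (unsigned i = 0; i < n; i++) svc(&proc);
    return proc.refcount;
}

/* Failure mode: once the leaky path has wrapped the counter to zero, a single
 * correctly paired open/close frees the object while the table still owns it,
 * which is the use-after-free condition the thread describes. */
static bool freed_while_owned(unsigned leaky_calls) {
    KObject proc = { .refcount = 1, .freed = false };
    for (unsigned i = 0; i < leaky_calls; i++) svc_leaky(&proc);
    svc_fixed(&proc);
    return proc.freed;
}
```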
  2. Arck
    Just check how the fasthax "System Flaws" work on 3dbrew and check his repo so you can easily compare.
     
  3. GhostLatte
  4. Arck
  5. NexoCube
    OP
    Ehe, I watched 33c3 and read the desc.
     
  6. Giodude
    Interesting, more or less interested in the idea of arm11loaderhax coldbooting a custom OS vs installing an entire new one.
     
  7. NexoCube
    OP
    I heard each CPU has its own bootrom, so maybe someone can find a bug in the ARM11 BootROM.
     
  8. rotomington
    According to derrek, there really isn't anything interesting in prot_boot11.bin or unprot_boot11.bin. All the fun stuff's in prot_boot9.bin.

    Although, if there are any bugs in the ARM11 bootrom, they wouldn't be of much use since we'd need to reboot and have code execution just after boot (which, if you have it, you might as well use to exploit the ARM9 like in A9LH).
     
  9. NexoCube
    OP
    An ARM9 boot-time exploit is much more needed because it means we have full control over the 3DS a few milliseconds after boot.
     
  10. adrifcastr
    Wow, nobody seems to care that an implementation of this could actually lead to kernel11 code execution.
    If I were any good at C/C++ I would go and try, but I'm not good at all.
     
  11. metroid maniac
    Not that I want to hijack this thread, but I'm curious about something.
    How exactly can a use-after-free bug lead to an arbitrary code execution exploit in an NX environment?
    I assume the first step once you have a use-after-free bug would be to make a phony vtable with function pointers to useful gadgets, and then corrupt the freed object so its vptr points to your vtable.
    But then, how can you execute multiple gadgets in a row? Once your gadget executes, won't you just return to the regular program flow?
     
  12. TuxSH
    The bug I mentioned isn't usable, and very likely not exploitable (and not exploitable at all since 11.3).

    tl;dr nothing to see here
     
  13. NexoCube
    OP
    Oh okay :P