Nvidia Shield TV Hit With High-Severity Security Flaws - Possible New Entry Points?

Discussion in 'Switch - Exploits, Custom Firmwares & Soft Mods' started by mattyxarope, Oct 15, 2019.

  1. mattyxarope
    So NVIDIA detailed two new exploits for the bootloader of the NVIDIA Shield TV:

    CVE‑2019‑5699
    NVIDIA Tegra bootloader contains a vulnerability where the software performs an incorrect bounds check, which may lead to buffer overflow resulting in escalation of privileges and code execution.

    and

    CVE‑2019‑5700
    NVIDIA Tegra software contains a vulnerability in the bootloader, where it does not validate the fields of the boot image, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.

    "The first flaw (CVE‑2019‑5699) stems from the bootloader in the Nvidia Tegra SoC of Nvidia Shield TV. This is the piece of code that runs before an operating system starts to run, and loads the operating system when a computer turns on. The issue is due to the software performing an incorrect bounds check. Bounds checking is a method of detecting whether a variable is within “bounds” before it is used in the memory buffer, which is a region of a physical memory storage. This flaw can lead to a buffer overflow; when more data is sent to a memory block (buffer) than it can hold. Attackers could leverage this flaw to launch escalation-of-privilege and code-execution attacks.

    The other flaw (CVE‑2019‑5700) exists in how the bootloader interacts with the boot image, a type of disk image that provides critical files necessary to load the device. The boot image typically contains a field that indicates a header version; the bootloader must check this header version field and parse the header accordingly. However, according to Nvidia, the bootloader in the vulnerable versions does not correctly validate the fields of the boot image. This glitch can lead to code execution, denial-of-service, escalation-of-privilege and information disclosure."

    https://nvidia.custhelp.com/app/answers/detail/a_id/4875

    Would these be applicable to the bootloader of the Switch?
     
    Last edited by mattyxarope, Oct 15, 2019
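As an added illustration of the two bug classes the quoted advisory text describes (an incorrect bounds check that can wrap, and boot image header fields trusted without validation), here is a small C example that is not NVIDIA's code and uses a hypothetical header layout: the wrapping 32-bit size check sits beside a hardened parser that validates the header version and region sizes in 64-bit arithmetic before trusting them. The magic string, version limit and page size are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define BOOT_MAGIC "BOOTIMG!"
#define MAX_HEADER_VERSION 2
#define SAMPLE_IMAGE_LEN 8192u

/* Hypothetical boot image header, loosely modelled on an Android-style layout
 * (magic, header version, region sizes, page size). Not NVIDIA's real format. */
struct boot_img_hdr {
    char     magic[8];
    uint32_t header_version;
    uint32_t kernel_size;
    uint32_t ramdisk_size;
    uint32_t page_size;   /* the header occupies the first page */
};
enum parse_result { PARSE_OK = 0, PARSE_BAD_MAGIC, PARSE_BAD_VERSION, PARSE_BAD_SIZE };

/* Incorrect bounds check of the kind the advisory describes: the 32-bit sum can
 * wrap, so an oversized kernel_size is accepted. Shown only as the contrast. */
int kernel_fits_unsafe(const uint8_t *img, uint32_t img_len) {
    struct boot_img_hdr h;
    memcpy(&h, img, sizeof h);                      /* no length check either */
    uint32_t end = h.page_size + h.kernel_size;     /* may overflow */
    return end <= img_len;
}

/* Hardened parse: validates magic, header version and page size, then checks in
 * 64-bit arithmetic that every declared region fits inside the buffer. */
enum parse_result parse_boot_image(const uint8_t *img, size_t img_len) {
    struct boot_img_hdr h;
    if (img == NULL || img_len < sizeof h) return PARSE_BAD_SIZE;
    memcpy(&h, img, sizeof h);
    if (memcmp(h.magic, BOOT_MAGIC, sizeof h.magic) != 0) return PARSE_BAD_MAGIC;
    if (h.header_version > MAX_HEADER_VERSION) return PARSE_BAD_VERSION;
    if (h.page_size < sizeof h || (h.page_size & (h.page_size - 1)) != 0) return PARSE_BAD_SIZE;
    uint64_t end = (uint64_t)h.page_size + h.kernel_size + h.ramdisk_size;
    return end > img_len ? PARSE_BAD_SIZE : PARSE_OK;
}

/* Constructed sample image (zeros after the header) with the given header fields. */
static uint8_t sample_image[SAMPLE_IMAGE_LEN];
const uint8_t *make_sample(uint32_t version, uint32_t kernel_size) {
    struct boot_img_hdr h = { BOOT_MAGIC, version, kernel_size, 0, 4096 };
    memset(sample_image, 0, sizeof sample_image);
    memcpy(sample_image, &h, sizeof h);
    return sample_image;
}
```

With a kernel_size near 4 GiB the unsafe check wraps and reports that the kernel fits, while the hardened parser rejects the same image.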
  2. leerpsp

    If that is the case, then we can get a cold boot CFW, if it runs before an operating system.
     
  3. linuxares

    Yeah, the first exploit, if it's possible on the Switch, is definitely a coldboot possibility. CVE‑2019‑5700, however, sounds like the RCM bug, no?

    EDIT: From what I get, it seems that they are both software patchable. So we should not update if Nintendo magically releases a new firmware update in the next couple of weeks, if these are exploitable.
     
    Last edited by linuxares, Oct 15, 2019
  4. Ericthegreat

    I didn't think about this when I read about the security issue. Interesting; if someone doesn't say something soon, Nintendo will patch it, and everyone will update.
     
  5. PRAGMA

    If people are curious (like I was), this doesn't seem to be the previously found selfblow exploit, as that one has a similar but different CVE.
     
  6. linuxares

    selfblow? I haven't heard about that one before either. Since it's software patchable, it sounds like it's something with the Android system, no?
     
  7. PRAGMA

    Selfblow isn't a Switch vulnerability, because the Switch doesn't use the same bootloader as typical Tegra devices (according to SciresM).
     
  8. mattyxarope
    In which case these two might be useless, unfortunately.
     
  9. PRAGMA

    Yep, sadly.
     
  10. mattyxarope
    I would have to assume that the two bootloaders share some commonality though, right?
     
  11. PRAGMA

    Not really; they would act differently depending on what they want to do on boot. There may be some similar code in play, but generally speaking, no.
     
  12. kevin corms

    Well, on the other hand, the fact that it runs Android means it isn't very secure in the first place. It's a great device for what it is, but I wouldn't trust my bank info or anything on it.
     
    Last edited by kevin corms, Oct 15, 2019
  13. linuxares

    No real electronic is "secure". It's just safe until someone really wants to get in.
     
  14. kevin corms

    There are variable levels of security, but yes, nothing is perfect. I don't get this argument that seems to come straight from Google: people are basically saying that since any security can be theoretically defeated, security is just a waste of time? That kind of logic just doesn't fly with me, sorry.
     
    Last edited by kevin corms, Oct 23, 2019
  15. ZachyCatGames

    The Switch’s bootloader is called pk1ldr; it’s completely custom, and has the single purpose of loading package1. pk1ldr isn’t exploitable in any useful way.
     