[Unconfirmed] ARM11 Kernel Vulnerability under 10.0.0-X

Discussion in 'The Edge of the Forum' started by 173210, Oct 6, 2015.

Thread Status:
Not open for further replies.
  1. 173210 (GBAtemp Regular, OP) - Member, joined Jan 22, 2014, Japan
    Hello, I found something. I just found something and it may not be useful. Anyway, I'll post this because I don't know the SVC handler well and have no idea where the function is. If you know how to find the actual code of the SVC, please tell me. I'm a noob at 3DS. ;)

    3DS System Flaws - 3dbrew
    http://www.3dbrew.org/wiki/3DS_System_Flaws

    Usually 3dbrew writers don't provide actual unknown vulnerabilities, so I'm still wondering whether the following description is correct.
    Yellows8 doesn't mention the possibility of the case where s32_processorid is negative. It can result in kernel memory corruption, and eventually kernel code execution.

    So, I wrote this simple PoC by modifying an example included in ctrulib.
    Code:
    diff --git a/examples/threads/event/source/main.c b/examples/threads/event/source/main.c
    index 1fcec86..dbe1d9e 100644
    --- a/examples/threads/event/source/main.c
    +++ b/examples/threads/event/source/main.c
    @@ -36,7 +36,7 @@ int main(int argc, char** argv) {
    
            svcCreateEvent(&threadRequest,0);
            u32 *threadStack = memalign(32, STACKSIZE);
    -       Result ret = svcCreateThread(&threadHandle, threadMain, 0, &threadStack[STACKSIZE/4], 0x3f, 0);
    +       Result ret = svcCreateThread(&threadHandle, threadMain, 0, &threadStack[STACKSIZE/4], 0x3f, -2147483647);
    
            printf("thread create returned %x\n", ret);
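    Review bot: the only observable here is the printed `ret`, so a 0 return cannot tell "the kernel accepted the negative processor id" apart from "the kernel clamped or ignored it"; the event created two lines above with `svcCreateEvent(&threadRequest,0)` is never used to confirm whether the thread ran. Have `threadMain` call `svcSignalEvent(threadRequest)` as its first statement and wait on it with a bounded `svcWaitSynchronization(threadRequest, timeout)` after the `printf`, so "created but never scheduled" becomes an explicit timeout result instead of an impression. Also replace the bare `-2147483647` with a named constant and note its hex form `(s32)0x80000001` in a comment, since the sign bit, not the decimal value, is the thing under test.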
    svcCreateThread actually returned 0 and the created thread didn't seem to work. So, my experiment is successful, probably. :P

    Anyway, notice the following things.
    • It has so many limitations and is not so easy to exploit.
    • It's just an ARM11 kernel vulnerability, not ARM9.
    Status:
    KTR 9.2: Confirmed it accepts a negative value.
    CTR 9.9: Confirmed it has the vulnerable code at 0xfff079b4.
    CTR 4.5: Confirmed it has the vulnerable code at 0xfff07b2c.

    Update on 3dbrew.org
    According to 3dbrew.org, s32_processorid should be larger than -4, which is the sign-reversed value of the number of n3ds cores.
    So I carried out another experiment. It crashed when it took -4 as processorid on n3ds. So it may write the data in the same place as it does when it takes 4 as processorid. It's still not clear whether it's exploitable or not.

    I may have to develop an ARM11 debugger...
     
    Last edited by 173210, Oct 6, 2015 - Reason: Add "Update on 3dbrew.org"
    ShinkoNet, Tony_93, cynosura and 19 others like this.
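The bug class the OP describes, modelled as an added C example that is not the 3DS kernel's code and not ctrulib's: a signed processor id used as an index into a per-core table with only an upper-bound check, beside the usual unsigned-compare fix. The names (`kernel_state`, `create_thread_vuln`, `create_thread_fixed`, `corrupted_words_vuln`, `RESULT_*`), the result codes, the table layout and the 4-core count (the N3DS figure mentioned in the thread) are all assumptions made for the model.

```c
/*
 * Added example (not the 3DS kernel's code, not ctrulib's): a model of the
 * bug class the OP describes. A signed processor id is used as an index into
 * a per-core table, and the only check is the upper bound, so a negative id
 * writes *before* the table. Everything here is hypothetical: the names,
 * the result codes, the table layout and the 4-core count.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t s32;

#define NUM_CORES 4                 /* assumption: N3DS-style core count */
#define RESULT_OK 0                 /* hypothetical result codes */
#define RESULT_INVALID_ID (-1)

/*
 * Hypothetical kernel state. words[0..NUM_CORES-1] stand in for whatever
 * kernel data sits just before the per-core table; words[NUM_CORES..] is the
 * table itself. One flat array is used so that table[-1] .. table[-NUM_CORES]
 * is defined pointer arithmetic in this model (in a real kernel it would be
 * a wild write into whatever precedes the table).
 */
struct kernel_state {
    uint32_t words[2 * NUM_CORES];
};

static uint32_t *core_table(struct kernel_state *ks)
{
    return ks->words + NUM_CORES;
}

/* Vulnerable model: rejects ids that are too large but never checks the
 * sign, so every negative id indexes backwards out of the table. */
int create_thread_vuln(struct kernel_state *ks, s32 processor_id)
{
    if (processor_id >= NUM_CORES)
        return RESULT_INVALID_ID;
    core_table(ks)[processor_id] += 1;   /* out-of-bounds write for id < 0 */
    return RESULT_OK;
}

/* Hardened model: one unsigned compare rejects ids >= NUM_CORES and every
 * negative id at once, because a negative s32 becomes a huge uint32 (the
 * OP's -2147483647 is 0x80000001). A kernel that reserves negative ids for
 * special meanings must map them to a concrete core before this check and
 * must never index with them. */
int create_thread_fixed(struct kernel_state *ks, s32 processor_id)
{
    if ((uint32_t)processor_id >= (uint32_t)NUM_CORES)
        return RESULT_INVALID_ID;
    core_table(ks)[processor_id] += 1;
    return RESULT_OK;
}

/*
 * Runs the vulnerable path on a zeroed state and returns how many words
 * before the table were modified: 0 for an in-range id, 1 for any id in
 * [-NUM_CORES, -1], and -1 when the call was rejected. Only call this with
 * ids >= -NUM_CORES; anything smaller leaves the model's array, which is the
 * wild write being illustrated and not something to execute in a demo.
 */
int corrupted_words_vuln(s32 processor_id)
{
    struct kernel_state ks;
    memset(&ks, 0, sizeof ks);
    if (create_thread_vuln(&ks, processor_id) != RESULT_OK)
        return -1;
    int n = 0;
    for (int i = 0; i < NUM_CORES; i++)
        if (ks.words[i] != 0)
            n++;
    return n;
}

int main(void)
{
    struct kernel_state ks;
    const s32 ids[] = { 0, 3, 4, -1, -4, -2147483647 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        memset(&ks, 0, sizeof ks);
        printf("id %11d: fixed -> %d", ids[i], create_thread_fixed(&ks, ids[i]));
        if (ids[i] >= -NUM_CORES) {
            int n = corrupted_words_vuln(ids[i]);
            if (n < 0)
                printf(", vuln -> rejected\n");
            else
                printf(", vuln -> %d word(s) before the table clobbered\n", n);
        } else {
            printf(", vuln path not run (would be a wild write)\n");
        }
    }
    return 0;
}
```

The point of the model is the check, not the table: `processor_id >= NUM_CORES` on a signed value lets every negative id through, and the single unsigned compare in the hardened version closes the whole range at once, including the OP's -2147483647 and the -4 that crashed on N3DS.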


  2. zoogie (simple pimp tool) - Member, joined Nov 30, 2014, United States
    "It's just an ARM11 kernel vulnerability, not ARM9."
    But with the ARM11 kernel you could downgrade and gain ARM9.
     
  3. Petraplexity (Fidget-Spinning Spicy Memelord™) - Member, joined Sep 5, 2015, United States, Over There
    Literally 1 hour after I updated.
    Well, that's nice.
     
    xmosh, ShinkoNet, clank and 8 others like this.
  4. OctopusRift (GBATemp's Local Octopus, Open 9am-2am. "Not Yet") - Member, joined Nov 19, 2014, Saint Kitts and Nevis
    Really? That's fucking amazing. Today is a good day. But. One question... when we had 9.5.0, why did no one write a downgrader?
     
    Margen67 likes this.
  5. zoogie (simple pimp tool) - Member, joined Nov 30, 2014, United States
    Because the only known (at the time) ARM11 kernel exploit was patched in 9.3.
     
    Margen67 and OctopusRift like this.
  6. Robfozz (GBAtemp Smartass) - Member, joined Apr 19, 2014, United States, Onett
    FUUUUUUUUUUUUUUUUUUUUUUUUUUUUUCKKKKKKKKKKKKKKKKKK THHHIIIIIIIIIIISSSSSSSSSSSSS
    I LITERALLY POSTED A THREAD YESTERDAY ASKING WHETHER OR NOT I SHOULD UPDATE AND EVERYONE SAID I SHOULD
    LOOK GUYS, NEW KERNEL VULNERABILITY
    FUCK
     
    ShinkoNet, cynosura, WeedZ and 9 others like this.
  7. The_Meistro (GBATemp's "Official" Hank Hill) - Banned, joined Aug 22, 2015, The Magic School Bus
    OH COME ON! I just updated from 9.9 to 10.0x last night!!!!!
    They said: "If there's gonna be an exploit for 9.3+, then it's gonna be for 10.0x also! No need to stay at 9.9!"
    GOSH DANG IT
     
    Margen67 and 173210 like this.
  8. OctopusRift (GBATemp's Local Octopus, Open 9am-2am. "Not Yet") - Member, joined Nov 19, 2014, Saint Kitts and Nevis
    butthurt
     
  9. The_Meistro (GBATemp's "Official" Hank Hill) - Banned, joined Aug 22, 2015, The Magic School Bus
    OMG THIS GUY GETS ME!
     
    Margen67 likes this.
  10. lemanuel (Maxconsole's All-Knowing Lurker) - Member, joined Dec 11, 2014, Portugal
    So far no one has even proved that this actually works or whether it actually gets ARM11 kernel access. So don't you all start throwing fireworks yet until someone actually says something relevant about it.
     
    ShinkoNet, nxwing, Margen67 and 7 others like this.
  11. OctopusRift (GBATemp's Local Octopus, Open 9am-2am. "Not Yet") - Member, joined Nov 19, 2014, Saint Kitts and Nevis
    ok cool!
     
    Margen67 likes this.
  12. The_Meistro (GBATemp's "Official" Hank Hill) - Banned, joined Aug 22, 2015, The Magic School Bus
    You know what this means...
    "KERNEL EXPLOIT ON 9.3+
    OMG OMG OMG!"
    Just wait.....
     
    Margen67 likes this.
  13. GeneticMars (Newbie) - Newcomer, joined Oct 6, 2015
    Then what if I'm on version 9.9?? Will this benefit me?? :lol:
     
    Margen67 likes this.
  14. Robfozz (GBAtemp Smartass) - Member, joined Apr 19, 2014, United States, Onett
    Could someone explain why this wouldn't work on 10.0+? It might be in the OP, but looking at that stuff makes my normie head hurt.
     
    Margen67 likes this.
  15. zoogie (simple pimp tool) - Member, joined Nov 30, 2014, United States
    173210 actually has a track record (mostly PSP side but still). So maybe we should open our ears just a little.
     
  16. Randomdude0 (Advanced Member) - Newcomer, joined Jun 4, 2015, Colombia
    And, in the random case it does lead to a kernel exploit, the countless posts and comments...

    "WILL THIS WORK ON MY RECENT FW 10.1+?????? OMG I SO NOOB PLZ HALP"
     
    Bubsy Bobcat and Margen67 like this.
  17. ArmoredGuns1 (GBAtemp Regular) - Member, joined Sep 27, 2007, United States
    I hope someone figures it out. Having a 9.5 and a 9.9 O3DS on the waiting list.
     
    Margen67 likes this.
  18. ultramario1998 (no woof tipsic) - Member, joined May 7, 2014, United States, Not Here
    Oh wow, hopefully somebody gets this into a workable state sometime soon. So happy I didn't update my o3ds!
     
    Margen67 likes this.
  19. Sinon (The Wolf Girl) - Member, joined Sep 15, 2015, Costa Rica
    Humm??
    Are you planning to work on this?
     
    Margen67 likes this.
  20. mungry (GBAtemp Fan) - Member, joined Jul 29, 2015, United States
    Yes! Wow.... I'm so happy I told myself to stay on 9.9! :grog:
     
    Tony_93, Margen67 and Jwiz33 like this.