[Unconfirmed] ARM11 Kernel Vulnerability under 10.0.0-X

[RedBlueGreen]

If this actually becomes a kernel exploit it better fucking be for 10.1 too or I'll cut my fucking dick off FUUUUUUUUUUUUUCK I UPDATED LIKE 2 DAYS AGO!!!!

Sadly it will not. Nintendo patched the vulnerability. One will have to be found in 10.1 for it to happen.

 

[Intronaut]

@173210 did you check the BootNTR's source code? It has functions related to service handling

 

[GoodCookie88]

I asked him to post here

 

[730]

Sadly it will not. Nintendo patched the vulnerability. One will have to be found in 10.1 for it to happen.

And here I thought Nintendo wouldn't patch vulns unless they were publicly revealed... *sigh*
At least I still have my o3DS on 9.5, but not the same as n3DS.

 

[Arseface_TM]

has simply turned into a huge clusterfuck cuz ppl can't hold their willies

I dunno, from the looks of it lots of the posters have grabbed their willies. I'd say the problem is the reverse, premature ejacu...willy holding.

 

[BMO]

People getting jumpy and excited before anything actually happens as usual on here...

 

[NoNoNeko]

Well, Smea is definitely a blessing and curse. That doof said to update because it didn't change anything. Now I am at 10.1 because I updated 3 days ago like a dummy. I am super upset right now.

 

[Deleted User]

Never again will I update, even if the big guys say its okay

 

[Intronaut]

Maybe the users with 10.1 should compile the PoC and test if they receive the same output...

I think that is more useful than posts like "IT WILL WORK ON 10.X?" or "WHY THE F**K I UPDATED?"

 

[OctopusRift]

The larger you make your letters, the more people will consider you a noob. But perhaps the more I enlarge the text, the better chance MassExplosion213 has of seeing this thread.

found you on a Super Kool Youthful Portable Entertainment website..

 

[Jwiz33]

found you on a Super Kool Youthful Portable Entertainment website..

I don't have Skype. Maybe it's someone else.

 

[MassExplosion213]

Ok. I'm back. And now there's this. I'm going to look into it, however, this may or may not help with the sploit I was working on.

 

[NoNoNeko]

Never again will I update, even if the big guys say its okay

Same...

 

[OctopusRift]

I don't have Skype. Maybe it's someone else.

damn. i will find you.

 

[Jwiz33]

damn. i will find you.

I live by @Retr0Capez

 

[OctopusRift]

I live by @Retr0Capez

FOUND YA ON SKYPE. or nah.

 

[machinamentum]

[snip]
Usually 3dbrew writers don't provide actual unknown vulnerabilities, so I'm still wondering the following description is correct.

Yellows8 doesn't mention about the possibility of the case that s32_processorid is negative. It can result in kernel memory corruption, and eventually kernel code execution.

So, I wrote this simple PoC by modifying an example included in ctrulib.
[snip]
svcCreateThread actually returned 0 and the created thread didn't seem to work. So, my experiment is successful, probably.

Anyway, notice the following things.

• It has so many limitations and is not so easy to exploit.
• It's just ARM11 kernel vulnerability, not ARM9.

I assume the reason negative values aren't specified by yellows8 is because negative values don't need to be ranged checked since they're not used to index the MMU-table and a few negative values have semantic meaning to the kernel. From svc.h:

Value -1 means all CPUs and -2 read from the Exheader.

I am highly doubtful that any other negative values will overwrite kernel memory. Of course, you could always dump the vulnerable kernel and disassemble the thread scheduler to verify if yellows8 left details out.

 

[GoodCookie88]

Could he post in this thread too to say that?

There ya go

 

[Jwiz33]

FOUND YA ON SKYPE. or nah.

What's the username? I swear me no Skype
Sponsored by Krazy Youtube Poop and Endorsed by yo mama

 

[OctopusRift]

What's the username? I swear me no Skype
Sponsored by Krazy Youtube Poop and Endorsed by yo mama

ouch babe.