[Unconfirmed] ARM11 Kernel Vulnerability under 10.0.0-X

173210 · Oct 6, 2015

Hello, I found something. I just found something and it may not be useful. Anyway, I'll post this because I don't know SVC handler well and have no idea where the function is. If you know how to find the actual code of SVC, please tell me. I'm a noob for 3DS.

3DS System Flaws - 3dbrew
http://www.3dbrew.org/wiki/3DS_System_Flaws

Usually 3dbrew writers don't provide actual unknown vulnerabilities, so I'm still wondering the following description is correct.

Yellows8 said:
The svcCreateThread changes with 10.0.0-Xdefinitely did fix a security issue.

Original code: "if(s32_processorid > <total_cores>)return 0xd8e007fd;"

New code: "if(s32_processorid >= <total_cores> || s32_processorid <= -4)return 0xd8e007fd;"

This fixed an off-by-one issue: if one would use processorid=total_cores, which isn't actually a valid value, svcCreateThread would accept that value on <10.0.0-X. This results in data being written out-of-bounds(baseaddr = arrayaddr + entrysize*processorid), which has the following result:

Old3DS: Useless kernel-mode crash due to accessing unmapped memory.

New3DS: uncontrolled data write into a kernel-mode L1 MMU-table. This isn't really useful: the data can't be controlled, and the data which gets overwritten is all-zero anyway(this isn't anywhere near MMU L1 entries for actually mapped memory).

Yellows8 doesn't mention about the possibility of the case that s32_processorid is negative. It can result in kernel memory corruption, and eventually kernel code execution.

So, I wrote this simple PoC by modifying an example included in ctrulib.

Code:

diff --git a/examples/threads/event/source/main.c b/examples/threads/event/source/main.c
index 1fcec86..dbe1d9e 100644
--- a/examples/threads/event/source/main.c
+++ b/examples/threads/event/source/main.c
@@ -36,7 +36,7 @@ int main(int argc, char** argv) {

        svcCreateEvent(&threadRequest,0);
        u32 *threadStack = memalign(32, STACKSIZE);
-       Result ret = svcCreateThread(&threadHandle, threadMain, 0, &threadStack[STACKSIZE/4], 0x3f, 0);
+       Result ret = svcCreateThread(&threadHandle, threadMain, 0, &threadStack[STACKSIZE/4], 0x3f, -2147483647);

        printf("thread create returned %x\n", ret);

svcCreateThread actually returned 0 and the created thread didn't seem to work. So, my experiment is successful, probably.

Anyway, notice the following things.

It has so many limitations and is not so easy to exploit.
It's just an ARM11 kernel vulnerability, not ARM9.

Status:
KTR 9.2: Confirmed it accepts a negative value.
CTR 9.9: Confirmed it has the vulnerable code at 0xfff079b4.
CTR 4.5: Confirmed it has the vulnerable code at 0xfff07b2c.

Update on 3dbrew.org

The previous version also allowed large negative s32_processorid values(negative processorid values are special values not actual procids), but it appears using values like that won't actually do anything(meaning no crash) besides the thread not running / thread not running for a while(besides triggering a kernelpanic with certain s32_processorid value(s)).

According to 3dbrew.org, s32_processorid should be larger than -4, which is the code-reversed value of the number of n3ds core.
So I carried out another experiment. It crashed when it took -4 as processorid on n3ds. So it may write the data in the same place as it does when it took 4 as processorid. It's still not clear whether it's exploitable or not.

I may have to develop ARM11 debugger...

zoogie · Oct 6, 2015

"It's just ARM11 kernel vulnerability, not ARM9."
but with arm11 kernel you could downgrade and gain arm9.

Deleted User · Oct 6, 2015

literally 1 hour after i updated.
well that's nice

OctopusRift · Oct 6, 2015

zoogie said:
"It's just ARM11 kernel vulnerability, not ARM9."
but with arm11 kernel you could downgrade and gain arm9.

Really? That's fucking amazing. Today is a good day. But. One question... when we had 9.5.0 why did no-one write a downgrader.

zoogie · Oct 6, 2015

OctopusRift said:
Really? That's fucking amazing. Today is a good day. But. One question... when we had 9.5.0 why did no-one write a downgrader.

Because the only known (at the time) arm11 kernel exploit was patched in 9.3.

Deleted User · Oct 6, 2015

FUUUUUUUUUUUUUUUUUUUUUUUUUUUUUCKKKKKKKKKKKKKKKKKK THHHIIIIIIIIIIISSSSSSSSSSSSS
I LITERALLY POSTED A THREAD YESTERDAY WHETHER OR NOT I SHOULD UPDATE AND EVERYONE SAID I SHOULD
LOOK GUYS NEW KERNAL VULNERABILITY
FUCK

The_Meistro · Oct 6, 2015

O COME ON! I just updated from 9.9 to 10.0x last night!!!!!
They said: if "theres gonna be an exploit for 9.3+ Then its gonna be for 10.0x also! No need to stay at 9.9!"
GOSH DANG IT

OctopusRift · Oct 6, 2015

Robfozz said:
FUUUUUUUUUUUUUUUUUUUUUUUUUUUUUCKKKKKKKKKKKKKKKKKK THHHIIIIIIIIIIISSSSSSSSSSSSS
I LITERALLY POSTED A THREAD YESTERDAY WHETHER OR NOT I SHOULD UPDATE AND EVERYONE SAID I SHOULD
LOOK GUYS NEW KERNAL VULNERABILITY
FUCK

butthurt

The_Meistro · Oct 6, 2015

Robfozz said:
FUUUUUUUUUUUUUUUUUUUUUUUUUUUUUCKKKKKKKKKKKKKKKKKK THHHIIIIIIIIIIISSSSSSSSSSSSS
I LITERALLY POSTED A THREAD YESTERDAY WHETHER OR NOT I SHOULD UPDATE AND EVERYONE SAID I SHOULD
LOOK GUYS NEW KERNAL VULNERABILITY
FUCK

OMG THIS GUY GETS ME!

lemanuel · Oct 6, 2015

So far no one has even proved that this actually works or if it actually gets Kernel Arm11 access. So you all don't start throwing fireworks yet until someone actually says something relevant about it

OctopusRift · Oct 6, 2015

zoogie said:
Because the only known (at the time) arm11 kernel exploit was patched in 9.3.

ok cool!

The_Meistro · Oct 6, 2015

You know what this means...
"KERNEL EXPLOIT ON 9.3+
OMG OMG OMG!"
Just wait.....

GeneticMars · Oct 6, 2015

Then what if im in 9.9 version?? will this benefit me??

Deleted User · Oct 6, 2015

Could someone explain why this wouldnt work on 10.0+? It might be in the OP but looking at that stuff makes my normie head hurt

zoogie · Oct 6, 2015

The_Meistro said:
You know what this means...
"KERNEL EXPLOIT ON 9.3+
OMG OMG OMG!"
Just wait.....

173210 actually has a track record (mostly PSP side but still). So maybe we should open our ears just a little.

Randomdude0 · Oct 6, 2015

The_Meistro said:
You know what this means...
"KERNEL EXPLOIT ON 9.3+
OMG OMG OMG!"
Just wait.....

And, in the random case it does lead to a kernel exploit the countless posts and comments...

"WILL THIS WORK ON MY RECENT FW 10.1+?????? OMG I SO NOOB PLZ HALP"

ArmoredGuns1 · Oct 6, 2015

I hope someone figures it out. Having a 9.5 and a 9.9 O3DS in the waiting list.

ultramario1998 · Oct 6, 2015

Oh wow, hopefully somebody gets this into a workable state sometime soon. So happy I didn't update my o3ds!

AutumnWolf · Oct 6, 2015

Humm??
Are you planning to work on this?

mungry · Oct 6, 2015

Yes! Wow.... I'm so happy I told myself to stay on 9.9! :grog:

[Unconfirmed] ARM11 Kernel Vulnerability under 10.0.0-X

Well-Known Member

playing around in the end of life

Deleted User

Guest

GBATemp's Local Octopus, Open 9am-2am. "Not Yet"

playing around in the end of life

Deleted User

Guest

GBATemp's "Official" Hank Hill

GBATemp's Local Octopus, Open 9am-2am. "Not Yet"

GBATemp's "Official" Hank Hill

Maxconsole's All-Knowing Lurker

GBATemp's Local Octopus, Open 9am-2am. "Not Yet"

GBATemp's "Official" Hank Hill

Member

Deleted User

Guest

playing around in the end of life

Well-Known Member

Well-Known Member

no woof tipsic

JRPG enjoyer, Xenoblade, YS and DQ connoisseur

Well-Known Member

Similar threads

Popular threads in this forum