Changes

660 bytes added ,  14:11, 29 July 2022
m
Add information about the /dev/sha IOS vulnerability - see https://github.com/TheLordScruffy/saoirse/blob/master/channel/Main/IOSBoot.cpp#L66
Line 118: Line 118:  
| {{SortableMonth}}
 
| {{SortableMonth}}
 
| Unknown
 
| Unknown
 +
|-
 +
| Kernel
 +
| /dev/sha does not correctly validate the destination vector {{Anchor|ios-shaaddr}}
 +
| /dev/sha does not check the length of an output vector for ioctlv 0 (SHA_Init), allowing the IOS memory bounds check to be bypassed by setting the length to 0. SHA_Init will attempt to initialise a context into the destination address regardless, and in doing so sets a few values within to 0. By providing the thread context of the kernel idle thread as the destination vector, IOS's kernel will branch to memory address 0.
 +
| Running IOS kernel-mode code in memory controllable via the PowerPC.
 +
| Unfixed
 +
| {{SortableMonth|May|2021}}
 +
| {{User|TheLordScruffy}}
 
|-
 
|-
 
|  ES
 
|  ES
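
Review bot: The description cell in the added row goes from "sets a few values within to 0" straight to "IOS's kernel will branch to memory address 0" without the step that connects them. It should say which part of the idle thread's context ends up zeroed and why the kernel then branches to 0, so the row can be checked against the code. The only reference is in the edit summary, and it links to a line on `master` (`IOSBoot.cpp#L66`), which will drift as the file changes. Put a commit-pinned link in the row itself. The "Unfixed" cell would also be easier to maintain if it noted which IOS versions were checked.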
