Changes

441 bytes added, 07:14, 22 August 2022
→ IOS: added the hackmii installer syscall bug (probably the only one that was ever used)
Line 110: Line 110:  
| [[fail0verflow]]
 
| [[fail0verflow]]
 
|-
 
|-
βˆ’
| Kernel
+
| Kernel (IOSC)
 
| Default keys exist in the kernel binary. {{Anchor|ios-defaultkey}}
 
| Default keys exist in the kernel binary. {{Anchor|ios-defaultkey}}
 
| The Wii includes an [[Hardware/OTP|OTP]] bank of memory, which contains securely stored keys. However, IOS includes a copy of these keys, which it falls back to if the OTP keys are missing. Because these keys are identical, the OTP keys can easily be extracted from the IOS kernel binary if it is dumped.
 
| The Wii includes an [[Hardware/OTP|OTP]] bank of memory, which contains securely stored keys. However, IOS includes a copy of these keys, which it falls back to if the OTP keys are missing. Because these keys are identical, the OTP keys can easily be extracted from the IOS kernel binary if it is dumped.
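Review bot: the relabel of this row's component cell from "Kernel" to "Kernel (IOSC)" is not covered by the edit summary, which only describes adding the HackMii Installer syscall bug; either mention the relabel in the summary or split it into its own edit so the page history stays searchable. "IOSC" is also introduced here without a link or expansion, while the same row links [[Hardware/OTP|OTP]]; a link, or a parenthetical expansion on first use, would keep the table self-explanatory.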
Line 121: Line 121:  
| IOS_CreateMessageQueue does not verify the address {{Anchor|ios-mqaddr}}
 
| IOS_CreateMessageQueue does not verify the address {{Anchor|ios-mqaddr}}
 
| The IOS_CreateMessageQueue syscall does not call the verifyRange function that many syscalls call, despite taking a pointer and causing data to be written to it. Because data can be written there with IOS_SendMessage, this allows for arbitrary writes.
 
| The IOS_CreateMessageQueue syscall does not call the verifyRange function that many syscalls call, despite taking a pointer and causing data to be written to it. Because data can be written there with IOS_SendMessage, this allows for arbitrary writes.
βˆ’
| Arbitrary writes to IOS memory (possibly used in [[HackMii Installer]] 0.5-0.6)
+
| Arbitrary writes to IOS memory
 
| 4.3
 
| 4.3
 
| {{SortableMonth}}
 
| {{SortableMonth}}
 
| Unknown
 
| Unknown
 
|-
 
|-
βˆ’
| Kernel
+
| Kernel (IOSC)
 
| /dev/sha does not correctly validate the destination vector {{Anchor|ios-shaaddr}}
 
| /dev/sha does not correctly validate the destination vector {{Anchor|ios-shaaddr}}
 
| /dev/sha does not check the length of an output vector for ioctlv 0 (SHA_Init), allowing the IOS memory bounds check to be bypassed by setting the length to 0. SHA_Init will attempt to initialise a context into the destination address regardless, and in doing so sets a few values within to 0. By providing the thread context of the kernel idle thread as the destination vector, IOS's kernel will branch to memory address 0.
 
| /dev/sha does not check the length of an output vector for ioctlv 0 (SHA_Init), allowing the IOS memory bounds check to be bypassed by setting the length to 0. SHA_Init will attempt to initialise a context into the destination address regardless, and in doing so sets a few values within to 0. By providing the thread context of the kernel idle thread as the destination vector, IOS's kernel will branch to memory address 0.
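Review bot: dropping "(possibly used in [[HackMii Installer]] 0.5-0.6)" from the IOS_CreateMessageQueue impact cell leaves no record of why the hedge was removed; since the free_iobuf row added in this same edit credits "reverse engineering the HackMii Installer" for its attribution, a short note of the same kind (that the installer was found not to use this syscall) would stop a later editor from re-adding the claim. The row is otherwise left with a bare {{SortableMonth}} and "Unknown" for its discoverer, so the date of this bug remains an open item. The second change in this hunk, "Kernel" to "Kernel (IOSC)" for the /dev/sha row, is again not mentioned in the edit summary.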
Line 141: Line 141:  
| {{SortableMonth}}
 
| {{SortableMonth}}
 
|  {{User|segher}} and xt5 (independently)
 
|  {{User|segher}} and xt5 (independently)
 +
|-
 +
| Kernel
 +
| free_iobuf does not check the address
 +
| The free_iobuf syscall takes an iobuf pointer as a parameter and modifies it as a linked list. By passing an address outside the iobuf region to this syscall, arbitrary writes can be achieved.
 +
| Arbitrary write as the kernel (used by [[HackMii Installer]]s before v0.7)
 +
| [[4.3]]
 +
| {{SortableMonth|March 2008}}
 +
| fail0verflow; {{User|Hallowizer}} and {{User|GalaxyMaster}} (from reverse engineering the HackMii Installer)
 
|-
 
|-
 
| ES
 
| ES
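Review bot: the new free_iobuf row's name cell "free_iobuf does not check the address" is missing the {{Anchor|...}} that every other name cell in this table carries (ios-defaultkey, ios-mqaddr, ios-shaaddr), so the row cannot be linked to; add one in the same style, for example "| free_iobuf does not check the address {{Anchor|ios-iobufaddr}}" (the anchor name is only a suggestion). The version cell uses "[[4.3]]" where the neighbouring rows use a bare "4.3", so pick one form for the column. The description "takes an iobuf pointer as a parameter and modifies it as a linked list" reads oddly; something like "treats the pointer as an iobuf linked-list node and writes to it" says the same thing more clearly. Finally, the March 2008 discovery date and the "used by [[HackMii Installer]]s before v0.7" claim rest only on the reverse-engineering credit in the last cell, so a reference for both would help.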