Difference between revisions of "DSiWare VulnList"

From DSiBrew
m
Line 9: Line 9:
 
!  Status
 
!  Status
 
!  Description
 
!  Description
 +
|-
 +
|  Bookworm
 +
|  High-scores and word list
 +
|  None
 +
|  Has ASCII null-terminated high-score list names and null-terminated word list strings.
 +
|-
 +
|  Escapee Go
 +
|  None
 +
|  None
 +
|  Has high-scores without names, scores are ASCII null-terminated strings.
 
|-
 
|-
 
|  Frogger Returns
 
|  Frogger Returns
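Review bot: The Status cell is "None" on both rows added at the top of this table (Bookworm, Escapee Go), so the Status column still tells a reader nothing about how far the analysis has got. Since the rows are being touched anyway, consider replacing "None" with what remains to be checked for each title.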
Line 14: Line 24:
 
|  None
 
|  None
 
|  Has ASCII null-terminated high-scores.
 
|  Has ASCII null-terminated high-scores.
|-
 
|  Bookworm
 
|  High-scores and word list
 
|  None
 
|  Has ASCII null-terminated high-score list names and null-terminated word list strings.
 
 
|-
 
|-
 
|  Legends of Exidia
 
|  Legends of Exidia
Line 24: Line 29:
 
|  None
 
|  None
 
|  Has ASCII player name in one file, and UCS-2 player name in a profile file.
 
|  Has ASCII player name in one file, and UCS-2 player name in a profile file.
|-
 
|  Escapee Go
 
|  None
 
|  None
 
|  Has high-scores without names, scores are ASCII null-terminated strings.
 
 
|}
 
|}
  
Line 39: Line 39:
 
!  Input type(s)
 
!  Input type(s)
 
!  Description
 
!  Description
 +
|-
 +
|  Arcade Hoops Basketball
 +
|  High-Scores, names via settings
 +
|  Has ASCII high-scores with null terminated strings, no string bugs.
 
|-
 
|-
 
|  Dark Void Zero
 
|  Dark Void Zero
Line 47: Line 51:
 
|  No manual input
 
|  No manual input
 
|  Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups.  High-scores doesn't have string bugs.
 
|  Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups.  High-scores doesn't have string bugs.
|-
 
|  Arcade Hoops Basketball
 
|  High-Scores, names via settings
 
|  Has ASCII high-scores with null terminated strings, no string bugs.
 
 
|-
 
|-
 
|  Paul's Shooting Adventure
 
|  Paul's Shooting Adventure
Line 66: Line 66:
 
!  Description
 
!  Description
 
|-
 
|-
FIZZ
+
24/7 Solitaire
|  High-scores
 
|  Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
 
|-
 
|  Photo Dojo
 
|  Handwritten character name via stylus
 
|  Savedata only contains .jpg files and some tiny "save"/"info" files.
 
|-
 
|  Photo Clock
 
 
|  None
 
|  None
Small savedata, no strings at all.
+
No high-scores or string input.
 
|-
 
|-
 
|  Brain Age Express: Arts & Letters
 
|  Brain Age Express: Arts & Letters
Line 86: Line 78:
 
|  No strings in savedata.
 
|  No strings in savedata.
 
|-
 
|-
WarioWare: Snapped
+
FIZZ
None
+
High-scores
No high-scores or string input.
+
Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
 
|-
 
|-
 
|  Gene Labs
 
|  Gene Labs
Line 94: Line 86:
 
|  Small savedata with no strings.
 
|  Small savedata with no strings.
 
|-
 
|-
24/7 Solitaire
+
Photo Clock
 +
|  None
 +
|  Small savedata, no strings at all.
 +
|-
 +
|  Photo Dojo
 +
|  Handwritten character name via stylus
 +
|  Savedata only contains .jpg files and some tiny "save"/"info" files.
 +
|-
 +
|  WarioWare: Snapped
 
|  None
 
|  None
 
|  No high-scores or string input.
 
|  No high-scores or string input.
 
|}
 
|}

Revision as of 19:50, 14 November 2010

This page lists DSiWare that might have vulnerabilities, such as strcpy or sprintf on strings read from savedata. If you know of DSiWare that has English-only string input (high-scores, player name, high-scores that use the username from system settings, etc.), mention it on IRC EFNet #dsidev, or contact yellowstar 6 at gmail dot com.

List of DSiWare with incomplete analysis

{|
! Name !! Input type(s) !! Status !! Description
|-
| Bookworm || High-scores and word list || None || Has ASCII null-terminated high-score list names and null-terminated word list strings.
|-
| Escapee Go || None || None || Has high-scores without names, scores are ASCII null-terminated strings.
|-
| Frogger Returns || High-scores || None || Has ASCII null-terminated high-scores.
|-
| Legends of Exidia || Player name || None || Has ASCII player name in one file, and UCS-2 player name in a profile file.
|}

List of DSiWare with finished analysis

{|
! Name !! Input type(s) !! Description
|-
| Arcade Hoops Basketball || High-Scores, names via settings || Has ASCII high-scores with null-terminated strings, no string bugs.
|-
| Dark Void Zero || High-Scores || No limit on length of drawn record names, no vuln with high-scores. The level var from savedata has no bounds check and is used with array indexes. This is not exploitable, since the array structs only contain char* strings and other fields, and that var is used with level class init. A level class init failure is most likely the cause of the crash, which isn't exploitable: level paths are determined by if statements, and the level object is used uninitialized when the level var is out of bounds.
|-
| Dracula || No manual input || Savedata contains ASCII high-scores from DSi username, and ASCII perks/powerups. High-scores don't have string bugs.
|-
| Paul's Shooting Adventure || High-Scores || Records are entered when you complete the game; names are null-terminated ASCII strings. Not exploitable.
|}
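The entries above turn on two checks: whether strings read from savedata are copied with a bound, and whether an index such as the level var is range-checked before use. The following C sketch is an added example, not code from any listed title; the record layout, field sizes and level table are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_FIELD 8   /* assumed fixed-width name field */
#define LEVEL_COUNT 4  /* assumed size of the level table */

/* Hypothetical save record; not the layout of any title listed here. */
struct save_record {
    uint8_t level;            /* index into level_paths */
    char    name[NAME_FIELD]; /* ASCII, may fill the field with no NUL */
};

static const char *const level_paths[LEVEL_COUNT] = {
    "lvl0.bin", "lvl1.bin", "lvl2.bin", "lvl3.bin"
};

/* Copy the name without trusting the file to terminate it. Returns the
 * length, or -1 if dst is too small or a byte is not printable ASCII. */
int load_name(const struct save_record *rec, char *dst, size_t dst_size)
{
    const char *nul = memchr(rec->name, '\0', NAME_FIELD);
    size_t len = nul ? (size_t)(nul - rec->name) : NAME_FIELD;

    if (len + 1 > dst_size)
        return -1;
    for (size_t i = 0; i < len; i++)
        if (rec->name[i] < 0x20 || rec->name[i] > 0x7e)
            return -1;
    memcpy(dst, rec->name, len);
    dst[len] = '\0';
    return (int)len;
}

/* Reject an out-of-range level before it is used as an array index. */
const char *load_level_path(const struct save_record *rec)
{
    return rec->level < LEVEL_COUNT ? level_paths[rec->level] : NULL;
}

int main(void)
{
    /* Constructed record: unterminated 8-byte name, level out of range. */
    struct save_record rec = { 9, {'A','B','C','D','E','F','G','H'} };
    char name[NAME_FIELD + 1];
    int n = load_name(&rec, name, sizeof name);
    printf("name len %d, level path %s\n", n,
           load_level_path(&rec) ? load_level_path(&rec) : "(rejected)");
    return 0;
}
```

A field that fills its whole width with no terminator, as in the FIZZ entry, is the case the `memchr` bound handles.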

List of DSiWare that probably don't have vulnerabilities

{|
! Name !! Input type(s) !! Description
|-
| 24/7 Solitaire || None || No high-scores or string input.
|-
| Brain Age Express: Arts & Letters || None || No strings in savedata.
|-
| Brain Age Express: Math || None || No strings in savedata.
|-
| FIZZ || High-scores || Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely.
|-
| Gene Labs || None || Small savedata with no strings.
|-
| Photo Clock || None || Small savedata, no strings at all.
|-
| Photo Dojo || Handwritten character name via stylus || Savedata only contains .jpg files and some tiny "save"/"info" files.
|-
| WarioWare: Snapped || None || No high-scores or string input.
|}