Difference between revisions of "DSiWare VulnList"
Line 9: | Line 9: | ||
! Status | ! Status | ||
! Description | ! Description | ||
− | |||
− | |||
− | |||
− | |||
− | |||
|} | |} | ||
Line 27: | Line 22: | ||
| Dark Void Zero | | Dark Void Zero | ||
| High-Scores | | High-Scores | ||
− | | No limit on length of drawn record names, no vuln with high-scores. The level var from savedata doesn't have any bounds check, this is used with array indexes. This is not exploitable since the array structs only contain char* strings and other fields. | + | | No limit on length of drawn record names, no vuln with high-scores. The level var from savedata doesn't have any bounds check, this is used with array indexes. This is not exploitable since the array structs only contain char* strings and other fields, and that var is used with level class init. Level class init fail is most likely the cause of the crash which isn't exploitable, level paths are determined by if statements and the level object is used uninitialized when the level var is out-of-bounds. |
|- | |- | ||
| Dracula | | Dracula | ||
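Review bot: The text added to the Dark Void Zero description refers to "the crash", but nothing earlier in the entry says a crash occurs. State what triggers it before attributing it to the level class init failure. The addition is also a comma-spliced run-on; splitting it after "level class init" would make the non-exploitability reasoning easier to follow.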
Line 40: | Line 35: | ||
| None | | None | ||
| No high-scores or string input. | | No high-scores or string input. | ||
+ | |- | ||
+ | | Paul's Shooting Adventure | ||
+ | | None | ||
+ | | No string input. | ||
|} | |} | ||
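Review bot: The new Paul's Shooting Adventure row says only "No string input.", while the neighbouring 24/7 Solitaire row says "No high-scores or string input." Say whether high-scores were checked as well, so the entry is comparable with the other "None" rows.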
Revision as of 18:10, 13 November 2010
This lists DSiWare that might have vulnerabilities, such as strcpy or sprintf used on strings from savedata. If you know of DSiWare that has English-only string input (high-scores, player name, high-scores that use the username from system settings, etc.), mention it on IRC EFNet #dsidev, or contact yellowstar 6 at gmail dot com.
List of DSiWare with incomplete analysis
Name | Input type(s) | Status | Description |
---|---|---|---|
List of DSiWare with finished analysis
Name | Input type(s) | Description |
---|---|---|
Dark Void Zero | High-Scores | No limit on length of drawn record names; no vuln with high-scores. The level var from savedata doesn't have any bounds check and is used with array indexes. This is not exploitable since the array structs only contain char* strings and other fields, and that var is used with level class init. Level class init failure is most likely the cause of the crash, which isn't exploitable: level paths are determined by if statements, and the level object is used uninitialized when the level var is out-of-bounds. |
Dracula | No manual input | Savedata contains ASCII high-scores from the DSi username, and ASCII perks/powerups. High-scores don't have string bugs. |
Arcade Hoops Basketball | High-Scores, names via settings | Has ASCII high-scores with null-terminated strings, no string bugs. |
24/7 Solitaire | None | No high-scores or string input. |
Paul's Shooting Adventure | None | No string input. |
List of DSiWare that probably don't have vulnerabilities
Name | Input type(s) | Description |
---|---|---|
FIZZ | High-scores | Savedata contains ASCII high-scores, but all the high-scores are contained in the same string without a null terminator. A vuln is unlikely. |
Photo Dojo | Handwritten character name via stylus | Savedata only contains .jpg files and some tiny "save"/"info" files. |
Photo Clock | None | Small savedata, no strings at all. |
Brain Age Express: Arts & Letters | None | No strings in savedata. |
Brain Age Express: Math | None | No strings in savedata. |
WarioWare: Snapped | None | No high-scores or string input. |
Gene Labs | None | Small savedata with no strings. |