Changes

Jump to navigation Jump to search
229 bytes added ,  16:41, 1 July 2010
m
no edit summary
Line 16: Line 16:  
DS Station's web browser uses NetFront 3.3. This browser version has a stack smash bug in a function writing the URL from a tag field's value to the stack. This bug is present in at least one function, other functions don't seem to have this bug.
 
DS Station's web browser uses NetFront 3.3. This browser version has a stack smash bug in a function writing the URL from a tag field's value to the stack. This bug is present in at least one function, other functions don't seem to have this bug.
 
Nintendo Zone v3.0 has the bug. The layout of the Nintendo Zone binary NetFront html tag attribute strings were significantly changed, meaning NetFront was probably updated. The NetFront version user agent was removed from the NZone bin, so it's unknown what NetFront version NZone uses. A Nintendo Zone exploit couldn't be easily used by everyone, as Linux and a compatible hostapd wireless NIC is required. An SSID, and the WEP key generated from the SSID, from a real Nintendo Zone/DS Station AP is required.
 
Nintendo Zone v3.0 has the bug. The layout of the Nintendo Zone binary NetFront html tag attribute strings were significantly changed, meaning NetFront was probably updated. The NetFront version user agent was removed from the NZone bin, so it's unknown what NetFront version NZone uses. A Nintendo Zone exploit couldn't be easily used by everyone, as Linux and a compatible hostapd wireless NIC is required. An SSID, and the WEP key generated from the SSID, from a real Nintendo Zone/DS Station AP is required.
At real Nintendo Zone APs, a laptop running Linux with a wireless NIC supporting monitor mode would be needed to use the exploit at the NZone AP location.
+
At real Nintendo Zone APs, a laptop running Linux with a wireless NIC supporting monitor mode would be needed to use the exploit at the NZone AP location. If the NZone router model is found by capturing and sending a probe request, it should be possible to fake a NZone AP by using the router model used by NZone instead of using hostapd. (Unless the tag data is added by custom fw?)
 
This exploit would be meant more for reverse engineers.
 
This exploit would be meant more for reverse engineers.
  

Navigation menu