Nintendo hacker PabloMK7 has released ENLBufferPwn, an exploit including proof of concept code, which demonstrates a critical vulnerability in multiple Nintendo first party games. Demo videos of the exploit show that it is possible to take full control of a target’s console, simply by having them join a multiplayer game.
Impacted games include Mario Kart 7, Mario Kart 8, Splatoon 1, 2, 3, Nintendo Switch Sports, and other Nintendo first party titles. The hacker explains that the vulnerability can be used as part of an exploit chain to run custom code on the consoles. However Nintendo have patched the vulnerability in most games already, following disclosure through their bounty program late last year.
What is ENLBufferPwn for Nintendo Switch, Wii U, and 3DS?
ENLBufferPwn is a vulnerability in the common network code of several first party Nintendo games since the Nintendo 3DS that allows an attacker to execute code remotely in the victim’s console by just having an online game with them (remote code execution). It was dicovered by multiple people independently during 2021 and reported to Nintendo during 2021 and 2022. Since the initial report, Nintendo has patched the vulnerability in many vulnerable games. The information in this repository has been safely disclosed after getting permission from Nintendo.
The vulnerability has scored a 9.8/10 (Critical) in the CVSS 3.1 calculator.
Here is a list of games that are known to have had the vulnerability at some point (all the Switch and 3DS games listed have received updates that patch the vulnerability, so they are no longer affected):
- Mario Kart 7 (fixed in v1.2)
- Mario Kart 8 (still not fixed)
- Mario Kart 8 Deluxe (fixed in v2.1.0)
- Animal Crossing: New Horizons (fixed in v2.0.6)
- ARMS (fixed in v5.4.1)
- Splatoon (still not fixed)
- Splatoon 2 (fixed in v5.5.1)
- Splatoon 3 (fixed in late 2022, exact version unknown)
- Super Mario Maker 2 (fixed in v3.0.2)
- Nintendo Switch Sports (fixed in late 2022, exact version unknown)
- Probably more…
Combined with other OS vulnerabilities, full remote console takeover can be achieved. This has been demonstrated in the case of Mario Kart 7, where a payload is sent to launch SafeB9SInstaller. However, it is theoretically possible to do other malicious activities, such as stealing account/credit card information or taking unauthorized audio/video recordings using the console built-in mic/cameras.
The hacker provided proof of concept videos to showcase the vulnerability, in Mario Kart 7 and Mario Kart 8
Technical Details of ENLBufferPwn
From the exploit’s readme:
The ENLBufferPwn vulnerability exploits a buffer overflow in the C++ class
NetworkBuffer present in the network library
Net in Mario Kart 7) used by many first party Nintendo games. This class contains two methods
Set which fill a network buffer with data coming from other players. However, none of those methods check that the input data actually fits in the network buffer. Since the input data is controllable, a buffer overflow can be triggered on a remote console by just having an online game session with the attacker. If done properly, the victim user may not even notice a vulnerability was triggered in their console. The consequences of this buffer overflow vary on the game, from simple inoffensive modifications to the game’s memory (like repeatedly opening and closing the home menu on the 3DS) to more severe actions like taking full control of the console
Can I hack my Nintendo Switch with ENLBufferPwn?
Setting the 3DS and Wii U aside for a minute, I do not think this exploit can easily be leveraged to hack the Nintendo Switch:
- First of all, it would require to be chained with other vulnerabilities to get privilege escalation, and to my knowledge there are no publicly known kernel exploits in the latest firmware (some were allegedly patched recently, though)
- But ore importantly, the fact that this requires to join online games probably means Nintendo has multiple ways to prevent this, patching the games being the obvious, but not the only one. In other words, by the time the exploit was publicly disclosed, it was already dead. Unlike your typical “offline” exploit were people who stayed on a lower firmware could hope for a Jailbreak, online access (to Nintendo’s servers) usually means having the latest firmware and the latest patch for your specific game installed, meaning a patched vulnerability.
In other words, although the vulnerability is critical, and could impact other games, I do not see personally how this could be used for a “beneficial” exploit on the Nintendo Switch. The best (and only) way to hack your Switch as 2022 comes to an end, remains modchips for newer revisions of the hardware.
As far as the 3DS and the Wii U are concerned, those can be hacked fairly easily, so the benefits of the hack are limited in that context, from an end user perspective.
Nonetheless, it’s a pretty remarkable achievement to come up with an exploit that can target multiple console generations at once!
You can download the ENLBufferPwn code for Mario Kart 7 and Mario Kart 8 on the project’s github here.