Front-page Updated

ENLBufferPwn: Severe vulnerability in first party 3DS, Wii U and Switch games

enlbufferpwn_logo.png

ENLBufferPwn (CVE-2022-47949) is a vulnerability in the network code used in many first party Nintendo games since the 3DS. Combined with the right techniques, it allows remote code execution in the victim's console by just having an online game session with the attacker. The vulnerability was discovered by multiple people independently during 2021 and reported to Nintendo during 2021/2022. The severity of the vulnerability has been calculated as 9.8/10 (Critical) by the CVSS 3.1 calculator.

Combined with other OS vulnerabilities, full remote console takeover can be achieved. This has been demonstrated in the case of Mario Kart 7, where a payload is sent to launch SafeB9SInstaller. However, it is theoretically possible to do other malicious activities, such as stealing account/credit card information or taking unauthorized audio/video recordings using the console built-in mic/cameras.

Here is a list of games that are known to have had the vulnerability at some point (all the Switch and 3DS games listed have received updates that patch the vulnerability, so they are no longer affected):
  • Mario Kart 7 (fixed in v1.2)
  • Mario Kart 8 (still not fixed)
  • Mario Kart 8 Deluxe (fixed in v2.1.0)
  • Animal Crossing: New Horizons (fixed in v2.0.6)
  • ARMS (fixed in v5.4.1)
  • Splatoon (still not fixed)
  • Splatoon 2 (fixed in v5.5.1)
  • Splatoon 3 (fixed in late 2022, exact version unknown)
  • Super Mario Maker 2 (fixed in v3.0.2)
  • Nintendo Switch Sports (fixed in late 2022, exact version unknown)
  • Probably more...
Below you can find proof of concept videos showcasing the vulnerability in Mario Kart 7 and Mario Kart 8.





A full report of the vulnerability can be found in the following GitHub repository.
:arrow: Full vulnerability report (GitHub)
 
Last edited by PabloMK7,
  • Like
  • Wow
  • Haha
Reactions: Deleted member 546149, Deleted member 610824, Deleted member 585853 and 47 others
Click to expand...
K

kb7cxWMSrPwL

Member
Newcomer
Level 10
Joined
Dec 3, 2016
Messages
24
Trophies
0
XP
2,031
Country
New Zealand
Could you imagine a self replicating worm that pollutes legit users with false install and error logs on the switch?
Potentially 10s of millions of users would risk false bans to the point Nintendo would probably have to stop banning even hacked consoles due to sheer volume of complaints
 
  • Like
Reactions: impeeza and Halbour
Guacaholey

Guacaholey

Well-Known Member
Member
Level 7
Joined
Nov 7, 2021
Messages
469
Trophies
0
Age
27
XP
1,222
Country
United States
DarkCoffe64 said:
Lmao, not only is their online services complete ass, now this too! Has this crap like ever happened on them Sony consoles or Microsoft? Genuinely asking because I'm not sure, heh.
At least it seems they've been stepping up their game to fix this shit, but damn, just... Craptendo and anything regarding the internet are basically opposites of each other, heh.
Click to expand...
Those companies have had servers hacked, and Steam had a huge exploit a few years back where hackers could use other user's saved credit cards for purchases.
 
  • Like
Reactions: impeeza, Halbour and DarkCoffe64
N7Kopper

N7Kopper

Lest we forget... what Nazi stood for.
Member
Level 8
Joined
Aug 24, 2014
Messages
975
Trophies
0
Age
30
XP
1,296
Country
United Kingdom
Guacaholey said:
Gateway 3DS already did that.
Click to expand...
That was local, not remote. You installed Gateway's shitty hacks and used their shitty card firmwares. Remote would be me bricking your 3DS from halfway around the world because you had the misfortune to be matchmade with me.
 
W

wolf-snake

Well-Known Member
Member
Level 12
Joined
Feb 5, 2009
Messages
1,556
Trophies
2
XP
3,012
Country
Mexico
DarkCoffe64 said:
Lmao, not only is their online services complete ass, now this too! Has this crap like ever happened on them Sony consoles or Microsoft? Genuinely asking because I'm not sure, heh.
At least it seems they've been stepping up their game to fix this shit, but damn, just... Craptendo and anything regarding the internet are basically opposites of each other, heh.
Click to expand...
This is how you can tell someone's like 11... Or lives under a rock on the seafloor of the Mariana Trench.
 
  • Haha
Reactions: impeeza
S

Sowden

Well-Known Member
Member
Level 7
Joined
Sep 21, 2021
Messages
245
Trophies
0
Age
57
XP
975
Country
United States
Well its a black eye for Nintendo to be ignoring us Wii U users, but I'm thankful to the kind people at Pretendo for creating a Aroma plugin to help protect us. But I'm wondering, has anyone tried testing the first Super Mario Maker, or maybe Dr Luigi on the Wii U? Or does anyone here have the capability to test?
 
  • Like
Reactions: impeeza
Ducolamia

Ducolamia

Active Member
Newcomer
Level 2
Joined
Jan 5, 2023
Messages
38
Trophies
0
Age
25
XP
147
Country
United States
Would be nice if this would be a breakthrough for CFW. I really want to soft-mod my OLED, but time will tell.

That being said, don't store credit card info on game systems ever. Lol
 
xoxo25

xoxo25

Member
Newcomer
Level 1
Joined
Feb 1, 2023
Messages
7
Trophies
0
Age
26
XP
25
Country
France
i try the sendfile.py i dont understand this error :
Opening Gambit.rtx
2023-02-05 21:51:59 : /!\ An error occured. /!\
2023-02-05 21:51:59 : Moving to: ftp://storage_mlc/usr/title/0005000e/code
2023-02-05 21:51:59 : Couldn't retrieve file list
2023-02-05 21:51:59 : Sending file
2023-02-05 21:51:59 : /!\ An error occured. /!\
 
PabloMK7

PabloMK7

Red Yoshi! ^ω^
OP
Developer
Level 15
Joined
Feb 21, 2014
Messages
2,604
Trophies
2
Age
24
Location
Yoshi's Island
XP
5,032
Country
Spain
xoxo25 said:
i try the sendfile.py i dont understand this error :
Opening Gambit.rtx
2023-02-05 21:51:59 : /!\ An error occured. /!\
2023-02-05 21:51:59 : Moving to: ftp://storage_mlc/usr/title/0005000e/code
2023-02-05 21:51:59 : Couldn't retrieve file list
2023-02-05 21:51:59 : Sending file
2023-02-05 21:51:59 : /!\ An error occured. /!\
Click to expand...
`sendfile.py` is a python script for sending files to the 3ds SD. In this case, it is used to help testing the 3GX plugin during its development. It's not related to the exploit in any way. x)
 
  • Like
Reactions: impeeza

Site & Scene News

Go to forum More news

Popular threads in this forum

Hacking Gaming Homebrew Homebrew app  SUYU Discord get deleted

Disney's New X-Files Reboot Already Has A Mulder & Scully Return Problem

Hero Shooter GUNDAM EVOLUTION revived in private server project following End of Service

Mig switch flashcard clones are coming

"Apple has lifted its restriction on retro game emulators on the iOS App Store"

Gaming  Nintendo Switch 2 OFFICIAL IMAGES LEAKED Mod edit: Confirmed FAKE!

Nintendo themed items taken down from Steam Workshop (Garry’s Mod)

Backdoor in `xz` found, affects ssh (linux remote desktop connections)

General chit-chat
Help Users
  • No one is chatting at the moment.
    AncientBoi @ AncientBoi: [goes back to 🛌 ] zzzzzzzzzzzzzz +1