ENLBufferPwn: Critical vulnerability discovered in 3DS, Wii U, and Switch games

Written by admin

Nintendo hacker PabloMK7 has released ENLBufferPwn, an exploit with proof-of-concept code that demonstrates a critical vulnerability in numerous Nintendo first-party games. Demo videos of the exploit show that it is possible to take full control of a target’s console simply by joining a multiplayer game.

Affected games include Mario Kart 7, Mario Kart 8, Splatoon 1, 2, and 3, Nintendo Switch Sports, and other Nintendo first-party titles. The hacker explains that the vulnerability can be used as part of an exploit chain to run custom code on consoles. However, Nintendo has patched the vulnerability in most games since it was disclosed through a bounty program late last year.

What is ENLBufferPwn for Nintendo Switch, Wii U and 3DS?

ENLBufferPwn is a vulnerability in the network code shared by several first-party Nintendo games since the Nintendo 3DS. It allows an attacker to remotely execute code on a victim’s console simply by playing with them online (remote code execution). It was independently discovered by multiple people in 2021 and reported to Nintendo in 2021 and 2022. Since the initial report, Nintendo has patched the vulnerability in many vulnerable games. The information in this repository has been safely disclosed after receiving permission from Nintendo.

The vulnerability scored 9.8/10 (Critical) in the CVSS 3.1 calculator.

Here’s a list of games known to have the vulnerability at some point (all Switch and 3DS games listed have received updates that fix the vulnerability, so they’re no longer affected):

    • Mario Kart 7 (fixed in v1.2)
    • Mario Kart 8 (not patched yet)
    • Mario Kart 8 Deluxe (fixed in v2.1.0)
    • Animal Crossing: New Horizons (fixed in v2.0.6)
    • ARMS (fixed in v5.4.1)
    • Splatoon (not patched yet)
    • Splatoon 2 (fixed in v5.5.1)
    • Splatoon 3 (fixed in late 2022, exact version unknown)
    • Super Mario Maker 2 (fixed in v3.0.2)
    • Nintendo Switch Sports (fixed in late 2022, exact version unknown)
    • Probably more…

PabloMK7 adds:

In combination with other OS vulnerabilities, a complete remote console takeover can be achieved. This was demonstrated in Mario Kart 7, where a payload was sent to launch SafeB9SInstaller. However, it is theoretically possible to do other malicious activities, e.g. account/credit card information theft or making unauthorized audio/video recordings using the console's built-in microphones/cameras.

The hacker has released proof of concept videos to demonstrate the vulnerability in Mario Kart 7 and Mario Kart 8.

Technical Details of ENLBufferPwn

From the exploit’s README:

The ENLBufferPwn vulnerability exploits a buffer overflow in the C++ class NetworkBuffer, found in the network library enl (Net in Mario Kart 7) used by many first-party Nintendo games. This class contains two methods, Add and Set, which fill the network buffer with data from other players. However, neither of these methods checks whether the input data actually fits into the network buffer. Because the input data can be manipulated, simply having an online game session with an attacker can cause a buffer overflow on the remote console. If done correctly, the victim user may not even notice that a vulnerability has been triggered on their console. The consequences of this buffer overflow vary by game, ranging from simple harmless modifications to the game’s memory (like repeatedly opening and closing the main menu on the 3DS) to more serious actions such as taking full control of the console.

The exploit can be used to disrupt other players in online games, such as remotely pressing a controller’s home button in the middle of a game.
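The missing check described above, as an added example (not code from the enl library, PabloMK7's repository, or the original article): a simplified C++ model of a fixed-size network buffer, showing the unchecked copy next to bounds-checked `Set` and `Add`. The class name, the 64-byte capacity and the field layout are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed model for illustration; names, capacity and layout are
// assumptions, not the enl library's actual code.
class ToyNetworkBuffer {
public:
    static constexpr std::size_t kCapacity = 64;  // assumed fixed capacity
    // The pattern the README describes: a length taken from remote data is
    // never compared with the capacity. Shown for contrast; not called below.
    void SetUnchecked(const std::uint8_t* src, std::size_t len) {
        std::memcpy(data_, src, len);  // writes past data_ when len > kCapacity
        used_ = len;
    }
    // Hardened Set: reject input that does not fit, leave state untouched.
    bool Set(const std::uint8_t* src, std::size_t len) {
        if (src == nullptr || len > kCapacity) return false;
        std::memcpy(data_, src, len);
        used_ = len;
        return true;
    }
    // Hardened Add: compare with the remaining space. The subtraction form
    // avoids the integer wrap-around that "used_ + len > kCapacity" allows.
    bool Add(const std::uint8_t* src, std::size_t len) {
        if (src == nullptr || len > kCapacity - used_) return false;
        std::memcpy(data_ + used_, src, len);
        used_ += len;
        return true;
    }
    std::size_t size() const { return used_; }
private:
    std::uint8_t data_[kCapacity] = {};
    std::size_t used_ = 0;
};

// Feeds a constructed oversized "remote" packet to the hardened methods and
// returns how many bytes the buffer ended up holding.
std::size_t demo_oversized_packet() {
    static const std::uint8_t packet[200] = {0x41};  // constructed sample input
    ToyNetworkBuffer buf;
    buf.Set(packet, 48);   // fits: accepted
    buf.Add(packet, 200);  // 200 > 64 - 48: rejected
    buf.Add(packet, 16);   // exactly fills the buffer: accepted
    buf.Add(packet, 1);    // buffer full: rejected
    return buf.size();
}

int main() { return demo_oversized_packet() == 64 ? 0 : 1; }
```

Rejecting the whole packet, rather than truncating it, keeps the receiver's state consistent and gives the game a clear signal it can log or use to drop the offending peer.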

Can I jailbreak Nintendo Switch with ENLBufferPwn?

Leaving the 3DS and Wii U aside for a minute, I don’t think this exploit can easily be used to hack the Nintendo Switch:

  • First of all, elevation of privilege requires chaining with other vulnerabilities, and as far as I know, there are no publicly known kernel exploits in the latest firmware (there were some, though they are claimed to have been patched recently).
  • But more importantly, because it requires connecting to online games, Nintendo probably has many ways to prevent this; patching their games is one, but not the only one. In other words, the exploit was already dead by the time it was made public. Unlike your typical “offline” exploit where people stuck on low firmware could hope for a jailbreak, online access (to Nintendo’s servers) usually means you have the latest firmware and the latest patch for your particular game installed, meaning a patched vulnerability.

In other words, while the vulnerability is critical and may affect other games, I personally don’t see how this could be used for a “useful” exploit on the Nintendo Switch. As 2022 comes to a close, the best (and only) way to hack the Switch remains modchips for newer versions of the hardware.

As for the 3DS and Wii U, they can be hacked fairly easily, so the benefits of the hack are limited in this context from an end-user perspective.

Nevertheless, an exploit that can target multiple console generations at the same time is quite a remarkable achievement!

Download ENLBufferPwn

You can download the ENLBufferPwn code for Mario Kart 7 and Mario Kart 8 here on the project’s GitHub.

Source: PabloMK7
