ENLBufferPwn: Critical vulnerability exposed in 3DS, Wii U and Switch games
Nintendo hacker PabloMK7 has released ENBufferPwn, an exploit including proof of concept code, which demonstrates a critical vulnerability in several Nintendo first-party games. Demo videos of the exploit show that it is possible to take full control of a target’s console, simply by allowing them to join a multiplayer game.
Affected games include Mario Kart 7, Mario Kart 8, Splatoon 1, 2, 3, Nintendo Switch Sports, and other Nintendo first-party titles. The hacker explains that the vulnerability can be used as part of an exploit chain to run custom code on the consoles. However, Nintendo has patched the vulnerability in most games already, after disclosure through their bounty program late last year.
What is ENLBufferPwn for Nintendo Switch, Wii U and 3DS?
ENBufferPwn is a vulnerability in the common network code of several first-party Nintendo games since the Nintendo 3DS that allows an attacker to execute code remotely in the victim’s console by simply having an online game with them (remote code execution). It was discovered by several people independently during 2021 and reported to Nintendo during 2021 and 2022. Since the first report, Nintendo has patched the vulnerability in many vulnerable games. The information in this repository is safely disclosed after obtaining permission from Nintendo.
The vulnerability has been rated 9.8/10 (Critical) in the CVSS 3.1 calculator.
Here’s a list of games known to have had the vulnerability at some point (all the Switch and 3DS games listed have received updates that fix the vulnerability, so they’re no longer affected):
- Mario Kart 7 (fixed in v1.2)
- Mario Kart 8 (still not fixed)
- Mario Kart 8 Deluxe (fixed in v2.1.0)
- Animal Crossing: New Horizons (fixed in v2.0.6)
- ARMS (fixed in v5.4.1)
- Splatoon (still not fixed)
- Splatoon 2 (fixed in v5.5.1)
- Splatoon 3 (fixed in late 2022, exact version unknown)
- Super Mario Maker 2 (fixed in v3.0.2)
- Nintendo Switch Sports (fixed in late 2022, exact version unknown)
- Probably more…
Combined with other OS vulnerabilities, full remote console takeover can be achieved. This has been demonstrated in the case of Mario Kart 7, where a payload is sent to launch SafeB9SInstaller. However, it is theoretically possible to do other malicious activities, such as steal account/credit card information or take unauthorized audio/video recordings using the console’s built-in microphone/cameras.
The hacker provided proof of concept videos to showcase the vulnerability, in Mario Kart 7 and Mario Kart 8
Technical details for ENLBufferPwn
From the exploit’s readme:
The ENBufferPwn vulnerability exploits a buffer overflow in the C++ class
NetworkBuffer can be found in the network library
Net in Mario Kart 7) used by many first-party Nintendo games. This class contains two methods
Set which fills a network buffer with data coming from other players. However, none of these methods check that the input actually fits in the network buffer. Since the input data is controllable, a buffer overflow can be triggered on a remote console simply by having an online game session with the attacker. If done correctly, the victim user may not even notice that a vulnerability was triggered in their console. The consequences of this buffer overflow vary on the game, from simple inoffensive modifications to the game’s memory (such as repeatedly opening and closing the home menu on the 3DS) to more severe actions such as taking full control of the console
Can I hack my Nintendo Switch with ENLBufferPwn?
Putting the 3DS and Wii U aside for a minute, I don’t think this exploit can easily be exploited to hack the Nintendo Switch:
- First of all, it would require being chained with other vulnerabilities to gain privilege escalation, and as far as I know there are no publicly known core exploits in the latest firmware (some were reportedly updated recently, though)
- But more importantly, the fact that this requires joining online games probably means that Nintendo has several ways to prevent this, and the games are the obvious one, but not the only one. In other words, by the time the exploit was made public, it was already dead. Unlike your typical “offline” exploit where people staying on a lower firmware could hope for a Jailbreak, online access (to Nintendo’s servers) usually means having the latest firmware and update for your specific game installed, which means a patched vulnerability.
In other words, while the vulnerability is critical and could affect other games, I personally don’t see how this could be used for a “beneficial” exploit on the Nintendo Switch. The best (and only) way to hack the Switch as 2022 draws to a close remains modchips for newer revisions of the hardware.
As for the 3DS and Wii U, they can be hacked fairly easily, so the benefits of the hack are limited in that regard, from an end-user perspective.
Nevertheless, coming up with an exploit that can target multiple console generations at the same time is quite a remarkable achievement!
You can download the ENNLBufferPwn code for Mario Kart 7 and Mario Kart 8 on the project’s github here.