Update [Fri 3rd Mar, 2023 15:30 GMT]: Nintendo has announced that it has begun temporary emergency maintenance on Splatoon and Mario Kart 8 for the Wii U.
While unconfirmed, it's heavily speculated that the maintenance - which at the time of writing has no time frame attached to it - is linked to the 'ENLBufferPwn' exploit detailed in the article below.
As a quick reminder, the exploit effectively allows attackers to gain control of target Wii U and 3DS consoles by simply connecting to players online.
Hopefully the maintenance will prevent the exploit from being used in the future; however, it's currently unknown when exactly the online services for Splatoon and Mario Kart 8 will be back up and running.
Original Article [Wed 28th Dec, 2022 11:15 GMT]:
A severe vulnerability affecting several Nintendo consoles was found recently, with the potential to allow unauthorised access to Switch, 3DS, and Wii U via a host of online games. It's reported that for some time Nintendo has been working to patch games to eliminate the exploit known as 'ENLBufferPwn', with several updates already live to address the situation (thanks, Nintendo Everything).
The vulnerability, which has been categorised as 'Critical' on the Common Vulnerability Scoring System (CVSS) and detailed in full on GitHub by PabloMK7, Rambo6Glaz, and Fishguy6564, reportedly lets an attacker take complete remote control of a victim's device simply by playing an online game with them. This means that attackers may gain access to sensitive information or take audio and video recordings by remotely executing code.
The vulnerability was reported to Nintendo in "2021/2022" by @Pablomf6 — who says they received a $1000 "bounty" via Nintendo's HackerOne program — and it is now understood that the company has taken action to fix the issue in some of the affected games, including Mario Kart 7, which was recently updated after more than a decade.
It seems most high-profile Switch titles have already been fixed, but it looks like Mario Kart 8 and Splatoon on Wii U have yet to be addressed and may still be affected by the vulnerability.
Here's a list of affected titles, as per the GitHub page:
- Mario Kart 7 (fixed in v1.2)
- Mario Kart 8
- Mario Kart 8 Deluxe (fixed in v2.1.0)
- Animal Crossing: New Horizons (fixed in v2.0.6)
- ARMS (fixed in v5.4.1)
- Splatoon 2 (fixed in v5.5.1)
- Splatoon 3 (fixed in late 2022, exact version unknown)
- Super Mario Maker 2 (fixed in v3.0.2)
- Nintendo Switch Sports (fixed in late 2022, exact version unknown)
It's speculated that other games may also be affected by the vulnerability, although that's unconfirmed at present.
For a look at the exploit in action, take a peek at the below video from PabloMK7 which demonstrates an attacker (left console) remotely taking over an unmodified 3DS (right side) by copying a return-oriented programming (ROP) payload and executing it remotely. The victim console is then forced to run a custom firmware installer and it's thought that the same technique would allow an attacker to steal sensitive information from a remote console. Thankfully, this has now been fixed and can no longer be carried out if you're running the latest version of the software, so be sure to update if you haven't!
Nintendo's relatively limited approach to online play seems to have its advantages when it comes to security issues like this, as pointed out by @LuigiBlood discussing the exploit:
Those two games mentioned are Mario Kart 8 and Splatoon, so if you still play either of those titles online on your Wii U, we recommend exercising extreme caution or avoiding them altogether until more information is available. We'll update this article if further details come to light.
What do you make of this? Share your thoughts in the comments below.
[source github.com, via nintendoeverything.com]
Get em patched I say.. more security is always welcomed.
Can you use this to take control of your own hardware?
Tom Nook tried to take over the kart industry by introducing the squid slime based fuel. Good thing Nintendo nipped that in the bud.
Weird it's only first party Nintendough titles lol. Quality work guys.
NL covered something a little more objectively than My Nintendo News, for once. They just put on their list "probably more!" at the bottom and left it at that. But they're not exactly known for being subtle...
@theModestMouse Why would Nintendo patch vulnerabilities in somebody else’s game?
Awesome. I was hoping for a way to soft mod my patched Switch. If this turns into a viable way of installing CFW, then I'm all for it. Once again, not condoning piracy at all, but if there's a way to dump the games you've paid for and own to a PC for personal use in an emulator, then yes please. I don't play online Switch games so, I'm happy not to update.
@theModestMouse How do you wanna know that?
Wait so this has been a thing for A DECADE? That’s terrifying
Anyone else remember when the 3DS launched and Nintendo thought it was a good idea to have users share system updates through StreetPass? (luckily, I don't think they ever actually USED that, but I do remember it was an announced use of StreetPass)
@Munchlax From the article - The vulnerability was reported to Nintendo in "2021/2022" by @Pablomf6
@BabyYoda71 The NDF would have you think otherwise, since they don't care.
Finally, a stability update with purpose.
@SonOfDracula I’m sorry, but I don’t understand the point you are trying to make.
It's a good thing somebody told Nintendo about it and got a good payment out of it too. Though I don't play multiplayer online games on my Super NES, GBA, Nintendo DS, 3DS, GameCube, Wii, and Wii U anymore I'm glad someone found an exploit that needs to be rid of.
@Luigi05 That made me laugh a lot
@Serpenterror Since when did SNES or GBA games have online? 🤣
I was responding to ModestMouse, who was questioning why the list only includes 1st party titles. I was saying why wouldn’t there only be 1st party titles, why would Nintendo release a patch for a game by another developer. I do not see how the time period in which the vulnerabilities were reported is relevant to my point.
Thank you for the stability.
Oh, that explains the ARMS update out of nowhere.
@Munchlax It was reported TO Nintendo lmfao, that’s the key point you’re missing 😂
@SonOfDracula I know? What was wrong with my original point?
@TowaHerschel7 They do have online play, just not in the USA. I play GBA games like Mario Kart: Super Circuit online in Japan against my fellow follower via a Japanese server. Though it acts like an alternative to link play, it does require an internet server similar to Kaillera to be able to do it. Super NES games like Doom, Mortal Kombat II, WeaponLord, and Super Street Fighter II had online play via a service called XBand. It's only available for a short time, only in North America, and only for the Super NES and Sega Genesis.
@Munchlax I think he (Son of Drac) just wants to argue and didn’t read the comments well enough to understand what your original comment was about 🙂
@Serpenterror finding such errors is hard work, which might take weeks or months of research and trial & error. 1.000 $ is not a good payment. Considering how critical this issue is, other big companies would have paid probably 10.000 $
But it is good: If Nintendo does not pay well, the next easy to use security issue (with less critical impact for users) might be used for homebrew.
@Munchlax here's an entire list of 3DS hacks that Nintendo patched on their firmware end. They didn't patch the games themselves, just the routes they took to access the sysdata. https://wiki.gbatemp.net/wiki/List_of_3DS_exploits. They even patched browserhax as recently as 2020
@coconut-gun My bad. The OP I was replying to edited his initial reply so that he doesn’t sound like he didn’t read the article anymore.
@Munchlax You edited it so it’s moot now. Glad I could help you come to terms with it!
Is it because I originally said that they “announced” they were patching it, and edited it because the patch notes just say “fixed issues” rather than explicitly listing it? If so 1) that’s a minor nitpick, 2) how does your quote change anything about what I said?
Whilst I did edit my post due to your response, it wasn’t to “hide” anything, I was just trying to clear up the phrasing, because it seemed to me that you didn’t understand my point.
@Gitface I’ve been here a while it feels like all he wants to do is start pointless arguments
Amazed at what hackers can do and thanks for actually including an example video!
@Munchlax More like they couldn't patch a vulnerability in someone else's game.
if only they didn't patch this
then I could homebrew my switch
but security is better
Wait, they haven't done anything about this until now? The original article was in December
Still, it’s nice to know Nintendo is taking action, whether it’s in their self interest or not. People still play these games online, and making an effort to fix these servers for an older generation is great on Nintendo’s part!
that's a bit philosophical for me right now.
So what exactly can people gain by accessing our consoles from a distance?
Credit card information maybe but if your system is turned on you'll likely see what's going on and you can take action right?
I'm not sure how that would work. Seems like a weird thing to take advantage of beyond just troll actions.
Ahh it's always stupidity like this that ruins the fun. I've been wanting to go back to Splatoon 1 but I'll now have to wait until Nintendo fixes it. I don't think it will take too long though. Respect to Nintendo for making the effort, I hope this is a sign that the Wii U & 3ds online stays around for a while.
For those wondering, I still play Splatoon 1 online now and again. Good game, Inkstrike using the gamepad feels amazing, and it's always easy to get a match. Think the last time I was on about a month ago. And yes, I have Splatoon 2 (which I still play sometimes) and Splatoon 3 (which is the version I play the most).
The homebrew crew ruining another console, just a repeat of the DS.
No wonder they are shutting the shops
@Yosher Depends. Say they gain control of your console and you decide to go AFK, they could start to delete things, run malicious software and brick your system, make a bunch of expensive purchases on the eShop...stuff like that. It’s not something you may even become immediately aware of if they use tools to run things in the background. It’s not like they are going to take control of your console and then run your Mario off a cliff and lul. I highly recommend you do a couple of quick google searches about what is possible during a remote control exploit, and learn how to prevent something like that from happening. Imagine if you don’t understand it while using a PC; the results could be devastating.
@dew12333 They shut down shops because it’s no longer in their interest to spend money on their continued maintenance.
I'm a little worried this might be permanent. Mario Maker was already taken offline for seemingly no reason. That’s not to mention a very similar issue with the Dark Souls PC versions.
@Deemo37 My thoughts exactly, this could be permanent in my view unfortunately... 🤔
We were so obsessed with stability we lost track of security.
This is fair, I don't care about online but if someone is able to control or access your personal information or hardware while online in a fair match that doesn't sound pleasant at all
@AmazonianBeauty don't put it all out to see on public sites, you wonder why any "opportunities" goes to waste, of course I hate the people who use these situations for obvious nefarious intention and that is not going to stop but with the advantage of legacy consoles being able to personalise your console the way you see fit should not be in the same discussion in something like this it is and it's a frustration
@SonOfDracula yep the cost in maintaining security for something that’s not profitable enough, that’s business.
@dew12333 Exactly, which means it has nothing to do with anything that homebrew folks are doing.
@SonOfDracula I must disagree, the DS was dead the minute you could buy a memory card with 150 games on it for a couple of quid. The shutting down of the shop is the beginning of the end, too much money is required to pour into old hardware in order to stop the home brew crew making it the same for those consoles. So they're giving up on it and moving on.
@Yosher they can brick your system. It's the dark satisfaction of wrecking someone's out of production console, who either really likes it if they're still using it or they're someone who doesn't have the means to get a newer console.