ENLBufferPwn (CVE-2022-47949) is a vulnerability in the network code used in many first party Nintendo games since the 3DS. Combined with the right techniques, it allows remote code execution in the victim's console by just having an online game session with the attacker. The vulnerability was discovered by multiple people independently during 2021 and reported to Nintendo during 2021/2022. The severity of the vulnerability has been calculated as 9.8/10 (Critical) by the CVSS 3.1 calculator.

Combined with other OS vulnerabilities, full remote console takeover can be achieved. This has been demonstrated in the case of Mario Kart 7, where a payload is sent to launch SafeB9SInstaller. However, it is theoretically possible to do other malicious activities, such as stealing account/credit card information or taking unauthorized audio/video recordings using the console built-in mic/cameras.

Here is a list of games that are known to have had the vulnerability at some point (all the Switch and 3DS games listed have received updates that patch the vulnerability, so they are no longer affected):

• Mario Kart 7 (fixed in v1.2)
• Mario Kart 8 (still not fixed)
• Mario Kart 8 Deluxe (fixed in v2.1.0)
• Animal Crossing: New Horizons (fixed in v2.0.6)
• ARMS (fixed in v5.4.1)
• Splatoon (still not fixed)
• Splatoon 2 (fixed in v5.5.1)
• Splatoon 3 (fixed in late 2022, exact version unknown)
• Super Mario Maker 2 (fixed in v3.0.2)
• Nintendo Switch Sports (fixed in late 2022, exact version unknown)
• Probably more...

Below you can find proof of concept videos showcasing the vulnerability in Mario Kart 7 and Mario Kart 8.





A full report of the vulnerability can be found in the following GitHub repository.
Full vulnerability report (GitHub)

 

[Halbour]

I wonder how far up the line it can go on the Switch.

Mmmmm I think it will be kinda fun to mess with it... I want a hacked switch

Post automatically merged: Dec 24, 2022

All i know is that both Sony and Microsoft got their servers hacked a couple or times (especially in the PS3/X360 era

The PS3 is very vulnerable...

 

[slaphappygamer]

I’m glad that my switch is banned now.

 

[SylverReZ]

There was the Sony 2011 hack. Their PSN internet was down for almost a whole month, 23 days. I remember that.

 

[DKB]

Ah, shit.

 

[RichardTheKing]

I wonder if Nintendo's gonna bother releasing updates for games on consoles they're close to killing off for good, what with the eShop closure early next year...

 

[Dimensional]

So sounds like they need to release an update to their SDK too.

 

[Osakasan]

I wonder if Nintendo's gonna bother releasing updates for games on consoles they're close to killing off for good, what with the eShop closure early next year...

Dude, we just had a patch for MK7 last week fixing this very same exploit

 

[chrisrlink]

well at least they were wise and gave us infamous 1 for free after they restored psn and to think this all practicly started over the 3.55 hack/geohotz fiasco plus sony was an idiot company who stored user/pass hell even CC #'s in plain text

 

[J-Lin]

For, hmm.... research purposes, could someone tell me how one could use this on Mario Kart 8?

 

[linuxares]

For, hmm.... research purposes, could someone tell me how one could use this on Mario Kart 8?

Sure, here!

https://github.com/PabloMK7/ENLBufferPwn

 

[CloudStrife190100]

Your telling me it's possible people were watching me playing Mario Kart 7 naked through the 0.2 megapixel inner cameras?

I've always wondered how my 1 incher got leaked

 

[pustal]

those don't exist in some countries, like canada

Revolut doesn't service there?

 

[M7L7NK7]

Mmmmm I think it will be kinda fun to mess with it... I want a hacked switch

Without other exploits it's pretty useless

 

[toolazytosearchitmyself]

Mmmmm I think it will be kinda fun to mess with it... I want a hacked switch

I got my hopes up too then re-read the first post.

Combined with other OS vulnerabilities

Which as far as I know, there are none on the Switch.

 

[Latiodile]

Revolut doesn't service there?

nope, neither does privacy, or paypal debit

 

[pustal]

nope, neither does privacy, or paypal debit

Is this a legal issue?

 

[Latiodile]

Is this a legal issue?

no clue, all i know is that it pisses me off and prevents me from using sites like amazon because i don't have a credit card and canadian amazon doesn't support paypal in any way
and debit isn't an option either, long story

 

[susbaconhairman]

Don’t store payment details on your console, use 2FA - always been my policy. Recommend that others do the same.

i cant lmao, they shut down the ability to add credit cards

 

[rvtr]

So sounds like they need to release an update to their SDK too.

I was gonna say "why would they update the SDK for a console they pulled the plug on", but they sent out updated dev unit firmware this summer. Very odd.

 

[CommanderCool]

so the only games i should avoid right now are a really terribly designed third person shooter and an outdated mario kart...on the wii u. got it.