Nintendo hacker PabloMK7 has released ENLBufferPwn, an exploit that includes proof-of-concept code, which demonstrates a critical vulnerability in a number of Nintendo’s own games. The exploit demo videos show that it is possible to take full control of a target’s console simply by having them join a multiplayer game.
Affected games include Mario Kart 7, Mario Kart 8, Splatoon 1, 2 and 3, Nintendo Switch Sports, and other Nintendo titles. The hacker explains that the vulnerability can be used as part of an exploit chain to execute custom code on consoles. However, Nintendo has already patched the vulnerability in most games, following disclosure through its bounty program late last year.
What is ENLBufferPwn for Nintendo Switch, Wii U and 3DS?
ENLBufferPwn is a vulnerability in the network code common to several Nintendo first-party games since the Nintendo 3DS that allows an attacker to remotely execute code on a victim’s console simply by having a game online with them (remote code execution). It was discovered by several people independently during 2021 and reported to Nintendo during 2021 and 2022. Since the initial report, Nintendo has patched the vulnerability in many vulnerable games. The information in this repository has been disclosed in a secure manner after obtaining permission from Nintendo.
The vulnerability has obtained a 9.8/10 (critical) in the CVSS 3.1 calculator.
Here’s a list of games known to have had the vulnerability at some point (all Switch and 3DS games listed have received updates that fix the vulnerability, so they are no longer affected):
- Mario Kart 7 (fixed in v1.2)
- Mario Kart 8 (not fixed yet)
- Mario Kart 8 Deluxe (fixed in v2.1.0)
- Animal Crossing: New Horizons (fixed in v2.0.6)
- ARMS (fixed in v5.4.1)
- Splatoon (not fixed yet)
- Splatoon 2 (fixed in v5.5.1)
- Splatoon 3 (fixed late 2022, exact version unknown)
- Super Mario Maker 2 (fixed in v3.0.2)
- Nintendo Switch Sports (fixed late 2022, exact version unknown)
- Probably more…
In combination with other operating system vulnerabilities, full remote console takeover can be achieved. This has been demonstrated in the case of Mario Kart 7, where a payload is sent to start SafeB9SInstaller. However, it is theoretically possible to perform other malicious activities, such as stealing account or credit card information, or taking unauthorized audio/video recordings using the console’s built-in microphone and cameras.
The hacker provided proof-of-concept videos to demonstrate the vulnerability, in Mario Kart 7 and Mario Kart 8.
ENLBufferPwn Technical Details
From the exploit’s readme:
The ENLBufferPwn vulnerability exploits a buffer overflow in the C++ class NetworkBuffer present in the network library Enl (also known as Net in Mario Kart 7) used by many of Nintendo’s own games. This class contains two methods, Add and Set, that fill a network buffer with data from other players. However, none of those methods check that the input data actually fits into the network buffer. Since input data is controllable, a buffer overflow can be triggered on a remote console simply by having an online game session with the attacker. If done correctly, the victim user may not even notice that a vulnerability has been activated on their console. The consequences of this buffer overflow vary in-game, from simple harmless modifications to game memory (e.g. repeatedly opening and closing the start menu on the 3DS) to more severe actions such as taking full control of the console.
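To make the bug class concrete, here is an added illustration that is not Nintendo’s Enl code or anything from the ENLBufferPwn repository: a hypothetical NetworkBuffer whose unchecked copy is shown next to bounds-checked Add and Set methods, plus a constructed packet stream in which one record claims more bytes than the buffer can hold. The record format, the 64-byte capacity, and all function names are assumptions chosen for the example; the point is that the only difference between the vulnerable and the hardened shape is a length check performed before the copy.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Toy model of the pattern the readme describes (illustrative code, not the
// real Enl library): a fixed-size per-player buffer filled from network
// packets via Add (append) and Set (write at an offset).
class NetworkBuffer {
public:
    static constexpr std::size_t kCapacity = 64;  // assumed size for the example

    NetworkBuffer() { std::memset(data_, 0, sizeof(data_)); }

    // VULNERABLE shape: trusts the peer-supplied length, so any len larger than
    // the free space writes past data_ into whatever follows it in memory.
    // Kept only for comparison; this file never calls it with oversized input.
    void AddUnchecked(const uint8_t* src, std::size_t len) {
        std::memcpy(data_ + size_, src, len);
        size_ += len;
    }

    // HARDENED: refuse anything that does not fit. The check subtracts rather
    // than adds so the comparison itself cannot wrap around (size_ <= kCapacity).
    bool Add(const uint8_t* src, std::size_t len) {
        if (len > kCapacity - size_) return false;
        std::memcpy(data_ + size_, src, len);
        size_ += len;
        return true;
    }

    // HARDENED Set: both the offset and offset+len must stay inside the buffer.
    bool Set(std::size_t offset, const uint8_t* src, std::size_t len) {
        if (offset > kCapacity || len > kCapacity - offset) return false;
        std::memcpy(data_ + offset, src, len);
        if (offset + len > size_) size_ = offset + len;
        return true;
    }

    std::size_t size() const { return size_; }
    uint8_t at(std::size_t i) const { return data_[i]; }

private:
    uint8_t data_[kCapacity];
    std::size_t size_ = 0;
};

// Constructed wire format for the example (not the real protocol):
//   [op:1][offset:1][len:1][payload:len]   op 0 = Add, op 1 = Set
struct ApplyResult { std::size_t applied; std::size_t rejected; };

// Applies every record and counts how many the bounds checks rejected.
ApplyResult ApplyRecords(NetworkBuffer& buf, const std::vector<uint8_t>& pkt) {
    ApplyResult r{0, 0};
    std::size_t pos = 0;
    while (pos + 3 <= pkt.size()) {
        uint8_t op = pkt[pos], off = pkt[pos + 1], len = pkt[pos + 2];
        pos += 3;
        if (len > pkt.size() - pos) { r.rejected++; break; }  // truncated record
        const uint8_t* payload = pkt.data() + pos;
        bool ok = (op == 0) ? buf.Add(payload, len) : buf.Set(off, payload, len);
        ok ? r.applied++ : r.rejected++;
        pos += len;
    }
    return r;
}

// Constructed sample: a benign 8-byte Add, a benign 2-byte Set at offset 4, and
// a hostile Set claiming 16 bytes at offset 60, which would spill 12 bytes past
// the end of data_ if the unchecked version were used.
std::vector<uint8_t> SamplePacket() {
    std::vector<uint8_t> p;
    p.insert(p.end(), {0, 0, 8});
    for (uint8_t i = 0; i < 8; ++i) p.push_back(0x10 + i);
    p.insert(p.end(), {1, 4, 2, 0xAA, 0xBB});
    p.insert(p.end(), {1, 60, 16});
    for (int i = 0; i < 16; ++i) p.push_back(0x41);
    return p;
}

ApplyResult RunSample(NetworkBuffer& buf) { return ApplyRecords(buf, SamplePacket()); }

int main() {
    NetworkBuffer buf;
    ApplyResult r = RunSample(buf);
    std::printf("applied=%zu rejected=%zu size=%zu\n", r.applied, r.rejected, buf.size());
    return 0;
}
```

Running it applies the two well-formed records and rejects the third; the same three records fed to AddUnchecked-style code would silently corrupt whatever sits after the buffer, which is exactly why the fix in the affected games amounts to adding the missing check rather than changing the protocol.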
Can I hack my Nintendo Switch with ENLBufferPwn?
Putting the 3DS and Wii U aside for a minute, I don’t think this exploit can be easily leveraged to hack the Nintendo Switch:
- It would need to be chained with other vulnerabilities in the first place to gain privilege escalation, and as far as I know there are no publicly known kernel vulnerabilities in the latest firmware (some were supposedly recently patched, however)
- But more importantly, the fact that this requires joining online games probably means that Nintendo has a number of ways around this, patching games being the obvious one, but not the only one. In other words, when the exploit was publicly revealed, it was already dead. Unlike your typical “offline” exploit where people who stayed on lower firmware could hope for a Jailbreak, online access (to Nintendo’s servers) usually means having the latest firmware installed and the latest patch for your specific game, which means a patched vulnerability.
In other words, while the vulnerability is critical and could affect other games, I personally don’t see how it could be used for a “beneficial” exploit on Nintendo Switch. The best (and only) way to hack your Switch as 2022 draws to a close remains modchips for latest hardware revisions.
As far as the 3DS and Wii U are concerned, they can be hacked quite easily, so the benefits of hacking are limited in that context, from an end-user perspective.
Nonetheless, it’s quite a remarkable achievement to come up with an exploit that can target multiple console generations at once.
You can download the ENLBufferPwn code for Mario Kart 7 and Mario Kart 8 on the project’s GitHub here.