CVE-2022-47949: Critical RCE flaw affects multiple Nintendo games
A proof-of-concept (PoC) exploit and technical details for a remote code execution vulnerability affecting multiple Nintendo games, patched by Nintendo during 2021 and 2022, have been published online.
Identified as CVE-2022-47949, the security issue could allow an attacker to execute code remotely on the victim's console simply by taking part in an online game session with them. The vulnerability has a score of 9.8/10 (Critical) on the CVSS 3.1 calculator.
The C++ class NetworkBuffer is present in the network library enl (Net in Mario Kart 7) used by many first-party Nintendo games. The vulnerability is caused by improper bounds checking by the NetworkBuffer class. By sending a specially-crafted UDP packet, a remote attacker could overflow a buffer and execute arbitrary code on the system. Researchers codenamed the vulnerability “ENLBufferPwn.”
“The ENLBufferPwn vulnerability exploits a buffer overflow in the C++ class NetworkBuffer present in the network library enl (Net in Mario Kart 7) used by many first-party Nintendo games. This class contains two methods, Add and Set, which fill a network buffer with data coming from other players. However, neither of those methods checks that the input data actually fits in the network buffer. Since the input data is controllable, a buffer overflow can be triggered on a remote console by just having an online game session with the attacker,” PabloMK7 wrote.
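The unchecked-copy pattern the quote describes, next to a bounded version of the same two methods, as an added illustration that is not Nintendo's enl code and not the published PoC; the class names, the 64-byte capacity and the bool return values are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed illustration of the bug class, not Nintendo's enl code.
// Both classes hold a fixed-size receive buffer filled from data sent by
// other players; only the Safe variant verifies that the input fits.
constexpr size_t kCapacity = 64;  // assumed size, not taken from the games

struct UnsafeNetworkBuffer {
    uint8_t data[kCapacity];
    size_t size = 0;
    // Vulnerable pattern: len comes from the peer and is never compared
    // against the remaining capacity, so size + len > kCapacity writes past
    // the end of data. Kept only for comparison; never called with
    // oversized input here.
    void Add(const uint8_t* src, size_t len) {
        std::memcpy(data + size, src, len);
        size += len;
    }
    void Set(size_t offset, const uint8_t* src, size_t len) {
        std::memcpy(data + offset, src, len);
        if (offset + len > size) size = offset + len;
    }
};

struct SafeNetworkBuffer {
    uint8_t data[kCapacity];
    size_t size = 0;
    // Reject the append if it does not fit. Written as len > capacity - size
    // rather than size + len > capacity so a huge len cannot wrap around.
    bool Add(const uint8_t* src, size_t len) {
        if (src == nullptr || len > kCapacity - size) return false;
        std::memcpy(data + size, src, len);
        size += len;
        return true;
    }
    // Same discipline for an offset write: offset must lie inside the buffer
    // and len must fit in what remains after it.
    bool Set(size_t offset, const uint8_t* src, size_t len) {
        if (src == nullptr || offset > kCapacity || len > kCapacity - offset)
            return false;
        std::memcpy(data + offset, src, len);
        if (offset + len > size) size = offset + len;
        return true;
    }
};
```

The fix the games shipped is not public, so the check shown is the generic remedy for this bug class: validate the peer-supplied length against remaining capacity before any copy, and do it in a way that cannot overflow the arithmetic itself.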
PabloMK7 also shared a proof-of-concept video showing how to exploit ENLBufferPwn in Mario Kart 7.
The CVE-2022-47949 vulnerability has been tested and confirmed to work on the following games:
- Mario Kart 7 (fixed in v1.2)
- Mario Kart 8
- Mario Kart 8 Deluxe (fixed in v2.1.0)
- Animal Crossing: New Horizons (fixed in v2.0.6)
- ARMS (fixed in v5.4.1)
- Splatoon
- Splatoon 2 (fixed in v5.5.1)
- Splatoon 3 (fixed in late 2022, exact version unknown)
- Super Mario Maker 2 (fixed in v3.0.2)
- Nintendo Switch Sports (fixed in late 2022, exact version unknown)
- Probably more…
Nintendo has patched the vulnerability in many of the affected games. Users are advised to update their games to the fixed versions.