Information and PoC about the ENLBufferPwn vulnerability

We discussed this vulnerability during Episode 182 on 24 January 2023

Straightforward issue, but kinda fun as it impacts the network code in several first-party Nintendo games across multiple consoles (3DS, Wii U, Switch). The NetworkBuffer in the network library has two methods, Add and Set, which are used to fill the backing buffer with data from the network. Neither method checks that the data actually fits within the buffer, allowing an overflow with attacker-controlled data.
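As an added illustration (not code from the write-up or from the library itself), this C sketch puts the unchecked Add pattern next to bounds-checked versions of Add and Set, and a small record handler that refuses a peer-supplied length that would not fit. NetworkBuffer, Add, Set and dataPtr come from the write-up; the capacity and length fields, the 32-byte buffer size and the length-prefixed framing are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sketch of the NetworkBuffer pattern. Only the type name, the Add/Set
 * operations and dataPtr come from the write-up; the other field names,
 * sizes and the record framing below are assumptions for illustration. */
typedef struct {
    uint8_t *dataPtr;   /* backing storage this buffer writes into */
    size_t   capacity;  /* bytes available at dataPtr (assumed field) */
    size_t   length;    /* bytes currently held (assumed field) */
} NetworkBuffer;

/* Bug class as described: no check that the data fits, so length + n may
 * run past capacity into whatever follows. Shown for contrast; not called. */
void nb_add_unchecked(NetworkBuffer *nb, const uint8_t *src, size_t n) {
    memcpy(nb->dataPtr + nb->length, src, n);
    nb->length += n;
}

/* Hardened Add: refuse anything that does not fit. The check is written so
 * that length + n cannot wrap around. Returns 0 on success, -1 if refused. */
int nb_add(NetworkBuffer *nb, const uint8_t *src, size_t n) {
    if (n > nb->capacity || nb->length > nb->capacity - n) return -1;
    memcpy(nb->dataPtr + nb->length, src, n);
    nb->length += n;
    return 0;
}

/* Hardened Set: same idea for a write at a peer-supplied offset. */
int nb_set(NetworkBuffer *nb, size_t offset, const uint8_t *src, size_t n) {
    if (offset > nb->capacity || n > nb->capacity - offset) return -1;
    memcpy(nb->dataPtr + offset, src, n);
    if (offset + n > nb->length) nb->length = offset + n;
    return 0;
}

/* Apply one length-prefixed record (2-byte big-endian length, then payload;
 * constructed framing) from a peer message into a 32-byte buffer.
 * Returns the bytes held afterwards, or -1 when the record was refused. */
long apply_record(const uint8_t *msg, size_t msg_len) {
    uint8_t storage[32];
    NetworkBuffer nb = { storage, sizeof storage, 0 };
    if (msg_len < 2) return -1;
    size_t n = ((size_t)msg[0] << 8) | msg[1];    /* peer-controlled length */
    if (n > msg_len - 2) return -1;               /* claims more than was sent */
    if (nb_add(&nb, msg + 2, n) != 0) return -1;  /* would overflow storage */
    return (long)nb.length;
}
```

The two length checks are distinct: the first catches a record that claims more bytes than the message carries, the second catches one that would not fit the buffer even though it was fully received.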

Exploitation on devices with ASLR should be possible by corrupting the NetworkBuffer used to send data back to the attacker; however, the author focused on Mario Kart 7 (3DS) and Mario Kart 8 (Wii U), neither of which has ASLR. Without ASLR the exploitation was reasonably straightforward.

They found that the allocations made around receiving Mii data would result in the buffer headers and data being placed in contiguous memory, so the overflow from the first buffer could corrupt the header of the second buffer. This gave control over the dataPtr, which is where the second buffer writes its data, providing an arbitrary write primitive.

This primitive could be used to store a ROP payload and then target the stack to trigger the ROP chain.