A security researcher, identified as @regginator, has disclosed a vulnerability in “Mario Kart 8 Deluxe” that could have allowed remote code execution through a buffer overflow in the game's LAN play functionality. This exploit, named “KartLANPwn” and registered as CVE-2024-45200, impacted all versions of the game up to v3.0.1 and was recently patched in v3.0.3.
KartLANPwn details
The vulnerability in “Mario Kart 8 Deluxe” is related to the improper use of the Pia P2P networking library, particularly within the “CopyAppData” function, which is used during both LAN and online multiplayer sessions.
When consoles join a LAN session, the host sends a “browse-reply” packet containing session information, and this packet includes a length value for the data to be copied to an output buffer. The vulnerability arises because the “outBufSize” parameter passed to the copy can exceed the actual output buffer's size, allowing a stack-based buffer overflow. If an attacker chains this overflow with an information leak, they could potentially execute user-mode remote code on peers' consoles.
This flaw, discovered on July 2nd, 2024, could be triggered specifically through the LAN Play feature of “Mario Kart 8 Deluxe” v3.0.1. A proof-of-concept (PoC) was developed, written in Python, which acts as a fake room host sending a specially crafted “browse-reply” packet that crashes the game process when other consoles on the same network access the LAN Play menu.
However, attempts to exploit the overflow for arbitrary code execution were thwarted by the Nintendo Switch’s robust security features, including address space layout randomization (ASLR) and enforced no-execute memory protections. A video demonstration and GDB screenshots confirmed the process segmentation fault caused by the exploit.
Impact on Mario Kart
“Mario Kart 8 Deluxe,” a widely popular racing game developed by Nintendo for the Switch, uses the proprietary Pia networking library to support both local (LAN/LDN) and online multiplayer sessions via the NEX protocol. The vulnerability was related to the “browse-reply” packet construction in the LAN protocol, where a length value of up to 150 bytes could be specified for application data in an output buffer only 128 bytes wide. This led to a stack-based buffer overflow, with the potential to crash the game or alter its execution under specific conditions.
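The two paragraphs above describe the bug in the abstract: a length field taken from the browse-reply packet is used to copy application data into a fixed 128-byte stack buffer, and the copy never checks that length against the destination size. The following C program is an added illustration written for this article, not code from the game, the Pia library, or the researcher's PoC. The packet layout (`struct browse_reply`), the function names, and the 0xAA fill pattern are assumptions made for the example; only the 128-byte buffer and the 150-byte maximum length come from the article. To show the overflow without corrupting the real stack, the "frame" is simulated as a flat byte array whose first 128 bytes stand in for the output buffer and whose remaining bytes stand in for whatever sits next to it, so the number of clobbered neighbour bytes can be counted safely.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants taken from the article: a 128-byte output buffer and a packet
 * length field that could claim up to 150 bytes of application data. */
#define APP_DATA_BUF_SIZE 128
#define MAX_CLAIMED_LEN   150

/* Hypothetical browse-reply layout (constructed for this example; the real
 * Pia wire format is not described on the page). */
struct browse_reply {
    uint32_t app_data_len;              /* length field supplied by the host */
    uint8_t  app_data[MAX_CLAIMED_LEN]; /* application data that follows it  */
};

/* Vulnerable pattern: trusts the packet's length field and never consults
 * the size of the destination it was handed. */
size_t copy_app_data_unchecked(const struct browse_reply *pkt,
                               uint8_t *out, size_t out_buf_size) {
    (void)out_buf_size;                 /* available, but ignored */
    memcpy(out, pkt->app_data, pkt->app_data_len);
    return pkt->app_data_len;
}

/* Hardened pattern: a length the destination cannot hold (or that exceeds
 * the packet itself) is rejected and the packet is dropped. */
int copy_app_data_checked(const struct browse_reply *pkt,
                          uint8_t *out, size_t out_buf_size) {
    if (pkt->app_data_len > out_buf_size ||
        pkt->app_data_len > sizeof pkt->app_data)
        return -1;                      /* malformed or oversized reply */
    memcpy(out, pkt->app_data, pkt->app_data_len);
    return (int)pkt->app_data_len;
}

/* Build a constructed reply claiming `len` bytes of app data, filled with 0xAA
 * so that overwritten neighbour bytes are easy to spot. */
static struct browse_reply make_reply(uint32_t len) {
    struct browse_reply pkt;
    memset(&pkt, 0, sizeof pkt);
    if (len > MAX_CLAIMED_LEN) len = MAX_CLAIMED_LEN;
    pkt.app_data_len = len;
    memset(pkt.app_data, 0xAA, len);
    return pkt;
}

/* Simulated frame: 128-byte output buffer followed by 64 "neighbour" bytes.
 * Returns how many neighbour bytes the unchecked copy overwrote (0 = no overflow).
 * The write stays inside `frame`, so the simulation itself is well defined. */
size_t unchecked_overflow_bytes(uint32_t claimed_len) {
    uint8_t frame[APP_DATA_BUF_SIZE + 64];
    memset(frame, 0, sizeof frame);
    struct browse_reply pkt = make_reply(claimed_len);
    copy_app_data_unchecked(&pkt, frame, APP_DATA_BUF_SIZE);
    size_t clobbered = 0;
    for (size_t i = APP_DATA_BUF_SIZE; i < sizeof frame; i++)
        if (frame[i] != 0) clobbered++;
    return clobbered;
}

/* Same scenario through the hardened copy: -1 means the reply was dropped,
 * otherwise the number of bytes copied into the 128-byte buffer. */
int checked_copy_result(uint32_t claimed_len) {
    uint8_t out[APP_DATA_BUF_SIZE];
    struct browse_reply pkt = make_reply(claimed_len);
    return copy_app_data_checked(&pkt, out, sizeof out);
}

int main(void) {
    printf("unchecked copy, len=100: %zu neighbour bytes clobbered\n",
           unchecked_overflow_bytes(100));
    printf("unchecked copy, len=150: %zu neighbour bytes clobbered\n",
           unchecked_overflow_bytes(150));
    printf("checked copy,   len=100: result %d\n", checked_copy_result(100));
    printf("checked copy,   len=150: result %d\n", checked_copy_result(150));
    return 0;
}
```

With a claimed length of 150 the unchecked copy spills exactly 22 bytes past the 128-byte buffer, which on a real stack would land in adjacent locals or saved registers; the hardened version refuses the same reply outright. The check compares against both the destination size and the packet's own capacity, which is the general rule for any length-prefixed field read from the network.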
Although the flaw was serious, the exploit's complexity and the constraints imposed by the Switch's user-mode security mechanisms prevented it from becoming a full-fledged RCE vulnerability. Even so, the potential for denial-of-service (DoS) attacks in LAN multiplayer sessions prompted a swift response from Nintendo.
Disclosure and patch timeline
Nintendo fixed the vulnerability on September 11th, 2024, by releasing the v3.0.3 update for “Mario Kart 8 Deluxe,” addressing the issue in all regions except China. The Chinese region received the fix on September 27th, and the vulnerability details were safely disclosed on September 29th after receiving Nintendo's permission. The National Vulnerability Database (NVD) published the CVE-2024-45200 identifier to track the flaw just yesterday.
The researcher was awarded a $512 bounty through Nintendo's HackerOne program. While this payout was lower than expected, the disclosure process was smooth, and the researcher noted the significant security improvements Nintendo has implemented over the years, highlighting the robust measures taken to secure the Switch console.
User action required
Nintendo Switch users are strongly advised to update “Mario Kart 8 Deluxe” to version 3.0.3 or later to ensure they are protected against CVE-2024-45200. Additionally, users should be cautious when joining LAN sessions on shared or untrusted networks, as malicious actors could potentially exploit any future vulnerabilities in similar ways. Regularly updating both the game and console firmware is crucial to mitigate any security risks.