[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Plumber Injection Attack in Bowser's Castle

Advisory Name: Plumber Injection Attack in Bowser's Castle
 Release Date: 2011-04-01
  Application: Bowser's Castle
     Versions: Super Mario Bros., Super Mario Bros.: The Lost Levels
   Identifier: SMB-1985-0001
     Advisory: http://blog.ksplice.com/2011/04/smb-1985-0001-advisory/

-----------------------------------------------------------------------

Vulnerability Overview
----------------------

  Multiple versions of Bowser's Castle are vulnerable to a plumber injection
  attack. An Italian plumber could exploit this bug to bypass security measures
  (walk through walls) in order to rescue Peach, to defeat Bowser, or for
  unspecified other impact.

Exploit
-------

  http://www.youtube.com/watch?v=rGshxZ1dYjA

  This vulnerability is demonstrated by
  "happylee-supermariobros,warped.fm2" [1]. Attacks using this
  exploit have been observed in the wild, and multiple other exploits
  are publicly available.

Affected Versions
-----------------

  Versions of Bowser's Castle as shipped in Super Mario Bros. [2] and Super
  Mario Bros.: The Lost Levels [3] are affected.

Solution
--------

  http://www.youtube.com/watch?v=nacFU7ozeZA

  An independently developed patch [4] is available.

  A binary hot patch [5] to apply the update to an existing version is also
  available.

  All users are advised to upgrade.

Mitigations
-----------

  For users unable to apply the recommended fix, a number of
  mitigations are possible to reduce the impact of the vulnerability.

  NOTE THAT NO MITIGATION IS BELIEVED TO BE COMPLETELY EFFECTIVE.

  Potential mitigations include:

  - Employing standard defense-in-depth strategies incorporating
    multiple layers of defense, including Goombas [6], Koopa Troopas [7],
    Bullet Bills [8], and others.
  - Installing poison mushrooms outside your castle [9].
  - Installing a firewall to limit access to affected systems. [10]
  - Frequently moving your princess between different castles [11].

Credit
------

  The vulnerability was originally discovered by Mario and Luigi, of Mario
  Bros. Security Research.

  The provided patch and this advisory were prepared by Lakitu Cloud
  Security, Inc. The hot patch was developed in collaboration with
  Ksplice, Inc. [12]

Product Overview
----------------

  Bowser's Castle is King Bowser's home and the base of operations
  for the Koopa Troop. Bowser's Castle is the final defense against
  assaults by Mario to kidnap Princess Peach, and is guarded by
  Bowser's most powerful minions. [13]

References
----------

 [1] http://tasvideos.org/1715M.html
 [2] http://en.wikipedia.org/wiki/Super_Mario_Bros.
 [3] http://en.wikipedia.org/wiki/Super_Mario_Bros.:_The_Lost_Levels
 [4] http://blog.ksplice.com/wp-content/uploads/2011/04/smb-1985-0001.patch
 [5] http://blog.ksplice.com/wp-content/uploads/2011/04/patch-smb-1985-0001.sh
 [6] http://www.mariowiki.com/Goomba
 [7] http://www.mariowiki.com/Koopa_Troopa
 [8] http://www.mariowiki.com/Bullet_Bill
 [9] http://www.mariowiki.com/Firebar
 [10] http://tvtropes.org/pmwiki/pmwiki.php/Main/YourPrincessIsInAnotherCastle
 [11] http://www.mariowiki.com/Poison_Mushrooms
 [12] http://www.ksplice.com/
 [13] http://www.mariowiki.com/Bowser%27s_Castle

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/