Re: Plumber Injection Attack in Bowser's Castle

[Dan Kaminsky <dan () doxpara com>]

Super Mario Brothers 2 is not vulnerable to this exploit, as it does not
ship with a Bowser.

It is possible to use the Plumber to inject Wart, but only during sleep(3).

On Fri, Apr 1, 2011 at 6:59 AM, Nelson Elhage <nelhage () ksplice com> wrote:

> Advisory Name: Plumber Injection Attack in Bowser's Castle
>  Release Date: 2011-04-01
>  Application: Bowser's Castle
>     Versions: Super Mario Bros., Super Mario Bros.: The Lost Levels
>   Identifier: SMB-1985-0001
>     Advisory: http://blog.ksplice.com/2011/04/smb-1985-0001-advisory/
>
> -----------------------------------------------------------------------
>
> Vulnerability Overview
> ----------------------
>
>  Multiple versions of Bowser's Castle are vulnerable to a plumber injection
>  attack. An Italian plumber could exploit this bug to bypass security
> measures
>  (walk through walls) in order to rescue Peach, to defeat Bowser, or for
>  unspecified other impact.
>
> Exploit
> -------
>
>  http://www.youtube.com/watch?v=rGshxZ1dYjA
>
>  This vulnerability is demonstrated by
>  "happylee-supermariobros,warped.fm2" [1]. Attacks using this
>  exploit have been observed in the wild, and multiple other exploits
>  are publicly available.
>
> Affected Versions
> -----------------
>
>  Versions of Bowser's Castle as shipped in Super Mario Bros. [2] and Super
>  Mario Bros.: The Lost Levels [3] are affected.
>
> Solution
> --------
>
>  http://www.youtube.com/watch?v=nacFU7ozeZA
>
>  An independently developed patch [4] is available.
>
>  A binary hot patch [5] to apply the update to an existing version is also
>  available.
>
>  All users are advised to upgrade.
>
> Mitigations
> -----------
>
>  For users unable to apply the recommended fix, a number of
>  mitigations are possible to reduce the impact of the vulnerability.
>
>  NOTE THAT NO MITIGATION IS BELIEVED TO BE COMPLETELY EFFECTIVE.
>
>  Potential mitigations include:
>
>  - Employing standard defense-in-depth strategies incorporating
>    multiple layers of defense, including Goombas [6], Koopa Troopas [7],
>    Bullet Bills [8], and others.
>  - Installing poison mushrooms outside your castle [9].
>  - Installing a firewall to limit access to affected systems. [10]
>  - Frequently moving your princess between different castles [11].
>
> Credit
> ------
>
>  The vulnerability was originally discovered by Mario and Luigi, of Mario
>  Bros. Security Research.
>
>  The provided patch and this advisory were prepared by Lakitu Cloud
>  Security, Inc. The hot patch was developed in collaboration with
>  Ksplice, Inc. [12]
>
> Product Overview
> ----------------
>
>  Bowser's Castle is King Bowser's home and the base of operations
>  for the Koopa Troop. Bowser's Castle is the final defense against
>  assaults by Mario to kidnap Princess Peach, and is guarded by
>  Bowser's most powerful minions. [13]
>
> References
> ----------
>
>  [1] http://tasvideos.org/1715M.html
>  [2] http://en.wikipedia.org/wiki/Super_Mario_Bros.
>  [3] http://en.wikipedia.org/wiki/Super_Mario_Bros.:_The_Lost_Levels
>  [4]
> http://blog.ksplice.com/wp-content/uploads/2011/04/smb-1985-0001.patch
>  [5]
> http://blog.ksplice.com/wp-content/uploads/2011/04/patch-smb-1985-0001.sh
>  [6] http://www.mariowiki.com/Goomba
>  [7] http://www.mariowiki.com/Koopa_Troopa
>  [8] http://www.mariowiki.com/Bullet_Bill
>  [9] http://www.mariowiki.com/Firebar
>  [10]
> http://tvtropes.org/pmwiki/pmwiki.php/Main/YourPrincessIsInAnotherCastle
>  [11] http://www.mariowiki.com/Poison_Mushrooms
>  [12] http://www.ksplice.com/
>  [13] http://www.mariowiki.com/Bowser%27s_Castle
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/