Re: Plumber Injection Attack in Bowser's Castle

["Zach C." <fxchip () gmail com>]

Lakitu Cloud Security, Inc. Heh. That is an awesome company name actually.

On Apr 1, 2011 8:46 AM, "Nelson Elhage" <nelhage () ksplice com> wrote:
> Advisory Name: Plumber Injection Attack in Bowser's Castle
> Release Date: 2011-04-01
> Application: Bowser's Castle
> Versions: Super Mario Bros., Super Mario Bros.: The Lost Levels
> Identifier: SMB-1985-0001
> Advisory: http://blog.ksplice.com/2011/04/smb-1985-0001-advisory/
>
> -----------------------------------------------------------------------
>
> Vulnerability Overview
> ----------------------
>
> Multiple versions of Bowser's Castle are vulnerable to a plumber injection
> attack. An Italian plumber could exploit this bug to bypass security
measures
> (walk through walls) in order to rescue Peach, to defeat Bowser, or for
> unspecified other impact.
>
> Exploit
> -------
>
> http://www.youtube.com/watch?v=rGshxZ1dYjA
>
> This vulnerability is demonstrated by
> "happylee-supermariobros,warped.fm2" [1]. Attacks using this
> exploit have been observed in the wild, and multiple other exploits
> are publicly available.
>
> Affected Versions
> -----------------
>
> Versions of Bowser's Castle as shipped in Super Mario Bros. [2] and Super
> Mario Bros.: The Lost Levels [3] are affected.
>
> Solution
> --------
>
> http://www.youtube.com/watch?v=nacFU7ozeZA
>
> An independently developed patch [4] is available.
>
> A binary hot patch [5] to apply the update to an existing version is also
> available.
>
> All users are advised to upgrade.
>
> Mitigations
> -----------
>
> For users unable to apply the recommended fix, a number of
> mitigations are possible to reduce the impact of the vulnerability.
>
> NOTE THAT NO MITIGATION IS BELIEVED TO BE COMPLETELY EFFECTIVE.
>
> Potential mitigations include:
>
> - Employing standard defense-in-depth strategies incorporating
> multiple layers of defense, including Goombas [6], Koopa Troopas [7],
> Bullet Bills [8], and others.
> - Installing poison mushrooms outside your castle [9].
> - Installing a firewall to limit access to affected systems. [10]
> - Frequently moving your princess between different castles [11].
>
> Credit
> ------
>
> The vulnerability was originally discovered by Mario and Luigi, of Mario
> Bros. Security Research.
>
> The provided patch and this advisory were prepared by Lakitu Cloud
> Security, Inc. The hot patch was developed in collaboration with
> Ksplice, Inc. [12]
>
> Product Overview
> ----------------
>
> Bowser's Castle is King Bowser's home and the base of operations
> for the Koopa Troop. Bowser's Castle is the final defense against
> assaults by Mario to kidnap Princess Peach, and is guarded by
> Bowser's most powerful minions. [13]
>
> References
> ----------
>
> [1] http://tasvideos.org/1715M.html
> [2] http://en.wikipedia.org/wiki/Super_Mario_Bros.
> [3] http://en.wikipedia.org/wiki/Super_Mario_Bros.:_The_Lost_Levels
> [4] http://blog.ksplice.com/wp-content/uploads/2011/04/smb-1985-0001.patch
> [5]
http://blog.ksplice.com/wp-content/uploads/2011/04/patch-smb-1985-0001.sh
> [6] http://www.mariowiki.com/Goomba
> [7] http://www.mariowiki.com/Koopa_Troopa
> [8] http://www.mariowiki.com/Bullet_Bill
> [9] http://www.mariowiki.com/Firebar
> [10]
http://tvtropes.org/pmwiki/pmwiki.php/Main/YourPrincessIsInAnotherCastle
> [11] http://www.mariowiki.com/Poison_Mushrooms
> [12] http://www.ksplice.com/
> [13] http://www.mariowiki.com/Bowser%27s_Castle
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/