- Advisory Name:
- Plumber Injection Attack in Bowser’s Castle
- Release Date:
- Bowser’s Castle
- Affected Versions:
- Super Mario Bros., Super Mario Bros.: The Lost Levels
- Advisory URL:
Multiple versions of Bowser’s Castle are vulnerable to a plumber injection
attack. An Italian plumber could exploit this bug to bypass security measures
(walk through walls) in order to rescue Peach, to defeat Bowser, or for
unspecified other impact.
This vulnerability is demonstrated by
“happylee-supermariobros,warped.fm2”. Attacks using this exploit have been
observed in the wild, and multiple other exploits are publicly available.
An independently developed patch is available:
--- a/smb.asm 1985-09-13 12:00:00.000000000 +0900 +++ b/smb.asm 2011-04-01 12:00:00.000000000 -0400 @@ -12009,12015 +12009,12015 @@ ldy $04 cpy #$05 bcc *+$09 - lda $45 + lda #$01 sta $00 jmp $df4b jsr $dec4
A binary hot patch to apply the update to an existing version is also available.
All users are advised to upgrade.
For users unable to apply the recommended fix, a number of
mitigations are possible to reduce the impact of the vulnerability.
NOTE THAT NO MITIGATION IS BELIEVED TO BE COMPLETELY EFFECTIVE.
Potential mitigations include:
- Employing standard defense-in-depth strategies incorporating
multiple layers of defense, including Goombas, Koopa Troopas,
Bullet Bills, and others.
- Installing poison mushrooms outside your castle.
- Installing a firewall to limit access to affected systems.
- Frequently moving your princess between different castles.
The vulnerability was originally discovered by Mario and Luigi, of Mario
Bros. Security Research.
The provided patch and this advisory were prepared by Lakitu Cloud Security,
Inc. The hot patch was developed in collaboration with Ksplice, Inc.
Bowser’s Castle is King Bowser’s home and the base of operations for the
Koopa Troop. Bowser’s Castle is the final defense against assaults by Mario to
kidnap Princess Peach, and is guarded by Bowser’s most powerful minions.