Borked browser baked into Nintendo Switch

How about switching to a recent version that's actually secure, Nintendo?

A couple of console enthusiasts have run up a proof-of-concept showing a Nintendo's new games machine, the "Switch", being p0wned thanks to an old Webkit vulnerability.

When CVE-2016-4657 emerged last year, it was used to jailbreak iOS before version 9.3.5.

The Switch has a built-in browser that carries the vuln, and as LiveOverflow explains in the 18-minute-long video walk-through below, getting the browser opened up is a first step to let other enthusiasts find ways to look at the console's ROM and firmware.

Hacker fail0verflow's video followed a Tweet by @qwertyoruiop showing off the exploit (that's a private Twitter account, so we won't steal the screenshot).

fail0verflow was tipped off to the browser's presence in the Switch by what happens when you use the device to access a WiFi network with a captive portal: up comes the obligatory landing and sign-in page.

With a proxy and a suitable entry in /etc/hosts, the Nintendo Switch can be directed to a local server.

The Webkit bug is triggered by a crafted Web page, fail0verflow explained, and that was the vector they used to get at the Switch (specifically via JavaScript pushed into the browser).

As this piece at Wololo explains, the proof-of-concept will have others trying to comb through libraries in the device to find a privilege escalation bug.

That would be the Holy Grail to kernel hackers, since it would get them pretty close to the kind of attack that lets them load whatever Linux they please.

fail0verflow's files are at GitHub.

Youtube Video

Sony's probably sending messages of sympathy to Nintendo: a different Webkit bug let fail0verflow break into the PlayStation 4 last year. ®

Keep Reading

Biting the hand that feeds IT © 1998–2021