Stack smashing lives on (in Zelda for the Nintendo Wii)


Over a decade ago, physiotherapy
I remember printing out and reading a text by Aleph1 entitled Smashing the Stack for Fun and Profit. Back then, stack-based buffer overflows were a hot topic and the tide was turning as programmers began to realize that null termination of strings was not a good security measure and bounds checking was becoming necessary for the security-minded programs.

The issue was that many people were used to using a function like strcpy() to copy a string from one memory location to a dynamically allocated memory segment on the stack. The strcpy() function simply started copying from the supplied address and stopped when it reached a null character without knowing how much space was allocated for the string at the destination. As a result, segments of the stack that were not allocated for the “local” variable, like the return address of a function, could be overwritten with arbitrary values. With the properly formatted string, even executable code could be put somewhere on the stack and the return address could be overwritten so that this code could be executed, for fun and profit as they say. Programmers became wiser and started using strncpy() instead, which only copied a fixed amount of data and therefore guaranteed that the allocated space would not be exceeded. Furthermore, most modern operating systems can now set areas of the memory dedicated to the stack as non-executable, so the above routine would be foiled. Individuals have found some ways around these security features, however, the stack smashing exploit (as described by Aleph1) has mostly been considered a thing of the past.

I use the term mostly since Nintendo has preserved the knowledge and allowed practice of this exploit with their release of the latest Zelda game for the Wii. Through a cleverly crafted save file, the name of the main characters horse can contain a string as mentioned above and lead to execution of arbitrary code. There are a few tricks to maintain the integrity of the save file, however, after a decade the above exploit still lives on, almost in the same form as described by Aleph1.

( Although the picture is not from the Twilight Princess game, it is a good game none the less. )

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>