CVE-2023-45887
published 2023-12-20
CVE-2023-45887: DS Wireless Communication (DWC) with DWC_VERSION_3 and DWC_VERSION_11 allows remote attackers to execute arbitrary code on a game-playing client's machine via…
Priority P264, critical, 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.57% (72.2th percentile)
DS Wireless Communication (DWC) with DWC_VERSION_3 and DWC_VERSION_11 allows remote attackers to execute arbitrary code on a game-playing client's machine via a modified GPCM message.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nintendo | ds_wireless_communication | — | — |
| nintendo | ds_wireless_communication | — | — |
Detection & IOCs (extracted from sources)
- bytes: \xFE (DWC_MATCH_COMMAND_INVALID)
- bytes: LR_SAVE = \x41\x41\x41\x41
- bytes: PADDING = 'MikeStar' (repeated to 0x23C bytes)
- Detect malformed GPCM messages matching the regex pattern for DWC exploit traffic: message starts with '\msg\GPCM' followed by 1-2 digits and 'vMAT', then is immediately followed by byte 0xFE and a 0x23C-byte padding block.
- The exploit appends a '\final\' key after the 0x23C-byte padding and 4-byte LR_SAVE (0x41414141) in the modified GPCM TCP payload. Inspect TCP payloads for this sequence as a high-confidence indicator.
- The exploit uses WinDivert to intercept and modify outbound TCP packets with non-zero payload length. Presence of WinDivert driver/process on a game client host may indicate exploit tooling.
- The attack vector is a modified GPCM message sent over TCP to a game-playing client. Monitor for GPCM protocol messages containing 0xFE immediately after the 'vMAT' token, which is not valid in normal DWC traffic.
- The exploit targets DWC_VERSION_3 and DWC_VERSION_11 specifically; other versions are not confirmed vulnerable.
- The LR_SAVE value (0x41414141) in the published PoC is a placeholder ('AAAA') and would be replaced with a real return address in a weaponized exploit; detections based solely on this value may miss targeted variants.
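A payload check built from the indicators above, as an added example (not code from this page's sources or the PoC repository). It assumes the caller supplies reassembled TCP payload bytes; `scan_payload` and the sample buffers are hypothetical and constructed. It keys on the 0xFE byte and the message layout rather than on the placeholder LR_SAVE value.

```python
import re

# Indicator values as listed on this page.
INVALID_CMD = b"\xfe"        # DWC_MATCH_COMMAND_INVALID
PADDING_LEN = 0x23C          # size of the padding block
LR_LEN = 4                   # LR_SAVE width
FINAL_KEY = b"\\final\\"
HEADER = re.compile(rb"\\msg\\GPCM\d{1,2}vMAT")


def scan_payload(payload):
    """Return one finding per GPCM header that is followed by 0xFE."""
    findings = []
    for m in HEADER.finditer(payload):
        end = m.end()
        if payload[end:end + 1] != INVALID_CMD:
            continue  # some other byte after vMAT: not this indicator
        finding = {"offset": m.start(), "confidence": "medium", "lr_save": None}
        # Full layout: 0xFE, 0x23C bytes, 4-byte LR_SAVE, then \final\.
        tail = payload[end + 1 + PADDING_LEN:]
        if tail[LR_LEN:].startswith(FINAL_KEY):
            finding["confidence"] = "high"
            finding["lr_save"] = tail[:LR_LEN].hex()  # recorded, never matched on
        findings.append(finding)
    return findings


# Constructed sample buffers (not captured traffic).
_HDR = b"\\msg\\GPCM3vMAT"
_FILL = b"P" * PADDING_LEN
SAMPLES = {
    "other_command": _HDR + b"\x01" + b"constructed" + FINAL_KEY,
    "poc_layout": _HDR + INVALID_CMD + _FILL + b"AAAA" + FINAL_KEY,
    "other_lr": b"junk" + _HDR + INVALID_CMD + _FILL + b"\x10\x20\x30\x40" + FINAL_KEY,
    "truncated": _HDR + INVALID_CMD + b"P" * 16,
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, scan_payload(buf))
```

A "medium" finding means 0xFE follows the `vMAT` token but the full layout was not present in the buffer, for example when the message spans several segments.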
No detection rules found.
- http://packetstormsecurity.com/files/177135/DS-Wireless-Communication-Code-Execution.html
- https://github.com/MikeIsAStar/DS-Wireless-Communication-Remote-Code-Execution
- https://pastebin.com/ukRzztv0