Security Hole in Nintendo Switch Firmware Pre 3.0.1 Allows For Exploit With Increased Permissions
It appears that all Nintendo Switch firmware versions below 3.0.1 are vulnerable to an exploit that grants elevated service-manager permissions to user code.
Access to the platform's full system privileges is required to run future exploits on the Switch. According to homebrew website Switchbrew.org, full permissions can be obtained by creating a new "sm:" port session and skipping its initialization command:
Prior to 3.0.1, the service manager (sm) built-in system module treats a user as though it has full permissions if the user creates a new "sm:" port session but bypasses initialization. This is due to the other sm commands skipping the service ACL check for Pids <= 7 (i.e. all kernel bundled modules) and that skipping the initialization command leaves the Pid field uninitialized.
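The following is an added example, not code from the original article, from Switchbrew, or from Nintendo: a minimal C model of the service-manager logic the quoted paragraph describes, with the pre-3.0.1 check beside a hardened form that refuses commands until the session has been initialized. The session, command and service names (sm_session, sm_initialize, sm_get_service, the "fsp-srv" and "spl:" labels and the ACL contents) are assumptions chosen for illustration, and the uninitialized Pid field is modelled as zero; the real Switch IPC interface is not reproduced.

```c
/*
 * Added example modelling the sm bug described above. Not Nintendo's or
 * Switchbrew's code; all names, the ACL table and the zero value of the
 * uninitialized Pid field are assumptions for illustration only.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KERNEL_PID_MAX 7   /* per the quote: Pids <= 7 are kernel-bundled modules */

typedef struct {
    bool     initialized;  /* set only by the Initialize command */
    uint64_t pid;          /* stays at 0 if Initialize is never sent (assumption) */
} sm_session;

typedef enum { SM_OK = 0, SM_NOT_INITIALIZED = 1, SM_ACCESS_DENIED = 2 } sm_result;

/* Constructed ACL: user pid 100 may open "fsp-srv" and nothing else. */
static bool acl_allows(uint64_t pid, const char *service)
{
    return pid == 100 && strcmp(service, "fsp-srv") == 0;
}

/* Opening a new "sm:" port session hands back a zeroed session object,
 * which is what leaves pid at 0 when the caller skips Initialize. */
static sm_session sm_open_session(void)
{
    sm_session s;
    memset(&s, 0, sizeof s);
    return s;
}

/* Initialize command: records the kernel-supplied pid of the caller. */
static void sm_initialize(sm_session *s, uint64_t caller_pid)
{
    s->pid = caller_pid;
    s->initialized = true;
}

/* Pre-3.0.1 behaviour as described: the ACL check is skipped for
 * pid <= 7, and nothing verifies that Initialize was ever called,
 * so a zero pid is mistaken for a kernel module. */
static sm_result sm_get_service_vulnerable(const sm_session *s, const char *service)
{
    if (s->pid <= KERNEL_PID_MAX)
        return SM_OK;
    return acl_allows(s->pid, service) ? SM_OK : SM_ACCESS_DENIED;
}

/* Hardened form: every other command is refused until the session has
 * been initialized, so the pid field is never consulted while stale. */
static sm_result sm_get_service_fixed(const sm_session *s, const char *service)
{
    if (!s->initialized)
        return SM_NOT_INITIALIZED;
    if (s->pid <= KERNEL_PID_MAX)
        return SM_OK;
    return acl_allows(s->pid, service) ? SM_OK : SM_ACCESS_DENIED;
}

/* Walks the scenario from the quote: a session that skipped Initialize is
 * granted any service by the vulnerable check and refused by the fixed one,
 * while an initialized user session is subject to the ACL as intended.
 * Returns 1 when all four observations match that expectation. */
static int demo(void)
{
    sm_session skipped = sm_open_session();        /* Initialize never sent */
    sm_result vuln  = sm_get_service_vulnerable(&skipped, "spl:");
    sm_result fixed = sm_get_service_fixed(&skipped, "spl:");

    sm_session honest = sm_open_session();
    sm_initialize(&honest, 100);                   /* user-mode pid 100 */
    sm_result allowed = sm_get_service_fixed(&honest, "fsp-srv");
    sm_result denied  = sm_get_service_fixed(&honest, "spl:");

    printf("skipped Initialize, vulnerable sm: %d (0 = granted)\n", vuln);
    printf("skipped Initialize, fixed sm:      %d (1 = not initialized)\n", fixed);
    printf("initialized pid 100, fsp-srv:      %d (0 = granted by ACL)\n", allowed);
    printf("initialized pid 100, spl::         %d (2 = denied by ACL)\n", denied);

    return vuln == SM_OK && fixed == SM_NOT_INITIALIZED
        && allowed == SM_OK && denied == SM_ACCESS_DENIED;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The point of the model is that the privilege decision rests on a field whose only writer is a command the client is free to skip; gating every other command on an explicit initialized flag removes that dependency regardless of what value the field happens to hold.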
While a vulnerability has been identified in Nintendo's latest platform, no public exploit has yet been written for it. For those already on the latest Switch firmware, downgrading to firmware version 3.0 is not an option: the platform uses eFuses that are burnt during updates. On every boot the bootloader compares the number of burnt eFuses with the number its firmware version expects, and a downgraded firmware that expects fewer burnt fuses than are present will refuse to boot.
Nintendo released the Switch in March 2017. Firmware version 3.0.1 was released last month, but it appears that older firmware is still present on Switches at retailers.