An exploit in DNS parsing (not sure if it’s related?) is used on Wii to patch games like Mario Kart Wii and Smash Brothers to use third party online servers.
Since the Nintendo servers shut down, hacks have been the only way to play Wii games online - and this one is by far the easiest to use. Just change your DNS servers and you can play online again!
There’s still a thriving Mario Kart Wii scene because of this! You can play Mario Kart online basically any time. I’d bet there are hundreds of players online right now (really brings home just how large the human population is…). Here are the current online stats: https://wiimmfi.de/stat?m=8
That link does not say that it uses an exploit with DNS parsing. DNS just lets you point the game at 3rd party servers run by a third party. It just happens that 3rd party servers can exploit the client.
You’re right! I misremembered this - it’s an SSL bug that’s really the first step in the chain in this case.
When you try to connect to the Nintendo WFC using this DNS server, the DNS redirects your login request to Wiimmfi instead. Wiimmfi then uses a specially crafted SSL certificate which some games consider valid due to an IOS bug, and then lets you go online.
After you are online, Wiimmfi is using a different bug in Mario Kart Wii in order to send and execute the rest of the Mario-Kart-specific Wiimmfi patches to your game, which is what happens during the loading screen when you are online.
There’s a big 3rd party server scene for the PS2 as well using alternate DNS servers. Pretty awesome to see people care enough about these old games to set stuff up like this
This is actually the NAME:WRECK vulnerability which also affected thousands of devices running in production plants and using the Siemens tech stack.
Pretty interesting that they made the same naive implementation mistakes when it comes to message compression and the bytewise pointers resolution.
A simple fix for that is something like only accepting pointers that point to a lower position and never to a higher one, to prevent stack overflows and buffer overflows for the parsed label arrays.
> A simple fix for that is something like only accepting pointers that point to a lower position and never to a higher one, to prevent stack overflows and buffer overflows for the parsed label arrays.
Wouldn't the simpler fix be to perform bounds checking before writing to any buffer?
Absolutely. Nor would that entail particularly onerous performance penalties in this instance, as DNS interrogation happens relatively rarely.
That said, I'd guess this is related to the use of string/array deserialization facilities that are either more general than the DNS parser or were copy/pasted from a domain that makes different assumptions re: the safety and inbound data provenance.
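The two fixes proposed in the comments above (accept only compression pointers that point backwards, and bounds-check before every write) can be combined in one small decompressor. The following is an added example written for this thread, not code from the article, from any Wii/Wii U IOS component, from Wiimmfi or from Nucleus NET; the sample messages are constructed by hand, and the helper name `parse_check` is my own. It reads one RFC 1035 name out of a message buffer, follows pointers only toward lower offsets, checks the message and output bounds before each read and write, and rejects self-pointers, forward-pointer cycles, out-of-range pointers, truncated labels and names that would overflow the destination.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hardened RFC 1035 name decompressor (added example; not code from any
 * console, Wiimmfi or Nucleus NET implementation). Reads the name that
 * starts at msg[off], writes it in dotted form to out, and returns the
 * number of wire bytes the name occupies at off (up to and including the
 * root label or the first compression pointer), or -1 on malformed input. */
#define DNS_NAME_MAX  255   /* max wire length of a name, RFC 1035 2.3.4 */
#define DNS_LABEL_MAX 63    /* max label length, RFC 1035 2.3.4 */

int dns_read_name(const uint8_t *msg, size_t msglen, size_t off,
                  char *out, size_t outlen)
{
    size_t pos = off;       /* current read position in msg */
    size_t consumed = 0;    /* bytes occupied by the name at off */
    size_t outpos = 0;      /* bytes written to out so far */
    size_t namelen = 0;     /* uncompressed wire length accumulated so far */
    int jumped = 0;         /* have we followed a pointer yet? */

    if (outlen == 0) return -1;

    for (;;) {
        if (pos >= msglen) return -1;          /* bounds: the length byte */
        uint8_t len = msg[pos];

        if ((len & 0xC0) == 0xC0) {            /* 11xxxxxx: compression pointer */
            if (pos + 1 >= msglen) return -1;  /* bounds: the pointer's low byte */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (!jumped) consumed = pos + 2 - off;
            /* Backward pointers only. Since pos < msglen was already checked,
             * target < pos also guarantees target is inside the message, and
             * every hop is strictly decreasing, so self-pointers and
             * forward-pointer cycles fail instead of looping forever. */
            if (target >= pos) return -1;
            pos = target;
            jumped = 1;
            continue;
        }
        if (len & 0xC0) return -1;             /* 01/10 prefixes are reserved */

        if (len == 0) {                        /* root label terminates the name */
            if (!jumped) consumed = pos + 1 - off;
            out[outpos] = '\0';
            return (int)consumed;
        }
        if (len > DNS_LABEL_MAX) return -1;
        if (pos + 1 + len > msglen) return -1; /* bounds: the label body */
        namelen += (size_t)len + 1;
        if (namelen > DNS_NAME_MAX) return -1; /* whole name too long even if
                                                  each label is legal */
        /* bounds: out needs the label, a dot unless this is the first label,
         * and the terminating NUL, before anything is written. */
        size_t need = (size_t)len + (outpos > 0 ? 1 : 0) + 1;
        if (need > outlen - outpos) return -1;
        if (outpos > 0) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos + 1, len);
        outpos += len;
        pos += 1 + (size_t)len;
    }
}

/* Constructed sample message: 12-byte header, "example.com" at offset 12,
 * then "www" followed by a pointer back to offset 12 (0xC0 0x0C) at 25. */
static const uint8_t sample[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    3,'w','w','w', 0xC0, 0x0C,
};
/* Constructed malformed names of the kind a naive pointer loop mishandles. */
static const uint8_t self_loop[]    = { 0xC0, 0x00 };             /* points at itself */
static const uint8_t forward_loop[] = { 0xC0, 0x02, 0xC0, 0x00 }; /* 0 -> 2 -> 0 -> ... */
static const uint8_t oob_pointer[]  = { 0xC0, 0x50 };             /* target past the end */
static const uint8_t truncated[]    = { 5, 'a', 'b' };            /* label claims 5 bytes */

/* Parse the name at off and compare it with expected: returns the consumed
 * byte count on a match, -1 if the parser rejected the input, -2 on a
 * mismatch. outlen lets a caller simulate a small destination buffer. */
int parse_check(const uint8_t *msg, size_t msglen, size_t off,
                size_t outlen, const char *expected)
{
    char buf[DNS_NAME_MAX + 1];
    if (outlen > sizeof buf) outlen = sizeof buf;
    int n = dns_read_name(msg, msglen, off, buf, outlen);
    if (n < 0) return -1;
    return strcmp(buf, expected) == 0 ? n : -2;
}

int main(void)
{
    printf("example.com: %d\n", parse_check(sample, sizeof sample, 12, 256, "example.com"));
    printf("www.example.com: %d\n", parse_check(sample, sizeof sample, 25, 256, "www.example.com"));
    printf("self loop: %d\n", parse_check(self_loop, sizeof self_loop, 0, 256, ""));
    printf("8-byte out buffer: %d\n", parse_check(sample, sizeof sample, 12, 8, "example.com"));
    return 0;
}
```

Note that the backward-only rule does double duty: once the current offset is known to be inside the message, any target below it is inside the message too, so the pointer target needs no separate range check, and the strictly decreasing offset replaces the hop counter many parsers use against pointer loops. The output-buffer check is still required independently, which is the point made in the reply above: a pointer rule limits where the parser reads, not how much it writes.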
So this exploit requires control of the local network, since such a request isn't valid DNS and therefore wouldn't get forwarded through a typical user's DNS resolver?
Yeah, that's typical for the console homebrew exploits though.
(Or at least control of the resolver - the instructions look like the author has an exploit server running for ease)
At the very least (beyond the extra TCP DNS fields) you need to ignore/drop the two UDP DNS requests the Wii U makes before failing to TCP.
Very nice - so this is the perfect exploit - pretty hard for evil people to do, but easy for the device owner to do to regain control of their own hardware.
No, you define a connection on the WiiU and provide the DNS server as a parameter. The author has a DNS server up there sending your WiiU a request that causes it to run a payload (which resides on your SD card).
> At this point I was interested and decided to take a look if the Wii U implementation suffers from the same issue. To my surprise the Wii U implementation looks something like this instead
So, how did the author get hold of the Wii's code, is it publicly available or was it some kind of reverse engineering?
Someone should probably write something about the importance of turning off updates if you want to keep this functionality, because Nintendo is probably working right now on wrestling your hardware back into their control...
Doubtful. Wii U has been thrown open for years, the last update was 13 months ago and weirdly only for North America and didn't break any current exploits. The store is dead, it loses online play in a few months and the hardware is long discontinued. I don't think they really care about it.
https://wiimmfi.de/patcher/dnspatch