[HN Gopher] Exploiting DNS response parsing on the Wii U
___________________________________________________________________
Exploiting DNS response parsing on the Wii U
Author : bertman
Score : 184 points
Date : 2023-10-29 07:51 UTC (15 hours ago)
(HTM) web link (garyodernichts.blogspot.com)
(TXT) w3m dump (garyodernichts.blogspot.com)
| londons_explore wrote:
| So this exploit requires control of the local network, since such
| a request isn't valid DNS and therefore wouldn't get forwarded
| through a typical user's DNS resolver?
| moritzruth wrote:
| It seems like you can set the DNS server directly on the device
| itself, bypassing the local DNS resolver.
|
| See https://github.com/GaryOderNichts/DNSpresso#instructions
| londons_explore wrote:
| Very nice - so this is the perfect exploit - pretty hard for
| evil people to do, but easy for the device owner to do to
| regain control of their own hardware.
| acheong08 wrote:
| ARP spoofing allows this attack to be run. Still needs to
| be in the local network though. (Pretend to be the router
| and intercept the DNS.)
| resonanttoe wrote:
| Yeah, that's typical for the console homebrew exploits though.
| (Or at least control of the resolver - the instructions look
| like the author has an exploit server running for ease)
|
| At the very least (beyond the extra TCP DNS fields) you need to
| ignore/drop the two UDP DNS requests the Wii U makes before
| failing over to TCP.
| maratc wrote:
| No, you define a connection on the WiiU and provide the DNS
| server as a parameter. The author has a DNS server up there
| sending your WiiU a request that causes it to run a payload
| (which resides on your SD card).
| haunter wrote:
| Is this similar how str2hax works? That's the most common
| jailbreak method nowadays https://wii.guide/str2hax
| TheDong wrote:
| No, str2hax isn't a DNS exploit. str2hax exploits CVE-2009-0689
| in opera. See https://wiibrew.org/wiki/Str2hax#How_it_works
| londons_explore wrote:
| Someone should probably write something about the importance of
| turning off updates if you want to keep this functionality,
| because Nintendo is probably working right now on wrestling your
| hardware back into their control...
| goosedragons wrote:
| Doubtful. Wii U has been thrown open for years, the last update
| was 13 months ago and weirdly only for North America and didn't
| break any current exploits. The store is dead, it loses online
| play in a few months and the hardware is long discontinued. I
| don't think they really care about it.
| hobs wrote:
| It was also a source of major shame and embarrassment for
| Nintendo and I would not be surprised if they just wanted to
| forget it.
| mackal wrote:
| They fixed the easy to use exploits on the 3DS not too long
| ago after it had been discontinued and store shutdown etc
|
| It wouldn't surprise me if Nintendo went back and fixed
| something that wouldn't make sense like this.
| random_ wrote:
| > At this point I was interested and decided to take a look if
| the Wii U implementation suffers from the same issue. To my
| surprise the Wii U implementation looks something like this
| instead
|
| So, how did the author get hold of the Wii U's code, is it publicly
| available or was it some kind of reverse engineering?
| alin23 wrote:
| Reverse engineering: "After reverse
| engineering parts of the Wii U's NET stack for another project
| I was working on, I realized it's using a modified version of
| NicheStack."
|
| That part of the code was reproduced from the author's
| understanding of the assembly.
| random_ wrote:
| Oh, I missed this, and it's right at the top of the article,
| thanks!
| IntelMiner wrote:
| It's also possible it was released depending on the DNS server
| license
|
| Since a lot of embedded devices these days rely on software
| like Webkit they typically have a firmware release zip
| _somewhere_ for license compliance
| cookiengineer wrote:
| This is actually the namewreck vulnerability which also affected
| thousands of devices running in production plants and using the
| Siemens tech stack.
|
| Pretty interesting that they made the same naive implementation
| mistakes when it comes to message compression and the bytewise
| pointers resolution.
|
| A simple fix for that is something like only accepting pointers
| that point to a lower position and never to a higher one, to
| prevent stack overflows and buffer overflows for the parsed label
| arrays.
| blincoln wrote:
| > A simple fix for that is something like only accepting
| pointers that point to a lower position and never to a higher
| one, to prevent stack overflows and buffer overflows for the
| parsed label arrays.
|
| Wouldn't the simpler fix be to perform bounds checking before
| writing to any buffer?
| zbentley wrote:
| Absolutely. Nor would that entail particularly onerous
| performance penalties in this instance, as DNS interrogation
| happens relatively rarely.
|
| That said, I'd guess this is related to the use of
| string/array deserialization facilities that are either more
| general than the DNS parser or were copy/pasted from a domain
| that makes different assumptions re: the safety and inbound
| data provenance.
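The sub-thread above discusses two defences for DNS name decompression: rejecting pointers that do not point strictly backwards (cookiengineer) and bounds-checking every read and write (blincoln). The parser below is an added example written for this page; it is not code from the linked blog post, from the Wii U, or from NicheStack, whose actual implementation the thread only describes in prose. It applies both defences and runs against a constructed DNS message (the bytes and offsets are made up for the example) containing a plain name, a pointer, a label-plus-pointer name, a self-pointer, a forward pointer and a truncated label.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Longest presentation-format name we will emit (RFC 1035 limits a wire
 * name to 255 octets; dotted text form is at most 253 characters). */
#define MAX_NAME_TEXT 253
#define MAX_POINTER_HOPS 16

/*
 * Decompress the DNS name that starts at byte offset `off` of message `msg`
 * (total length `len`) into the dotted string `out` (capacity `cap`).
 *
 * Returns the number of wire bytes the name occupies at its original
 * position (so a caller can advance to the next field), or -1 on malformed
 * input. Every read is bounded by `len`, every write by `cap`, and a
 * compression pointer is followed only if it points strictly backwards from
 * where it was found, so the walk terminates even without the hop counter.
 */
int dns_read_name(const uint8_t *msg, size_t len, size_t off,
                  char *out, size_t cap)
{
    size_t pos = off;        /* current read position in msg */
    size_t outlen = 0;       /* bytes written to out, excluding the NUL */
    size_t consumed = 0;     /* wire bytes used at the original position */
    int jumped = 0;          /* set once a pointer has been followed */
    int hops = 0;

    if (cap == 0) return -1;
    out[0] = '\0';

    for (;;) {
        if (pos >= len) return -1;                  /* length octet past the end */
        uint8_t c = msg[pos];

        if ((c & 0xC0) == 0xC0) {                   /* 11xxxxxx: compression pointer */
            if (pos + 1 >= len) return -1;          /* second pointer octet missing */
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (!jumped) consumed = pos + 2 - off;  /* a pointer ends the name on the wire */
            if (target >= pos) return -1;           /* self or forward pointer: reject */
            if (++hops > MAX_POINTER_HOPS) return -1;
            pos = target;
            jumped = 1;
            continue;
        }
        if (c & 0xC0) return -1;                    /* 01/10 prefixes are reserved */

        if (c == 0) {                               /* root label ends the name */
            if (!jumped) consumed = pos + 1 - off;
            return (int)consumed;
        }

        /* Ordinary label: c (1..63) octets follow the length octet. */
        if (pos + 1 + c > len) return -1;           /* label runs off the message */
        size_t need = outlen + (outlen ? 1 : 0) + c;
        if (need > MAX_NAME_TEXT || need + 1 > cap) return -1;  /* output bounds */
        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, msg + pos + 1, c);
        outlen += c;
        out[outlen] = '\0';
        pos += 1 + c;
    }
}

/* Constructed sample message (not a real capture). Offsets are in comments. */
const uint8_t sample_msg[] = {
    /* 0..11: 12-byte header; contents do not matter for name parsing */
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    /* 12: "example.com" as uncompressed labels, root label at 24 */
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    /* 25: pointer back to offset 12 */
    0xC0, 0x0C,
    /* 27: "www" followed by a pointer back to offset 12 */
    3, 'w', 'w', 'w', 0xC0, 0x0C,
    /* 33: pointer to itself (would loop forever in a naive parser) */
    0xC0, 0x21,
    /* 35: forward pointer to offset 40, past the end of the message */
    0xC0, 0x28,
    /* 37: label claims 10 octets but only 2 remain */
    10, 'a', 'b',
};
const size_t sample_msg_len = sizeof sample_msg;

int main(void)
{
    const size_t offsets[] = { 12, 25, 27, 33, 35, 37 };
    char name[256];
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        int n = dns_read_name(sample_msg, sample_msg_len, offsets[i], name, sizeof name);
        if (n < 0) printf("offset %zu: rejected\n", offsets[i]);
        else       printf("offset %zu: \"%s\" (%d wire bytes)\n", offsets[i], name, n);
    }
    return 0;
}
```

The backward-only rule makes `pos` strictly decrease on every hop, so termination does not depend on the hop counter; the counter is kept as a second line of defence. The output check computes the space a label needs (dot, label, NUL) before anything is written, which is the bounds check blincoln describes, independent of how the name was compressed.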
| jrmg wrote:
| An exploit in DNS parsing (not sure if it's related?) is used on
| Wii to patch games like Mario Kart Wii and Smash Brothers to use
| third party online servers.
|
| Since the Nintendo servers shut down, hacks have been the only
| way to play Wii games online - and this one is by far the easiest
| to use. Just change your DNS servers and you can play online
| again!
|
| https://wiimmfi.de/patcher/dnspatch
|
| There's still a thriving Mario Kart Wii scene because of this!
| You can play Mario Kart online basically any time. I'd bet there
| are hundreds of players online right now (really brings home just
| how large the human population is...). Here are the current
| online stats: https://wiimmfi.de/stat?m=8
| ozarker wrote:
| There's a big 3rd party server scene for the PS2 as well using
| alternate DNS servers. Pretty awesome to see people care enough
| about these old games to set stuff up like this
| charcircuit wrote:
| That link does not say that it uses an exploit with DNS parsing.
| DNS just lets you point the game at 3rd party servers run by a
| third party. It just happens that 3rd party servers can exploit
| the client.
| jrmg wrote:
| You're right! I misremembered this - it's an SSL bug that's
| really the first step in the chain in this case.
|
| _When you try to connect to the Nintendo WFC using this DNS
| server, the DNS redirects your login request to Wiimmfi
| instead. Wiimmfi then uses a specially crafted SSL
| certificate which some games consider valid due to an IOS
| bug, and then lets you go online._
|
| _After you are online, Wiimmfi is using a different bug in
| Mario Kart Wii in order to send and execute the rest of the
| Mario-Kart-specific Wiimmfi patches to your game, which is
| what happens during the loading screen when you are online._
___________________________________________________________________
(page generated 2023-10-29 23:01 UTC)