Security issues regarding AltWFC servers

    This site uses cookies. By continuing to browse this site, you are agreeing to our Cookie Policy.

      Security issues regarding AltWFC servers

      Security issues regarding AltWFC servers or malicious DNS entries


      Important things first: If you are playing on Wiimmfi, either using automatic DNS, the Wiimmfi DNS (95.217.77.151), the RiiConnect24 DNS (164.132.44.106) or other trustworthy DNS servers like the ones from Google, this message does NOT apply to you.
      It only applies if you play on an AltWFC clone, or if you are using untrustworthy DNS servers or networks.

      TL;DR at the bottom.

      The Wii (and WiiU) is a relatively old console (14 years Wii, 8 years WiiU), and both of them haven't been receiving security updates from Nintendo in a long time. While that is a good thing when you are trying to mod / homebrew your own console or play online on Wiimmfi (easy access through the license agreement), it also means that more and more security issues are found in the console(s) and/or the games that can be abused.

      In 2018, we noticed that there was a critical bug in Mario Kart Wii which could, in theory, be abused to run cheat codes / executable code on *other* consoles, just by being in the same Mario Kart Wii race as them. Obviously, that's a bad thing, because it would allow hackers / cheaters to brick your Wii if they wanted to. This critical bug was the main reason why we introduced new Wiimmfi patchers back then which fixed this bug. This means, when you play on Wiimmfi this bug cannot be abused and is no risk to your console anymore.

      Also, in 2018, Fullmetal5 created the "str2hax" exploit, which is what is used to load the Wiimmfi patcher from the Wii End User License Agreement to let you play on Wiimmfi without homebrew. This works by abusing the License Agreement display, by sending executable code to the console instead of an HTML page. We (on the Wiimmfi server) are using that to send a Wiimmfi patcher to the console and autostart it, but a malicious attacker (if you were using a malicious DNS Sserver) could theoretically send bricking codes instead of a Wiimmfi patcher.

      In addition to these two main bugs there have been a couple smaller ones as well, that could in theory be abused for similar things. All of them have been patched on Wiimmfi as well.
      _____________________________________________________________________________

      Until very recently, the bug that we've fixed with the new Wiimmfi patchers wasn't widely known. The codes needed to abuse that bug weren't public, and only a few people (MrBean (who first found the security issue), Chadderz, Wiimm and me; plus Star, a hacker who later found the security issue as well) knew how exactly the bug worked. We didn't want to make it widely known how it worked.

      However, Star (sadly) decided to make his exploit code public, which means, that on unpatched servers (ANY non-Wiimmfi server) a malicious attacker could now brick your Wii just by being in the same Mario Kart Wii room as you; and the operators of that server could brick your console when you connect to their server. Similarly, if you use a malicious DNS server provided to you by an attacker, he could brick your Wii when you try to view the License Agreement.

      Now what I'm saying does not mean that connecting to an AltWFC server will instantly brick your console. However, if the operator of that server would decide to do that, for whatever reason, they *could* absolutely do that. Similarly for playing on an AltWFC server. This announcement doesn't mean that your Wii will instantly be bricked when you play a race on AltWFC - but in theory, every player in your race would have the theoretical opportunity to do so.

      TL;DR (Summary of the above)

      • If you are playing on Wiimmfi, on a trustworthy network, with a trustworthy DNS server (Wiimmfi or RiiConnect24, or "standard" ones like Google), you are safe.
      • If you are using a malicious DNS server operated by an attacker (or if the attacker controls your network), that attacker could brick your console when you view the EULA, visit a web page in the Internet Channel, or try to connect to an AltWFC-based server.
      • If you are playing Mario Kart Wii on an AltWFC-based server, any player in your race could theoretically brick your console if they wanted to. This does NOT apply to Wiimmfi!
      We are strongly recommending the use of Wiimmfi instead of any other AltWFC-based server for Wii online gameplay, and we also recommend sticking to well-known DNS servers (like Wiimmfi (95.217.77.151), RiiConnect24 (164.132.44.106), or public DNS servers like Google). Otherwise, there is a risk of getting your Wii bricked.

      DevkitPro Archiv (alte Versionen / old versions): wii.leseratte10.de/devkitPro/
      Want to donate for Wiimmfi and Wii-Homebrew.com? Patreon / PayPal

      Dieser Beitrag wurde bereits 0 mal editiert, zuletzt von Leseratte ()

      Yeah, that's why that risk is mentioned as well.

      But I'd imagine that getting people to enter a malicious DNS server would still get you less "victims" than going on an AltWFC clone and just leave your console running for a while. We are just announcing that there is this theoretical risk, so nobody can say afterwards "why has nobody warned me".

      Never underestimate the amount of time that cheaters or hackers put into inconveniencing other players...

      DevkitPro Archiv (alte Versionen / old versions): wii.leseratte10.de/devkitPro/
      Want to donate for Wiimmfi and Wii-Homebrew.com? Patreon / PayPal

      Dieser Beitrag wurde bereits 0 mal editiert, zuletzt von Leseratte ()

      @FancyDolphin Nope. A cheat code to brick your own Wii has existed publicly for quite some time. And now there also is public source code on how to abuse this exploit to run codes on another player's console (on servers other than Wiimmfi). It's not plug-and-play, but a malicious person / hacker or anyone who has ever made any kind of cheat code will probably be able to put 2 and 2 together and get a code to brick other players consoles; that's why I made that announcement - so people are aware that playing on AltWFC servers is dangerous.

      @Varon Yeah, it is unlikely, but not that unlikely. There's a bunch of cheaters that annoy other players or even freeze their consoles, it's not that far off that one of them would also try to brick Wiis. It's still your decision, if you want to you can play on AltWFC all you want; I'm just warning people that that *can* happen.

      DevkitPro Archiv (alte Versionen / old versions): wii.leseratte10.de/devkitPro/
      Want to donate for Wiimmfi and Wii-Homebrew.com? Patreon / PayPal

      Dieser Beitrag wurde bereits 0 mal editiert, zuletzt von Leseratte ()

      FancyDolphin wrote:

      @Leseratte Fair enough, though Seeky has made a code to protect against RCE. AFAIK PAL at least works.
      While useful, that's not automatically added to every user's Wii, so if someone forgets to run it (or doesnt know how - NoSSL patchers dont auto-inject it) then :/
      I currently host the DLS1, GAMESTATS, and Peerchat server for Wiimmfi. if you have any issues with leaderboards (excluding MKW!), Mystery Gifts or other in-game downloadables, or Pokémon Wi-Fi Plaza, I can try to help! :P
      What if the attack for this vulnerability was executed on a Dolphin emulator?
      Can my device be at risk from such behavior?


      I play Wiimmfi only on the console, but I plan to do Hacking on Altwfc with dolphin emulator in the future.

      Lana Mach bike Player :3 MKWii FC 1164 1814 7415 Lana4Life♥
      It is highly unlikely that attackers will be able to "escape" the Dolphin Emulator and run malicious code on your computer with this exploit. That would require another bug in Dolphin (not in the game) that would allow you to break out of the emulated machine onto the host.

      DevkitPro Archiv (alte Versionen / old versions): wii.leseratte10.de/devkitPro/
      Want to donate for Wiimmfi and Wii-Homebrew.com? Patreon / PayPal

      Dieser Beitrag wurde bereits 0 mal editiert, zuletzt von Leseratte ()

      I'm a little bit suspicious with you Lesseratte after making this announcement. Even though this is a security vulnerability for altwfc or any other dwc emulated server, why would you care about those servers a lot instead of Wiimmfi? Unless you don’t want anyone but Wiimmfi to have this patch to ensure that people only use their server. What do you say on sharing the patch?
      ...Words cannot describe how stupid that response is. No, the point is to make sure that people don't get their consoles damaged, not to attempt to maintain some monopoly on MKW usership, you dolt. He's doing the responsible thing by telling people what the risks are. The vulnerability is not actually fixable server-side, hence we wrote a custom patching service for Wiimmfi to mitigate the problem, along with specialised patchers to allow the server to patch the game on-the-fly. It's not easy to simply "share" that, given it's highly specific to this server (and Wiimmfi is not at all based on the open source dwc emulator that altwfc and other clones are).

      Maybe next time you should just ask nicely instead of spinning conspiracy theories.
      What are the chances that the old Wiimmfi DNS address (46.4.79.141) could be obtained by an attacker to brick anyone who attempts to use it?

      I'm concerned that if someone sees a tutorial that is not updated, they could connect to the malicious DNS and get their console bricked if that IP no longer controlled to Wiimmfi, and is obtained by a malicious 3rd party.
      @Varon I believe that MrBean has already said almost everything there is to say about this topic, but just a quick addition: You did notice that a couple posts above yours a patch was posted for the RCE vulnerability? That fix is not identical to the one on Wiimmfi, but it'll have the same effect.

      @Gamebuster Yes, theoretically if an attacker were able to obtain that IP address, he'd be able to host malicious stuff on that server, which could then run malicious code on consoles when the License Agreement is opened. However, there is no way to ask the hoster for that specific IP address, so the only people who would be able to abuse that would be the one random person who currently rents the server with that particular IP; or maybe employees of Hetzner (the company which operates the data centers where Wiimmfi is hosted).

      @Zak Yes, using the Wiimmfi option in an USB Loader is safe, same as any other Wiimmfi patchers.

      DevkitPro Archiv (alte Versionen / old versions): wii.leseratte10.de/devkitPro/
      Want to donate for Wiimmfi and Wii-Homebrew.com? Patreon / PayPal

      Dieser Beitrag wurde bereits 0 mal editiert, zuletzt von Leseratte ()