Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

0-Day Exploits Could Wreak Havoc on Linux Desktops

Researcher Reveals 0-Day Linux Exploit Leveraging SNES

Researcher Reveals 0-Day Linux Exploit Leveraging SNES

Security researcher Chris Evans this week made public a full 0-day drive-by download exploit impacting Ubuntu and Fedora and possibly other current Linux distributions as well.

The full 0-day drive-by exploit was tested to work against Fedora 25 + Google Chrome and Ubuntu 16.04 LTS, and relies on breaking out of Super Nintendo Entertainment System (SNES) emulation via subtle cascading side effects from an emulation error.

The issue, Evans says, lies within the Sony SPC700 emulated processor and abuses cascading subtle side effects of an emulation misstep. This is possible because the Linux GStreamer media playback framework offers support for the playback of SNES music files by emulating the SNES CPU and audio processor.

The library that makes all this possible is Game_Music_Emu, which works in C and C++ and is very easy to use. 

The core emulation logic of the faulty Sony SPC700 processor contains at least two vulnerabilities: a missing X register value clamp for the MOV (X)+,A instruction; and a missing SP register value clamp for the RET1 instruction. By cascading the first vulnerability, the Evans managed to achieve reliable exploitation, with all of the technical details published on his blog.

For the exploit to work and the drive-by to be successful, the user has to visit a malicious webpage, where audio files encoded in the SPC music format but saved with the .flac and .mp3 extensions are located.

The files can be used to load and run the attacker’s code with the same privileges as those of the current user. Depending on the privileges the user has, the exploit could result in the theft of personal data, including photos, videos, or documents, as well as data stored in the browser.

To offer a glimpse of the exploit, the security researcher also published two videos, showing the vulnerability being leveraged in both Fedora 25 and Ubuntu 16.04 LTS. Evans also made available the files needed to test the exploit and decided to offer a glimpse at different exploitation contexts in the second clip, although the same exploit file is used for all of them.

“The strong reliability of this exploit makes it work inside Fedora’s tracker-extract process, which has highly variable heap state,” the researcher says.

The impact on Linux distributions is mixed, with Ubuntu being impacted the most, as the faulty code is installed and present on the attack surface by default, though the user needs to select the ‘mp3’ option during install. On Fedora, the attack surface is limited, because gstreamer1-plugins-bad is split into multiple packages, and only gstreamer1-plugins-bad-free is installed by default.

However, the general lack of sandboxing contributes to the severity of the issue. “I think we inhabit a world where media parsing sandboxes should be mandatory these days. There’s hope: some of my other recent disclosures appear to have motivated a sandbox for Gnome’s tracker,” the researcher explains.

A few weeks ago, Evans detailed another Linux exploit leveraging Nintendo Entertainment System, one that leveraged a vulnerability and a separate logic error in the gstreamer 0.10.x player. The two issues would result in the bypass of 64-bit ASLR, DEP, but the exploit would work only on very old Linux distributions.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.