Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

0-Day Exploits Could Wreak Havoc on Linux Desktops

Researcher Reveals 0-Day Linux Exploit Leveraging SNES

Researcher Reveals 0-Day Linux Exploit Leveraging SNES

Security researcher Chris Evans this week made public a full 0-day drive-by download exploit impacting Ubuntu and Fedora and possibly other current Linux distributions as well.

The full 0-day drive-by exploit was tested to work against Fedora 25 + Google Chrome and Ubuntu 16.04 LTS, and relies on breaking out of Super Nintendo Entertainment System (SNES) emulation via subtle cascading side effects from an emulation error.

The issue, Evans says, lies within the Sony SPC700 emulated processor and abuses cascading subtle side effects of an emulation misstep. This is possible because the Linux GStreamer media playback framework offers support for the playback of SNES music files by emulating the SNES CPU and audio processor.

The library that makes all this possible is Game_Music_Emu, which works in C and C++ and is very easy to use. 

The core emulation logic of the faulty Sony SPC700 processor contains at least two vulnerabilities: a missing X register value clamp for the MOV (X)+,A instruction; and a missing SP register value clamp for the RET1 instruction. By cascading the first vulnerability, the Evans managed to achieve reliable exploitation, with all of the technical details published on his blog.

For the exploit to work and the drive-by to be successful, the user has to visit a malicious webpage, where audio files encoded in the SPC music format but saved with the .flac and .mp3 extensions are located.

The files can be used to load and run the attacker’s code with the same privileges as those of the current user. Depending on the privileges the user has, the exploit could result in the theft of personal data, including photos, videos, or documents, as well as data stored in the browser.

To offer a glimpse of the exploit, the security researcher also published two videos, showing the vulnerability being leveraged in both Fedora 25 and Ubuntu 16.04 LTS. Evans also made available the files needed to test the exploit and decided to offer a glimpse at different exploitation contexts in the second clip, although the same exploit file is used for all of them.

“The strong reliability of this exploit makes it work inside Fedora’s tracker-extract process, which has highly variable heap state,” the researcher says.

The impact on Linux distributions is mixed, with Ubuntu being impacted the most, as the faulty code is installed and present on the attack surface by default, though the user needs to select the ‘mp3’ option during install. On Fedora, the attack surface is limited, because gstreamer1-plugins-bad is split into multiple packages, and only gstreamer1-plugins-bad-free is installed by default.

However, the general lack of sandboxing contributes to the severity of the issue. “I think we inhabit a world where media parsing sandboxes should be mandatory these days. There’s hope: some of my other recent disclosures appear to have motivated a sandbox for Gnome’s tracker,” the researcher explains.

A few weeks ago, Evans detailed another Linux exploit leveraging Nintendo Entertainment System, one that leveraged a vulnerability and a separate logic error in the gstreamer 0.10.x player. The two issues would result in the bypass of 64-bit ASLR, DEP, but the exploit would work only on very old Linux distributions.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet