Exploiting SNES code to compromise GStreamer...

menace690

https://scarybeastsecurity.blogspot.com.au/2016/12/redux-compromising-linux-using-snes.html

Squirrel

A case of ask and you shall receive, I guess.

From what I gather here, the author is exploiting bugs in the SPC700 emulation to figure out where in memory he can place system calls in order to get them run. It's not full-on arbitrary code exploitation nor breaking any system security, but it's still scary this is possible.

Thanks for finding and posting this, menace690!

menace690

It is and isn't. Its designed as proof of concept. As such it just breaks out of the browser and launches gcalc. It COULD get more malicious by instead of simply calling gcalc, it could launch any other exploit that runs on the local system.

_Em

The other scary bit here is that this is a bug in the generic SPC700 emulation, and isn't specific to any product, such as gstreamer. However, the security analyst who wrote this just used it as a proof of concept to show that even with the OS nailed down and all the security checks in place, attacks are still easy. There's a LOT of third party library code out there that hasn't been security hardened. Easy to fuzz for, not so easy to fix.

A good thing for us to remember when using other people's emulation libraries to get a job done.

seanstar

This... is some kinds of glorious. I can easily see how the opcodes in question may not have received any further polish after they tested-working for all release games. More worried about security holes in the OS that would allow one process to blindly launch other malicious processes...

seanstar

In similar news, https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html

Squirrel

More bad gstreamer plugins, yay!

I can't figure out where gstreamer got their NSF playback code from. Did they write up their own?

Regarding the previous SPC700 vulnerability, they got their SPC playback code from Game Music Emu, but gstreamer isn't using this project's NSF code.

menace690

Its from http://nosefart.sourceforge.net/

Squirrel

menace690 wrote:
Its from http://nosefart.sourceforge.net/

Thanks! I just tried the Nosefart Winamp plugin with the malicious NSF file and it crashes.
Meanwhile the Mac programs Audio Overload and Game Music Box refuse to play the malicious file.

menace690

Umm its getting a bit crazy now

https://www.wired.com/story/malware-dna-hack

_Em

They also encoded a movie and a car. It's not executable in DNA format though, so not really an issue ;)