Researcher Reveals 0-Day Linux Exploit Leveraging SNES
Security researcher Chris Evans this week made public a full 0-day drive-by download exploit impacting Ubuntu and Fedora and possibly other current Linux distributions as well.
The full 0-day drive-by exploit was tested to work on Fedora 25 + Google Chrome and Ubuntu 16.04 LTS and relies on breaking out of Super Nintendo Entertainment System (SNES) emulation via subtle cascading side effects from an emulation error.
The issue, Evans says, lies within the emulated Sony SPC700 processor and abuses the cascading, subtle side effects of an emulation misstep. This is reachable because the Linux GStreamer media playback framework supports playback of SNES music files by emulating the SNES CPU and audio processor.
The library that makes this possible is Game_Music_Emu, a C/C++ library that is easy to integrate, which is part of why it is so widely used.
The core emulation logic of the faulty Sony SPC700 processor contains at least two vulnerabilities: a missing X register value clamp for the MOV (X)+,A instruction, and a missing SP register value clamp for the RET1 instruction. By cascading the effects of the first vulnerability, Evans achieved reliable exploitation; all of the technical details are published on his blog.
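To make the "missing register clamp" bug class concrete, here is an added, constructed toy model (not Game_Music_Emu's code and not Evans' exploit): an emulated 8-bit index register held in a wider C int, with the unclamped store instruction beside its hardened form and a counter that shows the store address escaping emulated RAM. The instruction name, the 64 KiB RAM size and the direct-page addressing are modelling assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of the bug class, not Game_Music_Emu's code. */
#define RAM_SIZE 0x10000   /* assumed 64 KiB of emulated SPC700 RAM */
typedef struct {
    uint8_t ram[RAM_SIZE];
    int a;   /* accumulator */
    int x;   /* architecturally 8-bit, but held in a wider C int */
} cpu_t;

/* Unclamped model of MOV (X)+,A: store A at the address in X, then
 * increment X without wrapping to 8 bits. The store leaves the direct
 * page after 256 steps and would leave ram[] after 65536; this model
 * refuses such a store (returns 0) instead of corrupting memory. */
static int mov_xinc_a_unclamped(cpu_t *cpu) {
    int addr = cpu->x;
    if (addr < 0 || addr >= RAM_SIZE) return 0;
    cpu->ram[addr] = (uint8_t)cpu->a;
    cpu->x = cpu->x + 1;            /* defect: missing & 0xFF */
    return 1;
}

/* Hardened model: X is masked to its 8-bit width after every update,
 * so the store address can never leave the 256-byte direct page. */
static int mov_xinc_a_clamped(cpu_t *cpu) {
    int addr = cpu->x & 0xFF;
    cpu->ram[addr] = (uint8_t)cpu->a;
    cpu->x = (cpu->x + 1) & 0xFF;
    return 1;
}

/* Run the instruction `steps` times on a fresh CPU and return how many
 * stores stayed inside ram[]; fewer than `steps` means X escaped. */
static int count_in_bounds(int (*op)(cpu_t *), int steps) {
    static cpu_t cpu;               /* static: keeps 64 KiB off the stack */
    memset(&cpu, 0, sizeof cpu);
    cpu.a = 0x41;
    int ok = 0;
    for (int i = 0; i < steps; i++) ok += op(&cpu);
    return ok;
}

int main(void) {
    int steps = RAM_SIZE + 16;
    printf("unclamped: %d/%d stores in bounds\n", count_in_bounds(mov_xinc_a_unclamped, steps), steps);
    printf("clamped:   %d/%d stores in bounds\n", count_in_bounds(mov_xinc_a_clamped, steps), steps);
    return 0;
}
```

In a real emulator the refused store would instead land in whatever heap memory follows the RAM buffer, which is the condition the article's "cascading side effects" build on.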
For the exploit to work and the drive-by to succeed, the user has to visit a malicious webpage hosting audio files that are encoded in the SPC music format but saved with .flac and .mp3 extensions.
The files can be used to load and run the attacker’s code with the same privileges as those of the current user. Depending on the privileges the user has, the exploit could result in the theft of personal data, including photos, videos, or documents, as well as data stored in the browser.
To offer a glimpse of the exploit, the security researcher also published two videos, showing the vulnerability being leveraged in both Fedora 25 and Ubuntu 16.04 LTS. Evans also made available the files needed to test the exploit and decided to offer a glimpse at different exploitation contexts in the second clip, although the same exploit file is used for all of them.
“The strong reliability of this exploit makes it work inside Fedora’s tracker-extract process, which has highly variable heap state,” the researcher says.
The impact on Linux distributions is mixed. Ubuntu is affected the most, as the faulty code is installed and present on the attack surface by default, though the user needs to select the ‘mp3’ option during install. On Fedora, the attack surface is smaller, because gstreamer1-plugins-bad is split into multiple packages and only gstreamer1-plugins-bad-free is installed by default.
However, the general lack of sandboxing contributes to the severity of the issue. “I think we inhabit the world where media parsing sandboxes should be mandatory these days. There’s hope: some of my other recent disclosures appear to have motivated a sandbox for Gnome’s tracker,” the researcher explains.
A few weeks ago, Evans detailed another Linux exploit, this one leveraging Nintendo Entertainment System (NES) emulation: it combined a vulnerability with a separate logic error in the gstreamer 0.10.x player. The two issues allowed 64-bit ASLR and DEP to be bypassed, but the exploit would work only on very old Linux distributions.