Security expert disclosed a full zero-day drive-by exploit for Linux leveraging SNES

Pierluigi Paganini December 18, 2016

The security expert Chris Evans has disclosed a zero-day exploit, successfully tested on the Ubuntu and Fedora distributions, that may also affect other distros.

The security expert Chris Evans has disclosed a zero-day exploit for the Ubuntu and Fedora distributions. The flaw enables a full drive-by download exploit that may also affect other Linux distributions.

The researcher successfully tested the full zero-day drive-by exploit against Fedora 25 + Google Chrome and Ubuntu 16.04 LTS; it relies on breaking out of Super Nintendo Entertainment System (SNES) emulation “via subtle cascading side effects from an emulation error.”

“full reliable 0day drive-by exploit against Fedora 25 + Google Chrome, by breaking out of Super Nintendo Entertainment System emulation via cascading side effects from a subtle and interesting emulation error,” explained Evans in a blog post.

The problem lies in the emulation of the Sony SPC700 audio processor: the exploit abuses the subtle, cascading side effects of a hole in that emulation.

The Linux GStreamer media playback framework supports playback of SNES music files by emulating the SNES CPU and audio processor, via the Game Music Emu library it includes.


The emulation of the Sony SPC700 processor is affected by at least two flaws: a missing clamp on the X register value for the MOV (X)+, A instruction, and a missing clamp on the SP register value for the RET1 instruction.

Evans chained the two issues in his attack and demonstrated that it is possible to compromise the target system by tricking the user into visiting a malicious web page that contains audio files encoded in the SPC music format but saved with the .flac and .mp3 extensions.
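To make the defect class behind the two flaws concrete, here is an added toy model of the two instructions with and without the 8-bit register clamp; it is constructed for this article and is not Game Music Emu's or Evans's code. The direct page (0x0000-0x00FF) and stack page (0x0100-0x01FF) follow the real SPC700 layout; the cpu_t struct, the checked accessor and the function names are assumptions made for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Toy SPC700-style core, constructed for illustration (not Game Music Emu's code):
 * 64 KiB of guest RAM, 8-bit A/X/SP. Direct page 0 is 0x0000-0x00FF and the
 * hardware stack lives in page 1 (0x0100-0x01FF). */
#define RAM_SIZE 0x10000u
typedef struct { uint8_t ram[RAM_SIZE]; unsigned a, x, sp; } cpu_t;

/* Every guest write goes through one checked accessor: it refuses (returns 0)
 * any address outside the page the instruction is allowed to touch, so the
 * unclamped variants below stay memory-safe while still exposing the bad
 * address they compute. */
static int checked_write(cpu_t *c, unsigned addr, unsigned lo, unsigned hi, uint8_t v) {
    if (addr < lo || addr > hi) return 0;
    c->ram[addr] = v;
    return 1;
}

/* MOV (X)+,A: store A at direct-page address X, then post-increment X.
 * Without the "& 0xFF", X walks past 0xFF and the next store address leaves the page. */
static unsigned mov_xinc_a(cpu_t *c, int clamp) {
    unsigned addr = clamp ? (c->x & 0xFF) : c->x;
    checked_write(c, addr, 0x0000, 0x00FF, (uint8_t)c->a);
    c->x = clamp ? ((c->x + 1) & 0xFF) : c->x + 1;  /* bug when clamp == 0 */
    return addr;
}

/* RET1 pops PSW, PCL and PCH; each pop pre-increments SP and reads 0x0100 + SP.
 * Without the clamp, SP passes 0xFF and the read lands beyond the stack page. */
static unsigned ret1_pop_addr(cpu_t *c, int clamp) {
    c->sp = clamp ? ((c->sp + 1) & 0xFF) : c->sp + 1;  /* bug when clamp == 0 */
    return 0x0100 + c->sp;
}

/* Drive n stores from X=0 and return the highest address the instruction targeted. */
static unsigned max_store_addr(int clamp, unsigned n) {
    cpu_t c; memset(&c, 0, sizeof c); c.a = 0x42;
    unsigned maxaddr = 0;
    for (unsigned i = 0; i < n; i++) { unsigned a = mov_xinc_a(&c, clamp); if (a > maxaddr) maxaddr = a; }
    return maxaddr;
}

/* Execute RET1's three pops starting from SP=0xFE and return the last stack address read. */
static unsigned stack_addr_after_ret1(int clamp) {
    cpu_t c; memset(&c, 0, sizeof c); c.sp = 0xFE;
    unsigned addr = 0;
    for (int i = 0; i < 3; i++) addr = ret1_pop_addr(&c, clamp);
    return addr;
}
```

With the clamp, 300 stores never leave 0x00-0xFF and the pops wrap back to 0x0100; without it, the store address reaches 0x12B and the final pop reads 0x0201, outside the stack page.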

The files act as the vector for the malicious code, which is loaded and executed on the victim's machine with the same privileges as the current user.

The full drive-by download exploit could allow the attacker to steal personal data, including photos, videos, or documents, as well as data stored in the browser.

Evans published PoC videos showing the exploit working on Fedora 25 and Ubuntu 16.04 LTS, alongside the files needed to test it.

Evans also detailed the impact of the hack on both Linux distributions he tested, highlighting that the general lack of sandboxing contributes to the severity of the issue.

“Impact is mixed. On Ubuntu, the faulty code is installed and on the attack surface by default, if you select the “mp3” option during install — which I certainly always do. On Fedora, there’s a very sensible decision to split gstreamer1-plugins-bad into multiple packages, with only gstreamer1-plugins-bad-free installed by default. This limits the attack surface and does not include Game Music Emu. Of course, the gstreamer framework will happily offer to install gstreamer1-plugins-bad-free-extras, with a very nice UI, if the victim simply tries to open the relevant media file.” added Evans.
“As always, the general lack of sandboxing here contributes to the severity. I think we inhabit a world where media parsing sandboxes should be mandatory these days. There’s hope: some of my other recent disclosures appear to have motivated a sandbox for Gnome’s tracker.”



(Security Affairs – full zero-day drive-by exploit, Linux hacking)
