Sunday, 18 December 2016

Researcher Found Zero-Day in Linux That Impacts Ubuntu and Fedora



Researcher Reveals 0-Day Linux Exploit Leveraging SNES

Security researcher Chris Evans this week made public a full 0-day drive-by download exploit impacting Ubuntu and Fedora and possibly other current Linux distributions as well.

The full 0-day drive-by exploit was tested to work on Fedora 25 + Google Chrome and Ubuntu 16.04 LTS and relies on breaking out of Super Nintendo Entertainment System (SNES) emulation via subtle cascading side effects from an emulation error.

The issue, Evans says, lies within the Sony SPC700 emulated processor and abuses cascading subtle side effects of an emulation misstep. This is possible because the Linux GStreamer media playback framework offers support for the playback of SNES music files by emulating the SNES CPU and audio processor.

The library that makes all this possible is Game_Music_Emu, which works in C and C++ and is very easy to use.

The core emulation logic of the faulty Sony SPC700 processor contains at least two vulnerabilities: a missing X register value clamp for the MOV (X)+,An instruction; and a missing SP register value clamp for the RET1 instruction. By cascading the first vulnerability, the Evans managed to achieve reliable exploitation, with all of the technical details published on his blog.

For the exploit to work and the drive-by to be successful, the user has to visit a malicious webpage, where audio files encoded in the SPC music format but saved with the .flac and .mp3 extensions are located.

The files can be used to load and run the attacker’s code with the same privileges as those of the current user. Depending on the privileges the user has, the exploit could result in the theft of personal data, including photos, videos, or documents, as well as data stored in the browser.

To offer a glimpse of the exploit, the security researcher also published two videos, showing the vulnerability being leveraged in both Fedora 25 and Ubuntu 16.04 LTS. Evans also made available the files needed to test the exploit and decided to offer a glimpse at different exploitation contexts in the second clip, although the same exploit file is used for all of them.

“The strong reliability of this exploit makes it work inside Fedora’s tracker-extract process, which has highly variable heap state,” the researcher says.

No comments:

Post a Comment