On Tue, 14 Jul 2015 18:57:02 +0200 Etienne Millon <m...@emillon.org> wrote:
> * Paul Wise <p...@debian.org> [150714 18:20]:
> > According to this Youtube video and forum post, there are at least 3
> > vulnerabilities in zsnes that allow ROMs to escape the zsnes
> > emulator and execute arbitrary code on the host running zsnes. The
> > known issues will be fixed in 1.52 but there may be more issues.
> > This may or may not be related to the cppcheck warnings from bug
> > #610313.
>
> Thanks for the report.
>
> While neither the exploit code nor a fix is out, I believe that the
> best course of action is indeed to write a patch for #610313.
>
> It may also be possible that due to hardening patches, this bug is not
> exploitable in Debian.
>
> --
> Etienne Millon

I am the one who created that PoC, so I know all relevant facts about these vulns.

#610313 is irrelevant; these vulns are all in assembly. Whatever hardening you're thinking of is also insufficient; there isn't even any ASLR in this program.


The three aforementioned vulns (along with something in the C code, not sure if it's exploitable) are patched upstream:

http://svn.zsnes.com/comp.php?repname=zsnes&path=%2F&compare[]=%2F@5307&compare[]=%2F@5308
http://svn.zsnes.com/comp.php?repname=zsnes&path=%2F&compare[]=%2F@5310&compare[]=%2F@5311


There is also a fourth vuln that they didn't patch yet:

http://svn.zsnes.com/filedetails.php?repname=zsnes&path=%2Ftrunk%2Fsrc%2Fcpu%2Fspc700.asm&rev=4492&sc=1

Op4E should use SPCRAM, not [spcRamDP]. This leads to an exploitable buffer overflow.


Vuln 5: A crafted savestate can set wramrwadr to something impossible, leading to yet another exploitable overflow.


And yes, it is very likely that more exploits exist. ZSNES is an enormous pile of decades-old code, written more for performance than security and correctness. I'm surprised they've remained hidden for so long.

