All times are UTC - 7 hours
PostPosted: Tue Dec 13, 2016 9:19 am 

Joined: Sun Sep 19, 2004 11:12 pm
Posts: 19335
Location: NE Indiana, USA (NTSC)
Some instructions in Game_Music_Emu's SPC700 core are so broken with respect to clamping of X and Y values that an SPC file can pwn the user account.

Source: "Redux: compromising Linux using... SNES Ricoh 5A22 [sic] processor opcodes?!" by Chris Evans, via a tweet by Hector Martin

tl;dr: CPU registers in the SPC core are 32-bit for speed, and instruction $AF (MOV (X)+,A) doesn't clamp the values it writes to register X. Nor does the aaaa,X addressing mode wrap within $0000-$FFFF; it continues on to $10000-$100FE. These vulnerabilities and some clever coding involving MUL and DIV instructions allow building up huge and/or negative values in the X and Y registers to read the virtual method table, corrupt other parts of the emulator state to find free(), find system(), and build a new virtual method table in A-RAM through which the SPC700 code can call anything.


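An added model (not code from Game_Music_Emu or from the article) of the two width defects the first post describes, each beside the masking that closes it: X held in a 32-bit host variable and never clamped to 8 bits after MOV (X)+,A, and an aaaa,X operand added without wrapping to 16 bits. The register struct, RAM image and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

#define ARAM_SIZE 0x10000u   /* the SPC700 addresses 64 KiB of A-RAM */

/* Register file held in 32-bit host integers, as the post says the core does. */
typedef struct { uint32_t a, x, y; } spc_regs;

/* Effective address of an aaaa,X operand.
 * Unchecked: a plain 32-bit add, so $FFFF,X with X=$FF reaches $100FE. */
static uint32_t ea_abs_x_unchecked(uint32_t aaaa, uint32_t x) { return aaaa + x; }

/* Hardened: wrap to the 16-bit address space the real chip has. */
static uint32_t ea_abs_x_masked(uint32_t aaaa, uint32_t x) { return (aaaa + x) & 0xFFFFu; }

static bool ea_in_aram(uint32_t ea) { return ea < ARAM_SIZE; }

/* MOV (X)+,A ($AF): RAM[X] = A, then X++.
 * Unchecked: X is never clamped to 8 bits after the increment; only the
 * bounds guard (added here so the model itself stays memory-safe) stops the
 * store from leaving the RAM buffer. */
static bool mov_xinc_a_unchecked(uint8_t *ram, spc_regs *r) {
    if (!ea_in_aram(r->x)) return false;
    ram[r->x] = (uint8_t)r->a;
    r->x += 1;
    return true;
}

/* Hardened: X is an 8-bit register, so mask on both use and write-back. */
static bool mov_xinc_a_masked(uint8_t *ram, spc_regs *r) {
    r->x &= 0xFFu;
    ram[r->x] = (uint8_t)r->a;
    r->x = (r->x + 1) & 0xFFu;
    return true;
}

/* Run MOV (X)+,A n times from X=x0 over a constructed RAM image; return final X.
 * From X=$FE, three steps leave X=$101 unchecked but X=$01 hardened. */
static uint32_t drive_x(bool hardened, uint32_t x0, int n) {
    static uint8_t ram[ARAM_SIZE];
    spc_regs r = { .a = 0x42, .x = x0, .y = 0 };
    for (int i = 0; i < n; i++) {
        bool ok = hardened ? mov_xinc_a_masked(ram, &r) : mov_xinc_a_unchecked(ram, &r);
        if (!ok) break;
    }
    return r.x;
}
```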
PostPosted: Tue Dec 13, 2016 12:17 pm 

Joined: Fri May 08, 2015 7:17 pm
Posts: 1866
Location: DIGDUG
I remember a similar discussion a year ago, about vulnerability with another SNES emulator... being able to embed malware in an SNES ROM. I couldn't find the exact link I was thinking of, but here's a reddit discussion, apparently started by byuu...

https://m.reddit.com/r/emulation/commen ... erability/

_________________
nesdoug.com -- blog/tutorial on programming for the NES


PostPosted: Tue Dec 13, 2016 12:59 pm 

Joined: Sat Apr 25, 2015 1:47 pm
Posts: 336
Location: FL
I wonder if there should be a database of emulation exploits somewhere. This one makes three that I can think of from this year alone.

It looks like the author already screened my comment (and another person's) about the entire article constantly naming the wrong processor (and describing it incorrectly as a result, despite multiple Wikipedia links), but hasn't actually amended the article. Bah :(


PostPosted: Tue Dec 13, 2016 1:05 pm 

Joined: Sun Sep 19, 2004 9:28 pm
Posts: 3192
Location: Mountain View, CA, USA
Revenant wrote:
I wonder if there should be a database of emulation exploits somewhere. This one makes three that I can think of from this year alone.

File a CVE with the National Vulnerability Database -- because that's exactly what it's for! :-) It doesn't matter if it's for emulators or anything else; vulnerabilities are vulnerabilities (here's an example for SNES9x). You're also encouraged to send Email to the bugtraq seclists.org mailing list with details if applicable.


PostPosted: Tue Dec 13, 2016 1:26 pm 

Joined: Sat Apr 25, 2015 1:47 pm
Posts: 336
Location: FL
Of course CVEs and mailing lists exist, but I'd be interested in having smaller lists dedicated to emulation and other similarly niche(-ish) stuff.


PostPosted: Tue Dec 13, 2016 3:13 pm 

Joined: Wed Jul 09, 2008 8:46 pm
Posts: 241
I happen to know of an entire .spc set that could potentially trigger this problem on the fly, since I discovered that two SPC players on my end (Game Music Box and Audio Overload on versions newer than... I don't remember, but it was around 2.0?, and on Audio Overload, the sound would corrupt, while on Game Music Box, the SPC would simply stop playing instantaneously) have that very vulnerability (although, as it was discovered, it turned out to be with stack pointer wraparound): Shin Togenkyo (or as it is known on superfamicom.org, Shichuusui Meigaku Nyuumon Shin Tougenkyou).


PostPosted: Tue Dec 13, 2016 3:30 pm 

Joined: Sun Sep 19, 2004 9:28 pm
Posts: 3192
Location: Mountain View, CA, USA
Revenant wrote:
Of course CVEs and mailing lists exist, but I'd be interested in having smaller lists dedicated to emulation and other similarly niche(-ish) stuff.

Considering emulators (including for audio) are mainstream and provided via many packaging systems per OS (Linux, BSD, etc.), I really must advise against "niche security" of this sort. Wider audience (hence filing a CVE + bugtraq) = better, in this case anyway.


PostPosted: Tue Dec 13, 2016 3:31 pm 

Joined: Sat Apr 25, 2015 1:47 pm
Posts: 336
Location: FL
I really ought to write a newer WinAmp SPC plugin or something for the sake of sets like those (and other sets that just play back really badly with the Alpha-II plugin)...

koitsu wrote:
Considering emulators (including for audio) are mainstream and provided via many packaging systems per OS (Linux, BSD, etc.), I really must advise against "niche security" of this sort. Wider audience (hence bugtraq) = better, in this case anyway.

I wasn't trying to suggest that they should be mutually exclusive.


PostPosted: Tue Dec 13, 2016 4:24 pm 

Joined: Sun Sep 19, 2004 9:28 pm
Posts: 3192
Location: Mountain View, CA, USA
Also, as I asked a person on Twitter, I'd love to know why the author of that article/discovery didn't try to reach out to blargg. He's responsive and friendly. I've no problem with disclosures, but when things like that make no mention of trying to contact the author or maintainer, it never sits well with me.


PostPosted: Tue Dec 13, 2016 5:44 pm 

Joined: Sun Sep 19, 2004 11:12 pm
Posts: 19335
Location: NE Indiana, USA (NTSC)
koitsu wrote:
I'd love to know why the author of that article/discovery didn't try to reach out to blargg. He's responsive and friendly.

Responsive through which channel? Because blargg hasn't been active here lately (4 posts in past 33 months).


PostPosted: Tue Dec 13, 2016 5:56 pm 

Joined: Sun Sep 19, 2004 9:28 pm
Posts: 3192
Location: Mountain View, CA, USA
tepples wrote:
Responsive through which channel? Because blargg hasn't been active here lately (4 posts in past 33 months).

He answers Email, like a normal human being. His Email address is in both the readme.txt and gme.txt that come with GME.


PostPosted: Tue Dec 13, 2016 7:22 pm 

Joined: Mon Mar 27, 2006 5:23 pm
Posts: 1339
I should add that Snes9X v1.50 - v1.53 uses blargg's SMP core as well, so they will definitely be vulnerable to this same attack. If you use Snes9X, upgrade to v1.54 if you haven't already.

koitsu wrote:
Considering emulators (including for audio) are mainstream and provided via many packaging systems per OS (Linux, BSD, etc.), I really must advise against "niche security" of this sort. Wider audience (hence filing a CVE + bugtraq) = better, in this case anyway.


Completely agree. Not only does it easily get bundled into default OS installs (via its inclusion into things like gstreamer), they're connecting these things into web browsers for god knows what reason.

So yes, this is a very serious issue.


PostPosted: Tue Dec 13, 2016 11:24 pm 

Joined: Mon Jul 02, 2012 7:46 am
Posts: 760
byuu wrote:
If you use Snes9X, upgrade to v1.54 if you haven't already.


Just a minor detail: 1.54 had issues, 1.54.1 is what you'd want if you're upgrading. Or, if you want MSU-1 support, there are more recent git builds.

