Hacking a Linux PC through blargg's SPC700 core

Discussion of hardware and software development for Super NES and Super Famicom. See the SNESdev wiki for more information.

tepples
Posts: 22708
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)

Hacking a Linux PC through blargg's SPC700 core

Post by tepples »

Some instructions in Game_Music_Emu's SPC700 core are so broken with respect to clamping of X and Y values that an SPC file can pwn the user account.

Source: "Redux: compromising Linux using... SNES Ricoh 5A22 [sic] processor opcodes?!" by Chris Evans, via a tweet by Hector Martin

tl;dr: CPU registers in the SPC core are 32-bit for speed, and instruction $AF (MOV (X)+,A) doesn't clamp the values it writes to register X. Nor does the aaaa,X addressing mode wrap within $0000-$FFFF; it continues on to $10000-$100FE. These vulnerabilities and some clever coding involving MUL and DIV instructions allow building up huge and/or negative values in the X and Y registers to read the virtual method table, corrupt other parts of the emulator state to find free(), find system(), and build a new virtual method table in A-RAM through which the SPC700 code can call anything.
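The two clamping defects tepples summarises, reduced to a vulnerable-beside-hardened sketch added here (this is not code from Game_Music_Emu or from the article): the register file is a hypothetical struct that keeps registers in 32-bit ints as the post describes, direct page 0 is assumed for MOV (X)+,A, and the unmasked variants carry a bounds guard only so the demonstration itself stays well-defined.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define ARAM_SIZE 0x10000  /* 64 KiB of emulated audio RAM */

/* Hypothetical SPC700 state: registers are 32-bit for speed, so masking is
   the only thing keeping X inside the 8 bits real hardware has. */
typedef struct {
    int32_t a, x, y;
    uint8_t ram[ARAM_SIZE];
} SpcState;

/* Effective address of the aaaa,X mode without the 16-bit wrap (the bug):
   with aaaa=$FFFF and X=$FF this reaches $100FE, past the end of A-RAM. */
static uint32_t ea_abs_x_unmasked(uint16_t aaaa, int32_t x) {
    return (uint32_t)aaaa + (uint32_t)x;
}

/* Hardened form: X is an 8-bit index and the sum wraps within $0000-$FFFF. */
static uint16_t ea_abs_x_masked(uint16_t aaaa, int32_t x) {
    return (uint16_t)((aaaa + (x & 0xFF)) & 0xFFFF);
}

/* MOV (X)+,A ($AF), buggy form: store A at direct-page address X, then
   increment X with no reduction modulo 256, so X walks out of the page. */
static void mov_xinc_a_unmasked(SpcState *s) {
    uint32_t addr = (uint32_t)s->x;
    if (addr < ARAM_SIZE)  /* guard added only so this demo stays defined */
        s->ram[addr] = (uint8_t)s->a;
    s->x = s->x + 1;
}

/* Hardened form: X wraps $FF -> $00 exactly as the hardware register does. */
static void mov_xinc_a_masked(SpcState *s) {
    s->ram[s->x & 0xFF] = (uint8_t)s->a;
    s->x = (s->x + 1) & 0xFF;
}

/* Execute MOV (X)+,A n times starting from X=$FF and return the final X. */
static int32_t run_mov_xinc(int n, bool masked) {
    SpcState s;
    memset(&s, 0, sizeof s);
    s.x = 0xFF;
    s.a = 0x42;  /* constructed sample value */
    for (int i = 0; i < n; i++)
        masked ? mov_xinc_a_masked(&s) : mov_xinc_a_unmasked(&s);
    return s.x;
}

/* True when the unwrapped aaaa,X address would index past A-RAM. */
static bool abs_x_out_of_bounds(uint16_t aaaa, int32_t x) {
    return ea_abs_x_unmasked(aaaa, x) >= ARAM_SIZE;
}
```

A single unmasked increment from $FF already leaves X at $100, which is the foothold the post refers to; the masked variants are the one-line fix a core author would apply.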
dougeff
Posts: 3079
Joined: Fri May 08, 2015 7:17 pm

Re: Hacking a Linux PC through blargg's SPC700 core

Post by dougeff »

I remember a similar discussion a year ago, about vulnerability with another SNES emulator... being able to embed malware in an SNES ROM. I couldn't find the exact link I was thinking of, but here's a reddit discussion, apparently started by byuu...

https://m.reddit.com/r/emulation/commen ... erability/
nesdoug.com -- blog/tutorial on programming for the NES
Revenant
Posts: 462
Joined: Sat Apr 25, 2015 1:47 pm
Location: FL

Re: Hacking a Linux PC through blargg's SPC700 core

Post by Revenant »

I wonder if there should be a database of emulation exploits somewhere. This one makes three that I can think of from this year alone.

It looks like the author already screened my comment (and another person's) about the entire article constantly naming the wrong processor (and describing it incorrectly as a result, despite multiple Wikipedia links), but hasn't actually amended the article. Bah :(
koitsu
Posts: 4201
Joined: Sun Sep 19, 2004 9:28 pm
Location: A world gone mad

Re: Hacking a Linux PC through blargg's SPC700 core

Post by koitsu »

Revenant wrote:I wonder if there should be a database of emulation exploits somewhere. This one makes three that I can think of from this year alone.
File a CVE with the National Vulnerability Database -- because that's exactly what it's for! :-) It doesn't matter if it's for emulators or anything else; vulnerabilities are vulnerabilities (here's an example for SNES9x). You're also encouraged to send Email to the bugtraq seclists.org mailing list with details if applicable.
Revenant
Posts: 462
Joined: Sat Apr 25, 2015 1:47 pm
Location: FL

Re: Hacking a Linux PC through blargg's SPC700 core

Post by Revenant »

Of course CVEs and mailing lists exist, but I'd be interested in having smaller lists dedicated to emulation and other similarly niche(-ish) stuff.
KungFuFurby
Posts: 275
Joined: Wed Jul 09, 2008 8:46 pm

Re: Hacking a Linux PC through blargg's SPC700 core

Post by KungFuFurby »

I happen to know of an entire .spc set that could potentially trigger this problem on the fly, since I discovered that two SPC players on my end (Game Music Box and Audio Overload on versions newer than... I don't remember, but it was around 2.0?, and on Audio Overload, the sound would corrupt, while on Game Music Box, the SPC would simply stop playing instantaneously) have that very vulnerability (although, as it was discovered, it turned out to be with stack pointer wraparound): Shin Togenkyo (or as it is known on superfamicom.org, Shichuusui Meigaku Nyuumon Shin Tougenkyou).
koitsu
Posts: 4201
Joined: Sun Sep 19, 2004 9:28 pm
Location: A world gone mad

Re: Hacking a Linux PC through blargg's SPC700 core

Post by koitsu »

Revenant wrote:Of course CVEs and mailing lists exist, but I'd be interested in having smaller lists dedicated to emulation and other similarly niche(-ish) stuff.
Considering emulators (including for audio) are mainstream and provided via many packaging systems per OS (Linux, BSD, etc.), I really must advise against "niche security" of this sort. Wider audience (hence filing a CVE + bugtraq) = better, in this case anyway.
Revenant
Posts: 462
Joined: Sat Apr 25, 2015 1:47 pm
Location: FL

Re: Hacking a Linux PC through blargg's SPC700 core

Post by Revenant »

I really ought to write a newer WinAmp SPC plugin or something for the sake of sets like those (and other sets that just play back really badly with the Alpha-II plugin)...
koitsu wrote:Considering emulators (including for audio) are mainstream and provided via many packaging systems per OS (Linux, BSD, etc.), I really must advise against "niche security" of this sort. Wider audience (hence bugtraq) = better, in this case anyway.
I wasn't trying to suggest that they should be mutually exclusive.
koitsu
Posts: 4201
Joined: Sun Sep 19, 2004 9:28 pm
Location: A world gone mad

Re: Hacking a Linux PC through blargg's SPC700 core

Post by koitsu »

Also, as I asked a person on Twitter, I'd love to know why the author of that article/discovery didn't try to reach out to blargg. He's responsive and friendly. I've no problem with disclosures, but when things like that make no mention of trying to contact the author or maintainer, it never sits well with me.
tepples
Posts: 22708
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)

Re: Hacking a Linux PC through blargg's SPC700 core

Post by tepples »

koitsu wrote:I'd love to know why the author of that article/discovery didn't try to reach out to blargg. He's responsive and friendly.
Responsive through which channel? Because blargg hasn't been active here lately (4 posts in past 33 months).
koitsu
Posts: 4201
Joined: Sun Sep 19, 2004 9:28 pm
Location: A world gone mad

Re: Hacking a Linux PC through blargg's SPC700 core

Post by koitsu »

tepples wrote:Responsive through which channel? Because blargg hasn't been active here lately (4 posts in past 33 months).
He answers Email, like a normal human being. His Email address is in both the readme.txt and gme.txt that comes with GME.
Near
Founder of higan project
Posts: 1553
Joined: Mon Mar 27, 2006 5:23 pm

Re: Hacking a Linux PC through blargg's SPC700 core

Post by Near »

I should add that Snes9X v1.50 - v1.53 uses blargg's SMP core as well, so they will definitely be vulnerable to this same attack. If you use Snes9X, upgrade to v1.54 if you haven't already.
koitsu wrote:Considering emulators (including for audio) are mainstream and provided via many packaging systems per OS (Linux, BSD, etc.), I really must advise against "niche security" of this sort. Wider audience (hence filing a CVE + bugtraq) = better, in this case anyway.
Completely agree. Not only does it easily get bundled into default OS installs (via its inclusion into things like gstreamer), they're connecting these things into web browsers for god knows what reason.

So yes, this is a very serious issue.
qwertymodo
Posts: 775
Joined: Mon Jul 02, 2012 7:46 am

Re: Hacking a Linux PC through blargg's SPC700 core

Post by qwertymodo »

byuu wrote:If you use Snes9X, upgrade to v1.54 if you haven't already.
Just a minor detail: 1.54 had issues; 1.54.1 is what you'd want if you're upgrading. Or, if you want MSU-1 support, there are more recent git builds.