Debian Bug report logs - #792420
zsnes: emulator escape vulnerability

Package: zsnes; Maintainer for zsnes is Debian Games Team <pkg-games-devel@lists.alioth.debian.org>; Source for zsnes is src:zsnes (PTS, buildd, popcon).

Reported by: Paul Wise <pabs@debian.org>

Date: Tue, 14 Jul 2015 16:18:02 UTC

Severity: important

Tags: security





Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, sergio_br2@yahoo.com.br, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#792420; Package zsnes. (Tue, 14 Jul 2015 16:18:06 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, sergio_br2@yahoo.com.br, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Tue, 14 Jul 2015 16:18:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Paul Wise <pabs@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zsnes: emulator escape vulnerability
Date: Wed, 15 Jul 2015 00:14:09 +0800
[Message part 1 (text/plain, inline)]
Package: zsnes
Severity: important
Tags: security
X-Debbugs-CC: security@debian.org, sergio_br2@yahoo.com.br

According to this Youtube video and forum post, there are at least 3
vulnerabilities in zsnes that allow ROMs to escape the zsnes emulator
and execute arbitrary code on the host running zsnes. The known issues
will be fixed in 1.52 but there may be more issues. This may or may not
be related to the cppcheck warnings from bug #610313.

https://www.youtube.com/watch?v=Q3SOYneC7mU
http://www.smwcentral.net/?p=viewthread&t=79058
https://bugs.debian.org/610313

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#792420; Package zsnes. (Tue, 14 Jul 2015 17:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to Etienne Millon <me@emillon.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Tue, 14 Jul 2015 17:00:03 GMT) (full text, mbox, link).


Message #10 received at 792420@bugs.debian.org (full text, mbox, reply):

From: Etienne Millon <me@emillon.org>
To: Paul Wise <pabs@debian.org>, 792420@bugs.debian.org
Subject: Re: Bug#792420: zsnes: emulator escape vulnerability
Date: Tue, 14 Jul 2015 18:57:02 +0200
[Message part 1 (text/plain, inline)]
* Paul Wise <pabs@debian.org> [150714 18:20]:
> According to this Youtube video and forum post, there are at least 3
> vulnerabilities in zsnes that allow ROMs to escape the zsnes
> emulator and execute arbitrary code on the host running zsnes. The
> known issues will be fixed in 1.52 but there may be more issues.
> This may or may not be related to the cppcheck warnings from bug
> #610313.

Thanks for the report.

While neither the exploit code nor a fix is out, I believe that the
best course of action is indeed to write a patch for #610313.

It may also be possible that due to hardening patches, this bug is not
exploitable in Debian.

-- 
Etienne Millon
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#792420; Package zsnes. (Tue, 14 Jul 2015 19:06:10 GMT) (full text, mbox, link).


Acknowledgement sent to Alfred Agrell <alfred@agrell.info>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Tue, 14 Jul 2015 19:06:10 GMT) (full text, mbox, link).


Message #15 received at 792420@bugs.debian.org (full text, mbox, reply):

From: Alfred Agrell <alfred@agrell.info>
To: 792420@bugs.debian.org, 792420-subscribe@bugs.debian.org
Subject: Re: Bug#792420: zsnes: emulator escape vulnerability
Date: Tue, 14 Jul 2015 21:03:04 +0200
On Tue, 14 Jul 2015 18:57:02 +0200 Etienne Millon <me@emillon.org> wrote:
> * Paul Wise <pabs@debian.org> [150714 18:20]:
> > According to this Youtube video and forum post, there are at least 3
> > vulnerabilities in zsnes that allow ROMs to escape the zsnes
> > emulator and execute arbitrary code on the host running zsnes. The
> > known issues will be fixed in 1.52 but there may be more issues.
> > This may or may not be related to the cppcheck warnings from bug
> > #610313.
>
> Thanks for the report.
>
> While neither the exploit code nor a fix is out, I believe that the
> best course of action is indeed to write a patch for #610313.
>
> It may also be possible that due to hardening patches, this bug is not
> exploitable in Debian.
>
> --
> Etienne Millon

I am the one who created that PoC, so I know all relevant facts about 
these vulns.

#610313 is irrelevant, these vulns are all in assembly. Whatever 
hardening you're thinking of is also insufficient, there isn't even any 
ASLR in this program.


The three aforementioned vulns (along with something in the C code, not 
sure if it's exploitable) are patched upstream:

http://svn.zsnes.com/comp.php?repname=zsnes&path=%2F&compare[]=%2F@5307&compare[]=%2F@5308
http://svn.zsnes.com/comp.php?repname=zsnes&path=%2F&compare[]=%2F@5310&compare[]=%2F@5311


There is also a fourth vuln that they didn't patch yet:

http://svn.zsnes.com/filedetails.php?repname=zsnes&path=%2Ftrunk%2Fsrc%2Fcpu%2Fspc700.asm&rev=4492&sc=1

Op4E should use SPCRAM, not [spcRamDP]. This leads to an exploitable 
buffer overflow.


Vuln 5: A crafted savestate can set wramrwadr to something impossible, 
leading to yet another exploitable overflow.


And yes, it is very likely that more exploits exist. ZSNES is an 
enormous pile of decades-old code, written more for performance than 
security and correctness. I'm surprised they've remained hidden for so long.
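Added example (not part of this bug log and not ZSNES code): the two bug shapes described in the message above, an absolute-addressed SPC700 opcode whose target is computed from the direct-page pointer ([spcRamDP]) instead of the start of SPC RAM, and a savestate loader that trusts a stored wramrwadr, reduced to C with the vulnerable and corrected address computation side by side. The 64 KiB SPC RAM and 128 KiB WRAM sizes are the real hardware values; the TCLR1-like opcode semantics, the 8-byte savestate header and the two sample states are assumptions constructed for this demo, not the ZSNES format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real hardware sizes: SPC700 address space and SNES work RAM. */
#define SPC_RAM_SIZE 0x10000u   /* 64 KiB                         */
#define WRAM_SIZE    0x20000u   /* 128 KiB, addressed with 17 bits */

static uint8_t spcram[SPC_RAM_SIZE];
static uint8_t wram[WRAM_SIZE];

/* ---- Pattern 1: absolute operand applied to the direct-page base ----
 * The direct-page base is spcram + 0 or spcram + 0x100 depending on the
 * SPC700 P flag (what [spcRamDP] caches). An absolute 16-bit operand is
 * relative to the start of SPC RAM; adding it to the direct-page base
 * instead lets a ROM with P set and an operand in 0xFF00..0xFFFF reach
 * up to 256 bytes past the end of the buffer. Both variants return a
 * byte offset, not a pointer, so the bad result can be inspected without
 * dereferencing it. */
static size_t abs_offset_vuln(bool p_flag, uint16_t operand)
{
    size_t dp_base = p_flag ? 0x100u : 0u;      /* [spcRamDP] - spcram */
    return dp_base + operand;                   /* [spcRamDP] + operand */
}

static size_t abs_offset_fixed(bool p_flag, uint16_t operand)
{
    (void)p_flag;                               /* SPCRAM + operand */
    return operand;                 /* uint16_t is always < SPC_RAM_SIZE */
}

static bool spc_offset_in_bounds(size_t off) { return off < SPC_RAM_SIZE; }

/* TCLR1-style read-modify-write (assumed semantics: clear the bits of A
 * in the addressed byte). Only the fixed computation is wired to a real
 * store; the vulnerable one would be an out-of-bounds write. */
static int spc_tclr1_fixed(bool p_flag, uint16_t operand, uint8_t a)
{
    size_t off = abs_offset_fixed(p_flag, operand);
    if (!spc_offset_in_bounds(off)) return -1;  /* cannot trigger, kept for shape */
    spcram[off] &= (uint8_t)~a;
    return 0;
}

/* ---- Pattern 2: an address field read back from a savestate ----
 * wramrwadr is the auto-incrementing WRAM pointer behind the $2180 data
 * port; any value >= WRAM_SIZE is impossible on hardware. The 8-byte
 * header here is constructed for this demo and is not the ZSNES format. */
struct state_hdr {
    uint32_t magic;
    uint32_t wramrwadr;
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable loader: trusts the stored pointer verbatim. */
static int load_hdr_vuln(const uint8_t *buf, size_t len, struct state_hdr *h)
{
    if (len < 8) return -1;
    h->magic = rd32le(buf);
    h->wramrwadr = rd32le(buf + 4);
    return 0;
}

/* Fixed loader: rejects any pointer the hardware could not hold. */
static int load_hdr_fixed(const uint8_t *buf, size_t len, struct state_hdr *h)
{
    if (load_hdr_vuln(buf, len, h) != 0) return -1;
    if (h->wramrwadr >= WRAM_SIZE) return -2;  /* "impossible" value */
    return 0;
}

/* $2180 write: the store a bad wramrwadr would turn into an overflow.
 * Returns the offset written, or SIZE_MAX if the pointer is out of range. */
static size_t wram_port_write(struct state_hdr *h, uint8_t v)
{
    if (h->wramrwadr >= WRAM_SIZE) return SIZE_MAX;
    size_t off = h->wramrwadr;
    wram[off] = v;
    h->wramrwadr = (h->wramrwadr + 1) & (WRAM_SIZE - 1);   /* 17-bit wrap */
    return off;
}

/* Constructed inputs: a sane state (wramrwadr = 0x1FFFF) and a crafted
 * one (wramrwadr = 0x00FFFFF0), both little-endian. */
static const uint8_t sane_state[8]    = { 'Z','S','T','!', 0xFF,0xFF,0x01,0x00 };
static const uint8_t crafted_state[8] = { 'Z','S','T','!', 0xF0,0xFF,0xFF,0x00 };

int main(void)
{
    struct state_hdr h;
    printf("abs 0xFFFF with P=1: vuln offset 0x%zx (in bounds: %d), fixed 0x%zx\n",
           abs_offset_vuln(true, 0xFFFF),
           (int)spc_offset_in_bounds(abs_offset_vuln(true, 0xFFFF)),
           abs_offset_fixed(true, 0xFFFF));
    printf("crafted state: vuln loader %d, fixed loader %d\n",
           load_hdr_vuln(crafted_state, sizeof crafted_state, &h),
           load_hdr_fixed(crafted_state, sizeof crafted_state, &h));
    return 0;
}
```

Compile with cc -std=c11 -Wall and run. With P set and an operand of 0xFFFF the vulnerable computation lands at offset 0x100FF, 256 bytes past the end of SPC RAM, and the operand chooses exactly which byte past the buffer is hit, which is what makes this shape exploitable rather than merely a crash. The corrected computation never leaves the buffer and needs no runtime check at all; the savestate field, by contrast, has to be validated on load because the file can hold any value, however the emulator itself would have written it.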



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#792420; Package zsnes. (Wed, 15 Jul 2015 03:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Wed, 15 Jul 2015 03:21:04 GMT) (full text, mbox, link).


Message #20 received at 792420@bugs.debian.org (full text, mbox, reply):

From: Paul Wise <pabs@debian.org>
To: Etienne Millon <me@emillon.org>, 792420@bugs.debian.org, sergio_br2 <sergio_br2@yahoo.com.br>
Subject: Re: Bug#792420: zsnes: emulator escape vulnerability
Date: Wed, 15 Jul 2015 11:16:57 +0800
[Message part 1 (text/plain, inline)]
On Tue, 2015-07-14 at 18:57 +0200, Etienne Millon wrote:

> While neither the exploit code nor a fix is out, I believe that the
> best course of action is indeed to write a patch for #610313.

Sergio confirmed with the author that the issues are not in the C code
but in the assembly, from the #debian-games IRC channel:

<sergio-br2> <Alcaro> not cppcheck, that's for sure, these are all in assembly.

> It may also be possible that due to hardening patches, this bug is not
> exploitable in Debian.

Seems unlikely given the above.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

[signature.asc (application/pgp-signature, inline)]



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 5 00:10:58 2018; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.