------------------------------------------------------------------------
VICE Security Advisory                                        VSA-2004-1
------------------------------------------------------------------------

Summary:

           Severity: Low
              Title: VICE monitor memory dump format string vulnerability
               Date: June 14, 2004
            Version: 1
                 ID: VSA-2004-01
             Impact: Could allow arbitrary code execution
       Project site: http://www.viceteam.org/
  Affected Versions: VICE 1.6 up to 1.14 on all plattforms
           Revision: 1
          CVE Names: CAN-2004-0453

------------------------------------------------------------------------

What is VICE?

  VICE is a program that runs on a Unix, MS-DOS, Win32, OS/2, Acorn RISC
  OS or BeOS machine and executes programs intended for the old 8-bit
  Commodore computers. The current version emulates the C64, the C128,
  the VIC20, all the PET models (except the SuperPET 9000, which is out
  of line anyway), the PLUS4 and the CBM-II (aka C610).

  More information can be found on the VICE homepage:
  http://www.viceteam.org/


Affected VICE versions:

  At least VICE 1.6 up to VICE 1.14 on all plattforms are affected. The
  VICE team has not checked if older version are affected, too.


Description:

  There is a format string vulnerability in the handling of the monitor
  "memory dump" command. If the string to be output contains any % sign,
  it is interpreted as a command for the output, normally resulting in a
  crash. Even more sophisticated exploits, like arbitrary code execution
  on the host machine, are possible.


Impact:

  It is possible to crash the emulator or even execute arbitrary code on
  the host machine from the inside of the emulated machine. For this, an
  attacker needs to fill up parts of the memory with a specific value
  and wheedle the user to enter the monitor and type in a specific
  command.

  Without the user being wheedled to enter the monitor and type in that
  specific command, this vulnerability is not exploitable.


Proof-of-Concept:

  The VICE team will not publish exploit code.


Severity rating:

  This vulnerability can be used to execute arbitrary code on the host
  machine out of the emulated machine. Anyway, since it requires the
  user to enter the monitor and type a specific command, we find the
  risk low of exploiting this. It should be hard to wheedle the user to
  press exact this sequence.


Workaround:

  Don't use the VICE monitor.


Solution:

  Upgrade to a newer version of VICE as soon as it becomes available, or
  use the attached security patch at [2].


Updates:

  An online version of this document can be found at [3].


References:

  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0453
  [2] http://www.trikaliotis.net/vicekb/vice-1.14-mon-vuln.diff.gz
  [3] http://www.trikaliotis.net/vicekb/vsa-2004-1


Date line:

  June  8, 2004: The VICE team has been informed about this vulnerability
  June  8, 2004: The VICE team releases an internal patch the fix this
                 vulnerability
  June 10, 2004: First Linux distributors are being contacted.
  June 14, 2004: Publication of this flaw


------------------------------------------------------------------------

June 14, 2004                                              The VICE team

Regards,
   Spiro Trikaliotis.