Thought I'd share this interesting/amusing/related post: https://scarybeastsecurity.blogspot.fi/ ... sktop.html
It has got some factual errors about 6502 bank switching (seems to imply that NES games were using 4 KB bank switching), but the actual exploit is a pretty cool one.
NSF files used to compromise Ubuntu desktop
Download STREEMERZ for NES from fauxgame.com! — Some other stuff I've done: fo.aspekt.fi
- Jarhmander
- Formerly ~J-@D!~
Re: NSF files used to compromise Ubuntu desktop
I find it rather funny that in the closing notes he mentions that the critical reason this exploit is possible is a "scripting" language embedded in the player. It doesn't say, however, that what makes the exploit possible in the first place is the sloppy coding, allowing an out-of-buffer memory access. It's just that, because of the "scripting" language, you can do much more harm than just crashing the player with invalid input (a non-conforming NSF). No software whatsoever should break with invalid input, and never allow an OOB memory access to occur!
((λ (x) (x x)) (λ (x) (x x)))
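A minimal bounds-checked NSF loader in C, added here as an illustration of the checks the post above is asking for. It is not code from libgstnsf, gstreamer or libgme, and it does not reproduce the specific bug from the article; it only shows the header fields a player has to take on trust (load/init/play addresses, the bank-switch init bytes at header offset $70, the data length that follows the 128-byte header) and refuses any file whose values would index outside the ROM buffer. The sample files are constructed inside the block, not real NSFs.

```c
/* Bounds-checked NSF loader: an added example, not code from libgstnsf, gstreamer or
 * libgme. The checks are the ones a non-conforming file must not be able to bypass. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NSF_HEADER_SIZE 128
#define NSF_BANK_SIZE   0x1000
#define NSF_SLOTS       8    /* $8000-$FFFF is eight 4 KB slots */
#define NSF_MAX_BANKS   256  /* bank registers $5FF8-$5FFF take one byte */

enum nsf_err { NSF_OK = 0, NSF_ERR_SHORT, NSF_ERR_MAGIC, NSF_ERR_ADDR, NSF_ERR_SIZE, NSF_ERR_BANK };

typedef struct {
    uint16_t load_addr, init_addr, play_addr;
    uint8_t  bank_init[NSF_SLOTS];
    int      bankswitched;
    size_t   nbanks;           /* 4 KB banks actually backed by file data */
    uint8_t *banks;            /* nbanks * NSF_BANK_SIZE bytes */
    uint8_t  slot[NSF_SLOTS];  /* bank mapped at $8000 + i * $1000 */
} nsf_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }

/* Bank register write. Refusing a bank number past the loaded data is what keeps a
 * later read from running off the end of `banks` (init code can write these too). */
enum nsf_err nsf_set_bank(nsf_t *n, unsigned s, uint8_t bank)
{
    if (s >= NSF_SLOTS || bank >= n->nbanks) return NSF_ERR_BANK;
    n->slot[s] = bank;
    return NSF_OK;
}

/* CPU read of the ROM window; every index used here was bounded at load time. */
uint8_t nsf_read(const nsf_t *n, uint16_t addr)
{
    if (addr < 0x8000) return 0;   /* RAM and registers are not modelled */
    return n->banks[(size_t)n->slot[(addr - 0x8000) >> 12] * NSF_BANK_SIZE + (addr & 0xFFF)];
}

void nsf_free(nsf_t *n) { free(n->banks); n->banks = NULL; n->nbanks = 0; }

enum nsf_err nsf_load(nsf_t *n, const uint8_t *file, size_t len)
{
    memset(n, 0, sizeof *n);
    if (len <= NSF_HEADER_SIZE) return NSF_ERR_SHORT;
    if (memcmp(file, "NESM\x1a", 5) != 0) return NSF_ERR_MAGIC;
    n->load_addr = rd16(file + 8); n->init_addr = rd16(file + 10); n->play_addr = rd16(file + 12);
    memcpy(n->bank_init, file + 0x70, NSF_SLOTS);
    for (int i = 0; i < NSF_SLOTS; i++) n->bankswitched |= n->bank_init[i] != 0;
    /* An address below $8000 would index in front of the ROM buffer. */
    if (n->load_addr < 0x8000 || n->init_addr < 0x8000 || n->play_addr < 0x8000)
        return NSF_ERR_ADDR;
    size_t data_len = len - NSF_HEADER_SIZE;
    size_t pad = n->load_addr & 0xFFF;          /* data starts mid-bank */
    if (n->bankswitched) {
        n->nbanks = (pad + data_len + NSF_BANK_SIZE - 1) / NSF_BANK_SIZE;
        if (n->nbanks > NSF_MAX_BANKS) return NSF_ERR_SIZE;
    } else {                                    /* fixed 32 KB image, may not pass $FFFF */
        if (data_len > (size_t)(0x10000 - n->load_addr)) return NSF_ERR_SIZE;
        n->nbanks = NSF_SLOTS;
    }
    if (!(n->banks = calloc(n->nbanks, NSF_BANK_SIZE))) return NSF_ERR_SIZE;
    memcpy(n->banks + (n->bankswitched ? pad : n->load_addr - 0x8000u),
           file + NSF_HEADER_SIZE, data_len);
    for (unsigned i = 0; i < NSF_SLOTS; i++)
        if (nsf_set_bank(n, i, n->bankswitched ? n->bank_init[i] : (uint8_t)i)) {
            nsf_free(n);
            return NSF_ERR_BANK;
        }
    return NSF_OK;
}

/* Constructed sample file, not a real NSF: zeroed header plus data byte i = i >> 8. */
static size_t build_nsf(uint8_t *buf, uint16_t load, uint16_t init, uint16_t play,
                        const uint8_t *bank_init, size_t data_len)
{
    memset(buf, 0, NSF_HEADER_SIZE);
    memcpy(buf, "NESM\x1a", 5);
    wr16(buf + 8, load); wr16(buf + 10, init); wr16(buf + 12, play);
    memcpy(buf + 0x70, bank_init, NSF_SLOTS);
    for (size_t i = 0; i < data_len; i++) buf[NSF_HEADER_SIZE + i] = (uint8_t)(i >> 8);
    return NSF_HEADER_SIZE + data_len;
}

/* Result of loading one file shape; a non-zero first_bank makes it bankswitched. */
int try_load(uint16_t load, uint16_t init, uint16_t play, uint8_t first_bank, size_t data_len)
{
    static uint8_t buf[NSF_HEADER_SIZE + 0x8000];
    uint8_t bi[NSF_SLOTS] = { first_bank };
    nsf_t n;
    int e = nsf_load(&n, buf, build_nsf(buf, load, init, play, bi, data_len));
    nsf_free(&n);
    return e;
}

/* Load a two-bank bankswitched file, map `bank` at $8000 and read `addr`; -1 if rejected. */
int mapped_read(uint8_t bank, uint16_t addr)
{
    static uint8_t buf[NSF_HEADER_SIZE + 2 * NSF_BANK_SIZE];
    static const uint8_t bi[NSF_SLOTS] = { 0, 1 };   /* bank 0 at $8000, bank 1 at $9000 */
    nsf_t n;
    int v = -1;
    if (nsf_load(&n, buf, build_nsf(buf, 0x8000, 0x8000, 0x8003, bi, 2 * NSF_BANK_SIZE)) == NSF_OK
        && nsf_set_bank(&n, 0, bank) == NSF_OK)
        v = nsf_read(&n, addr);
    nsf_free(&n);
    return v;
}
```

The two places where file-controlled values become memory indices are nsf_load (load address and data length) and nsf_set_bank (bank numbers, both from the header's init bytes and from whatever the tune's own 6502 code writes to $5FF8-$5FFF while running). A loader that validates the header but lets the emulated code select an arbitrary bank number has only moved the out-of-bounds read, not removed it.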
Re: NSF files used to compromise Ubuntu desktop
gstreamer is not known for its high quality.
Re: NSF files used to compromise Ubuntu desktop
It was patched before I returned to my computer that day. Otherwise, neat.
Odd calling a 2A03 emu a scripting language…
Re: NSF files used to compromise Ubuntu desktop
I don't use that software anyways; I uninstalled it (as well as many other things) soon after I brought the computer home. I now use Mednafen to play NSF although I would prefer to instead use a pipe of three command-line programs to play it. Each program should do one thing and make every program a filter.
[url=gopher://zzo38computer.org/].[/url]
Re: NSF files used to compromise Ubuntu desktop
I've been given said 0-day link several times by friends (what can I say, we sysadmins get handed cute things). Despite the technical inaccuracies about the NES described in the article, I do find it "neat". However, the most telling part of the article -- for me -- was this:
While at first glance, this "patch" would appear to remove functionality, it does not. Your wonderful NSF files will still play. WTF? Would you believe that Ubuntu 12 and 14 ship not one but two different code bases for playing NSF files? That's a lot of code for a very fringe format. The second NSF player is based on libgme and does not appear to have the vulnerabilities of the first.
Blindly removing a file on the system which is installed by a package is not how you solve this problem properly; yes, it will work as a very crappy "last resort" workaround, but it's laughable (especially when called "a patch") -- come any kind of package management involving that package, the shared library in question will be reinstalled. I really expect more from the author of the article, who has a good history of being a quality security analyst. The way you solve this problem is by figuring out what package is responsible for its installation, then talking to the Ubuntu folks by filing a ticket. Both Ubuntu 12.x and 14.x LTS are still actively supported (this issue DOES classify as a "maintenance update").
Situation seems easy enough to me to rectify: the maintainer of the relevant package needs to remove NSF support. Sadly, the article does not bother to actually track down what specific Ubuntu package is responsible for libgstnsf.so (Ubuntu package names are horrific); apparently output from dpkg -S /usr/lib/x86_64-linux-gnu/gstreamer-0.10/libgstnsf.so was just too hard. From what I can determine, Ubuntu 12.x and 14.x have some kind of "bad plugins list" and libgstnsf.so falls under that category. The package is called gstreamer0.10-plugins-bad (i386 has its own as well). I don't know why this package isn't installed or used by the reporter (the Ubuntu folks need to look into why that is).
Re: NSF files used to compromise Ubuntu desktop
The updated packages with the fix will be updated in 3 months or so. It's what you get when you use Ubuntu. It's a non-issue. The package maintainer needs to update the packages with the patch. Nothing to see here, except more reason to not use Ubuntu and move to a daily-updated rolling distro.
Re: NSF files used to compromise Ubuntu desktop
I did some research into this if it would be possible to exploit Windows users. Turns out that the offending gstreamer 0.10 library is used in an XMPP/Jabber client called Gajim.
The Windows version has the affected libgstnsf.dll packaged with it. It uses libgstnsf.dll for inline media playing if someone were to send or link you a media file, such as an NSF.
You would of course have to custom-tailor your NSF for the Windows environment, but it should work just the same as it does not appear to be detected currently as a vulnerable application/dll.
Re: NSF files used to compromise Ubuntu desktop
3gengames wrote:The updated packages with the fix will be updated in 3 months or so. It's what you get when you use Ubuntu. It's a non-issue. The package maintainer needs to update the packages with the patch. Nothing to see here, except more reason to not use Ubuntu and move to a daily-updated rolling distro.