Bug#792420: zsnes: emulator escape vulnerability

Alfred Agrell alfred at agrell.info
Tue Jul 14 19:03:04 UTC 2015


On Tue, 14 Jul 2015 18:57:02 +0200 Etienne Millon <me at emillon.org> wrote:
> * Paul Wise <pabs at debian.org> [150714 18:20]:
> > According to this Youtube video and forum post, there are at least 3
> > vulnerabilities in zsnes that allow ROMs to escape the zsnes
> > emulator and execute arbitrary code on the host running zsnes. The
> > known issues will be fixed in 1.52 but there may be more issues.
> > This may or may not be related to the cppcheck warnings from bug
> > #610313.
>
> Thanks for the report.
>
> While neither the exploit code nor a fix is out, I believe that the
> best course of action is indeed to write a patch for #610313.
>
> It may also be possible that due to hardening patches, this bug is not
> exploitable in Debian.
>
> --
> Etienne Millon

I am the one who created that PoC, so I know all relevant facts about 
these vulns.

#610313 is irrelevant; these vulns are all in assembly. Whatever 
hardening you're thinking of is also insufficient; there isn't even any 
ASLR in this program.


The three aforementioned vulns (along with something in the C code, not 
sure if it's exploitable) are patched upstream:

http://svn.zsnes.com/comp.php?repname=zsnes&path=%2F&compare[]=%2F@5307&compare[]=%2F@5308
http://svn.zsnes.com/comp.php?repname=zsnes&path=%2F&compare[]=%2F@5310&compare[]=%2F@5311


There is also a fourth vuln that they didn't patch yet:

http://svn.zsnes.com/filedetails.php?repname=zsnes&path=%2Ftrunk%2Fsrc%2Fcpu%2Fspc700.asm&rev=4492&sc=1

Op4E should use SPCRAM, not [spcRamDP]. This leads to an exploitable 
buffer overflow.


Vuln 5: A crafted savestate can set wramrwadr to something impossible, 
leading to yet another exploitable overflow.


And yes, it is very likely that more exploits exist. ZSNES is an 
enormous pile of decades-old code, written more for performance than 
security and correctness. I'm surprised they've remained hidden for so long.
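The savestate check that vuln 5 calls for, as an added example in C that is not ZSNES code: a wramrwadr cursor is read from a constructed savestate blob (the blob layout is hypothetical) and rejected if it lies outside the 128 KiB SNES WRAM, before it is ever used as an index. The snes_state struct and the load_savestate, wram_read and savestate_selfcheck names are assumptions.

```c
/* Added example, not ZSNES code: validate a WRAM cursor taken from a
 * savestate before it is ever used as an index. Blob layout is hypothetical. */
#include <stdint.h>
#include <string.h>
#define WRAM_SIZE 0x20000u          /* SNES work RAM is 128 KiB */
#define STATE_LEN (4u + WRAM_SIZE)  /* 4-byte LE cursor, then WRAM image */

typedef struct {
    uint8_t  wram[WRAM_SIZE];
    uint32_t wramrwadr;             /* $2181-$2183 cursor into wram */
} snes_state;

/* 0 on success; -1 if the blob is short or the cursor is out of range.
 * Nothing is written on failure, so a rejected file leaves no bad cursor. */
int load_savestate(snes_state *st, const uint8_t *blob, size_t len)
{
    if (len < STATE_LEN) return -1;
    uint32_t cur = (uint32_t)blob[0] | (uint32_t)blob[1] << 8
                 | (uint32_t)blob[2] << 16 | (uint32_t)blob[3] << 24;
    /* Hardware wraps the cursor inside WRAM, so >= size cannot occur;
     * reject rather than silently mask so a tampered state is noticed. */
    if (cur >= WRAM_SIZE) return -1;
    memcpy(st->wram, blob + 4, WRAM_SIZE);
    st->wramrwadr = cur;
    return 0;
}

/* $2180 read: byte at cursor, then advance with hardware-style wrap. */
uint8_t wram_read(snes_state *st)
{
    uint8_t v = st->wram[st->wramrwadr];
    st->wramrwadr = (st->wramrwadr + 1) & (WRAM_SIZE - 1);
    return v;
}

/* Self-check on constructed blobs: an in-range cursor loads and wraps,
 * an out-of-range one is refused. Returns 1 when both hold. */
int savestate_selfcheck(void)
{
    static uint8_t blob[STATE_LEN];
    static snes_state st;
    memset(blob, 0, sizeof blob);
    blob[4 + WRAM_SIZE - 1] = 0xAB;                 /* last WRAM byte */
    blob[0] = 0xFF; blob[1] = 0xFF; blob[2] = 0x01; /* cursor 0x1FFFF */
    if (load_savestate(&st, blob, sizeof blob) != 0) return 0;
    if (wram_read(&st) != 0xAB || st.wramrwadr != 0) return 0;
    blob[0] = 0; blob[1] = 0; blob[2] = 0x02;       /* cursor 0x20000 */
    return load_savestate(&st, blob, sizeof blob) == -1;
}
```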