
Compromising a Linux desktop using 6502 opcodes on the NES - scarybeast
http://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html
======
pdkl95
If you are interested in this kind of multi-level attack, I recommend watching
this[1] really fun talk by dwangoAC, which he originally gave at DEFCON 24. He
is the owner of "TASBot", a custom controller interface for sending high-speed
(and occasionally reliable) controller input into a SNES.

In this talk, he uses the controller interface on the SNES to send commands to
a Super GameBoy, which is running a real Pokemon Red cartridge. Commands are
sent to Pokemon Red to activate an arbitrary code execution bug to write a
bootloader that receives the rest of the attack program at high speed. Then -
from inside the GameBoy environment - he takes over the Super GameBoy and
gains arbitrary code execution on the SNES proper.

(for a finish, a Twitch chat client is written into RAM on the SNES that uses
a custom network protocol to send requests over the controller port, so the
livestream audience can ask questions live through the SNES).

[1]
[https://www.youtube.com/watch?v=s-bKWT9fj8Y](https://www.youtube.com/watch?v=s-bKWT9fj8Y)

~~~
Klathmon
That's so insane.

Not only is there a bug consistent enough to get arbitrary code execution in
the game, but to also be able to reliably break out of the emulator and
literally reprogram the current game all in RAM to something completely
different.

I can't seem to think of words that would do what he did justice. It's
amazing.

~~~
qwertyuiop924
You thought that was cool? SethBling (of Super Mario World Credits Warp fame)
did a single nested version of this (in Super Mario World, of course), where
he reprogrammed the SNES to play Flappy Bird.

 _By hand_.

~~~
Klathmon
I actually saw that one a while ago.

IMO this is what the word "pwned" was meant to describe. When someone has not
only exploited a machine, but has literally become its master to such an
extent that they are playing games at that point, abusing the original purpose
of the console into this tormented, bastardized version to display memes from
a twitch chat, or play a clone of a shitty phone game.

~~~
H4CK3RM4N
Expanding on what you said, I feel like in terms of personal attacks it should
only be used if you could alter someone's life through the accounts you gain
access to.

------
vilhelm_s
Which brings to mind this blogpost by Ted Unangst
[[http://www.tedunangst.com/flak/post/features-are-faults](http://www.tedunangst.com/flak/post/features-are-faults)], in
particular this quote:

> Right now there is what I can only describe as a conspiracy to connect
> something called _gstreamer-plugins-bad_ to the internet. I do not want
> something called _gstreamer-plugins-bad_ to be connected to the internet
> because that doesn’t sound like a good idea, but apparently somebody decided
> to call it a feature, and just like that it had to happen. It’s as if
> somebody looked at the UML diagram for my browser and realized that the
> boxes labeled _malicious input_ and _gstreamer-plugins-bad_ weren’t yet
> connected, and in their utopian vision of the internet, all of the boxes
> must be connected.

~~~
scarybeast
Thanks for posting this quote! It's super awesome and is very close to my own
thoughts on the matter :) I'll be sure to cite this link in any future blog
posts on the topic.

------
makomk
"The attack surface of the Linux desktop does not appear to be under control,
or adequately monitored for regression." No kidding. I ran into an interesting
example for this a year or so back - the library used by KDE's search indexer
for reading image metadata added support for video files with a bunch of
classic buffer overflows in the new code, and even though it wasn't used to
index video files a similar filename trick could be used to get the indexer to
call it. Not sure how easy it would be to get code execution, but it wouldn't
require any user interaction thanks to Google Chrome.

~~~
pjmlp
Yes,

[http://arstechnica.com/security/2016/09/linux-kernel-securit...](http://arstechnica.com/security/2016/09/linux-kernel-security-needs-fixing/2/)

This is probably the only reason I can somehow understand Google's draconian
approach to the NDK APIs, versus what iOS and UWP allow for.

------
amyjess
On a similar note, last year three huge security holes were discovered in
ZSNES that allow an attacker to execute arbitrary x86 code using a malformed
ROM. [0] [1]

After seeing that and seeing this article, I'm thinking this might be the
start of a whole new era of finding security holes in emulators that allow PCs
to be compromised by running something shady in an emulator.

[0]
[https://www.reddit.com/r/emulation/comments/3aq0t3/psa_zsnes...](https://www.reddit.com/r/emulation/comments/3aq0t3/psa_zsnes_v151_native_code_execution_vulnerability/)

[1] Seriously, if you're still using ZSNES to emulate SNES games, don't.
That's a really scary vulnerability, it still hasn't been patched, and ZSNES
has been horrendously inaccurate and buggy since even before that. Do yourself
a favor and use Snes9X (or if you can, try something based on a bsnes core,
like Higan, bsnes-classic, or RetroArch configured with a bsnes core; they're
the most accurate, but the system requirements are high, and Higan's UI isn't
user-friendly).

~~~
emodendroket
Retroarch just uses cores from other emulators, doesn't it?

~~~
amyjess
Yeah, that section of my post was poorly worded. I might edit my post a bit
and fiddle with the wording.

------
gene-h
This reminds me of an old joke that the best way to make software that will
run 50 years from now is to write it as a NES cart.

~~~
WorldMaker
Between the NES, Gameboy, Commodore PET and 64, Apple I and II, Atari 2600,
and more, the MOS 6500 series of processors are truly immortal foundations in
the history of computing and videogames.

~~~
JonathonW
The Game Boy was actually a Z80 variant (or, probably more accurately, an 8080
variant supplemented with part of the Z80's instruction set).

Nintendo's hit most of the big personal computing CPU architectures through
the course of their history-- 6502 in NES and SNES, MIPS on the N64, PPC on
Gamecube/Wii/Wii U, and ARM on GBA/DS/3DS/Switch. The only ones they really
missed were 68k and x86.

~~~
swiley
It's also shockingly easy to write an 8080 emulator, on which you can run CP/M
complete with a C compiler.

~~~
WorldMaker
The MOS 6502 also has quite easy to emulate opcodes. Hence why it is perhaps
unsurprising to find one even embedded in an audio library as in the article
here.

When I had to write some 6502 code for a lab class in college I didn't like
the debugging options in most of the emulators I found and did write my own
mini-emulator in JS (or maybe it was PHP; it has been a while) to debug some
of the specific parts of code I was working on in that lab class.

------
boxfire
And hence the coding-quality separation of gstreamer plugins. There is a
reason the plugin ended up in gstreamer-plugins-bad, and for most of them it
is due to code quality, lack of maintainers, or both.

~~~
ronjouch
Oh really, the -{good, bad, ugly} axis is coding quality? I always assumed it
was licensing status / patents clearance.

EDIT it's both:
[https://gstreamer.freedesktop.org/documentation/splitup.html](https://gstreamer.freedesktop.org/documentation/splitup.html),
[http://askubuntu.com/questions/468875/plugins-ugly-and-bad](http://askubuntu.com/questions/468875/plugins-ugly-and-bad)

~~~
NoGravitas
The good plugins have both acceptable code quality and acceptable
license/patent terms. The ugly plugins have acceptable code quality, but
unacceptable license/patent terms. Bad plugins are lacking code review,
documentation, or are unmaintained, or have other problems that keep them from
being moved to good or ugly.

~~~
gcb0
I would have expected that to be the "testing" branch, not different
packages. But I guess it makes sense if you gave up updating the code.

~~~
phee
GStreamer is highly modular, so it makes total sense to ship a set of
plugins with subpar code, unclear patent/licensing, or barely maintained, in a
dedicated package. They called it "bad", what do you expect?

The issue here is that distributions should offer more granularity with on
demand codec installation. Does it make sense that to play an MP3 (not that
sure this is the case) I also get the NSF decoder?

~~~
chipaca
This is in gstreamer0.10-plugins-bad, which isn't installed by default nor
pulled in by anything else AFAICT

~~~
phee
No idea, I don't use ubuntu. According to OP it's pulled by default in 12.04
and 14.04 as long as you choose to enable multimedia codecs at install time.

------
itsnotlupus
How would people pronounce "0day" in a way where the expression "an 0day"
would flow naturally?

I read it as "an zero day", and that feels wrong.

~~~
saganus
What about saying "a 0day" which I read as "a zero day <attack>".

This same thing happens with "MVP" I think. "An MVP" sounds good, but "An
Minimal Viable Product" doesn't. So I use a/an depending on whether using the
abbreviation or not, but I have no idea if there's a rule for this or not.

~~~
maket
As far as I'm aware, the rule is if the first syllable starts with a vowel,
phonetically.

In your example "MVP", the first syllable starts with an "em", so a vowel. In
"Minimal Viable Product" the first syllable starts with the consonant sound.

I had a major pain with this rule when dealing with auto-generation of some
API documentation. It ended up just being an issue of detecting/guessing if
the text was an abbreviation or some weird CamelCase thing.

~~~
saganus
Yeah, that's the way I've always done it because otherwise it sounds wrong. I
guess someone taught me the rule and I don't remember or something.

------
paulrpotts
As an old-school geek who still enjoys 6502 assembly, I find this fascinating
and disturbing. Nice work explaining the find!

~~~
barbs
If you haven't read this already, you might enjoy this article: A Great
Old-Timey Game-Programming Hack:

[http://blog.moertel.com/posts/2013-12-14-great-old-timey-gam...](http://blog.moertel.com/posts/2013-12-14-great-old-timey-game-programming-hack.html)

------
lifthrasiir
Classic:
[http://beza1e1.tuxen.de/articles/accidentally_turing_complet...](http://beza1e1.tuxen.de/articles/accidentally_turing_complete.html)
and [https://www.gwern.net/Turing-complete](https://www.gwern.net/Turing-complete)

(Not to say that TC itself is bad, but unexpected/accidental TC is normally a
bad omen)

~~~
stefs
doesn't look like this is _accidental TC_.

> NSF music files, on the other hand, are played by actually emulating the
> NES CPU and sound hardware in real time. Is that cool or what? The gstreamer
> plug-in creates a virtual 6502 CPU hardware environment and then plays the
> music by running a bit of 6502 code for a little while and then looking at
> the resulting values in the virtualized sound hardware registers and then
> rendering some sound samples based on that.

~~~
lifthrasiir
I would classify it as unexpected TC nevertheless. Audio decoding and CPU
emulation are very different things.

~~~
stefs
but in this case audio decoding by cpu emulation was the intent of the
developer. i'm sure she knew what she did.
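
The loop stefs quotes above, as an added example (editor's code, not the
gstreamer plug-in's or the blog post's): a deliberately small 6502 subset in
which the "song" is 6502 code, the player calls INIT once and PLAY once per
frame, and after each call reads the virtual APU registers ($4000-$4017) that
the real plug-in turns into audio. The sample ROM, the opcode subset and the
instruction budget are this example's own constructions; the address windows
(2 KiB work RAM mirrored below $2000, APU at $4000, code loaded at $8000 or
above) follow the NES memory map and the NSF format.

```python
# Added example: a tiny 6502 subset that shows what "playing" an NSF means.
# Not code from the gstreamer plug-in. Sample ROM below is constructed.

RAM_SIZE = 0x800            # NES work RAM, mirrored through $0000-$1FFF
APU_BASE, APU_SIZE = 0x4000, 0x18
ROM_BASE = 0x8000           # NSF load/init/play addresses live at >= $8000


class Nes6502:
    def __init__(self, rom, load_addr=ROM_BASE):
        self.ram = bytearray(RAM_SIZE)
        self.apu = bytearray(APU_SIZE)
        self.rom = bytes(rom)
        self.load_addr = load_addr
        self.rejected = []      # guest writes aimed at unmapped addresses
        self.a = self.x = 0
        self.z = False
        self.pc = 0

    # Every guest address is checked against an explicit window before any
    # host buffer is indexed. The bug class to hunt for in a C emulator is
    # host_buf[addr - base] with no such check: the guest then chooses the
    # host offset, and "data" becomes a write primitive.
    def read(self, addr):
        addr &= 0xFFFF
        if addr < 0x2000:
            return self.ram[addr % RAM_SIZE]
        if APU_BASE <= addr < APU_BASE + APU_SIZE:
            return self.apu[addr - APU_BASE]
        off = addr - self.load_addr
        if 0 <= off < len(self.rom):
            return self.rom[off]
        return 0                # unmapped: open bus, nothing useful

    def write(self, addr, val):
        addr &= 0xFFFF
        val &= 0xFF
        if addr < 0x2000:
            self.ram[addr % RAM_SIZE] = val
        elif APU_BASE <= addr < APU_BASE + APU_SIZE:
            self.apu[addr - APU_BASE] = val
        else:
            self.rejected.append((addr, val))   # dropped, logged for inspection

    def fetch(self):
        b = self.read(self.pc)
        self.pc = (self.pc + 1) & 0xFFFF
        return b

    def fetch16(self):
        lo = self.fetch()
        return lo | (self.fetch() << 8)

    def nz(self, v):            # only the Z flag is modelled here
        v &= 0xFF
        self.z = v == 0
        return v

    def call(self, addr, budget=10_000):
        """Run the routine at addr until its top-level RTS. The budget is the
        "run a bit of 6502 code for a little while" part, and it also stops a
        hostile song from spinning the player forever."""
        self.pc = addr
        for _ in range(budget):
            op = self.fetch()
            if op == 0x60: return                                       # RTS
            elif op == 0xEA: pass                                       # NOP
            elif op == 0xA9: self.a = self.nz(self.fetch())             # LDA #imm
            elif op == 0xA5: self.a = self.nz(self.read(self.fetch()))  # LDA zp
            elif op == 0xAD: self.a = self.nz(self.read(self.fetch16()))  # LDA abs
            elif op == 0xA2: self.x = self.nz(self.fetch())             # LDX #imm
            elif op == 0x85: self.write(self.fetch(), self.a)           # STA zp
            elif op == 0x8D: self.write(self.fetch16(), self.a)         # STA abs
            elif op == 0x8E: self.write(self.fetch16(), self.x)         # STX abs
            elif op == 0xE6:                                            # INC zp
                zp = self.fetch()
                self.write(zp, self.nz(self.read(zp) + 1))
            elif op == 0xE8: self.x = self.nz(self.x + 1)               # INX
            elif op == 0xCA: self.x = self.nz(self.x - 1)               # DEX
            elif op == 0xD0:                                            # BNE rel
                rel = self.fetch()
                if not self.z:
                    self.pc = (self.pc + rel - (0x100 if rel & 0x80 else 0)) & 0xFFFF
            elif op == 0x4C: self.pc = self.fetch16()                   # JMP abs
            else:
                raise ValueError(f"unsupported opcode {op:#04x} at {(self.pc - 1) & 0xFFFF:#06x}")
        raise RuntimeError("instruction budget exhausted")


def run_song(nes, init_addr, play_addr, frames):
    """The player loop: INIT once, PLAY per frame, APU snapshot after each."""
    nes.call(init_addr)
    snapshots = []
    for _ in range(frames):
        nes.call(play_addr)
        snapshots.append(bytes(nes.apu))
    return snapshots


# Constructed song. INIT ($8000) enables the channels and zeroes a zero-page
# counter. PLAY ($8010) bumps the counter into pulse-1's timer, spins a short
# DEX/BNE delay loop, then tries a write to $5000, which lies outside every
# mapped window and must be dropped rather than land in host memory.
SAMPLE_ROM = bytes([
    0xA9, 0x0F, 0x8D, 0x15, 0x40, 0xA9, 0x00, 0x85, 0x00, 0x60,   # $8000 INIT
    0xEA, 0xEA, 0xEA, 0xEA, 0xEA, 0xEA,                            # padding
    0xE6, 0x00, 0xA5, 0x00, 0x8D, 0x02, 0x40,                      # $8010 PLAY
    0xA9, 0x08, 0x8D, 0x03, 0x40, 0xA2, 0x03,
    0xCA, 0xD0, 0xFD,                                              # $801E DEX; BNE $801E
    0x8D, 0x00, 0x50, 0x60,                                        # STA $5000; RTS
])
INIT_ADDR, PLAY_ADDR = 0x8000, 0x8010


def demo(frames=3):
    nes = Nes6502(SAMPLE_ROM)
    return nes, run_song(nes, INIT_ADDR, PLAY_ADDR, frames)


def exhausts_budget(rom, addr, budget=1_000):
    """True if the routine never reaches RTS within the budget."""
    try:
        Nes6502(rom).call(addr, budget)
    except RuntimeError:
        return True
    return False
```

After three frames the pulse-1 timer register ($4002) holds 3, $4003 holds 8,
$4015 still holds the $0F written by INIT, and every attempted write to $5000
sits in `rejected` with the work RAM untouched. A three-byte ROM that is just
`JMP $8000` trips the budget instead of hanging the player.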

------
qwertyuiop924
I should probably learn 6502 asm at some point. But I think I'll start with
ARM and Z80 first, because I have a physical ARM/Z80 machine (read: Gameboy
Advance).

~~~
barbs
The link he gives in the article, Easy 6502, is a great way to learn 6502. I
do recommend it.

[https://skilldrick.github.io/easy6502/](https://skilldrick.github.io/easy6502/)

~~~
qwertyuiop924
Thanks!

That was surprisingly simple, if a bit mind-bending.

------
chinathrow
Fixed in Ubuntu as of today.

[http://changelogs.ubuntu.com/changelogs/pool/universe/g/gst-...](http://changelogs.ubuntu.com/changelogs/pool/universe/g/gst-plugins-bad0.10/gst-plugins-bad0.10_0.10.23-7.2ubuntu1.2/changelog)

------
gpvos
The title alone is already worth my upvote.

------
stefs
if i understood this right: code execution - yes, but no privilege escalation?

~~~
j_s
I too would appreciate further insight in this specific aspect of this
vulnerability. Perhaps with the amount of flexibility apparently available it
wouldn't take much work to gain root access.

There are many parallels here to the libstagefright media codec vulnerabilities
that were big news in the Android world back in 2015 - the primary problem
seems to be remote code execution, not privilege escalation.

~~~
mikeash
It gives you the ability to run arbitrary code with the same privileges as the
media player. Going beyond that would require exploiting some other
vulnerability to gain root access.

That _probably_ wouldn't be too hard. Local privilege escalation seems to be a
lot easier to accomplish. It's harder to secure a system from code running on
it than from data coming in from the outside. It's sort of a bigger version of
the article's suggestion to "watch out for scripting in unexpected places!"

You also don't necessarily need privilege escalation to do a lot of damage. If
the media player isn't sandboxed in some way, then it'll have full privileges
to access all your user's files. Traditional UNIX permissions mean that you
need special access in order to write to the kernel, but not to read your
e-mails or that spreadsheet you have with your bank account details.

------
stefs
my system (linux mint, based on ubuntu 14.04.1) might be affected. the
versions match, the files are there.

i'm loath to download and execute the test file though.

while i'm almost completely sure this post is legit, i also don't want to
delete the gstreamer-0.1 in case it trashes something important. think of
trolls recommending the deletion of system32 to speed up the system and free
disk space.

can i remove this safely? is there more information from another credible
source?

~~~
skykooler
The test file, if your system is affected, will only open a calculator. (if
you are concerned whether it has been modified to an actual attack file, you
can compare it to the one on the page in a hex editor.)

Don't delete gstreamer-0.10, because many things rely on it. It is however
safe to delete libgstnsf.so.

~~~
scarybeast
It will likely only open a calculator if you run it against the exact version
of everything listed in the blog post, which is Ubuntu 12.04.5 without any
further patches.

Any different version of Ubuntu (such as 14.04.anything), will have a
different glibc binary. Among other issues, the exploit has a hard coded
offset of the delta between the memset() and system() functions inside glibc.
This offset will only be valid against the glibc binary for 12.04.5. With more
work, the exploit could be modified to dynamically calculate the correct
offset for almost any version of glibc.

If the offset is invalid, you're likely to still get a crash, just no
calculator. So the presence of a crash or not can be used to determine trouble
vs. ok.

That said, Ubuntu 14.04 isn't too badly affected. It does come with
gstreamer-0.10, but it does not appear to be used for much. As far as I could
tell, gstreamer-1.0 is used for the most important stuff (totem, totem-video-
thumbnailer, etc.).
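
The hard-coded memset()/system() delta scarybeast describes, as an added
example (editor's code, not the blog post's exploit) that computes the same
delta for the libc mapped into the current process via ctypes. It assumes
Linux with glibc and a dynamically linked interpreter. ASLR slides the whole
library, so the delta is stable across runs of one glibc build and wrong for
any other, which is the crash-versus-calculator behaviour described above.
One caveat a practitioner should keep in mind: memset in x86-64 glibc is an
IFUNC, so what dlsym returns (and what a resolved GOT slot holds) is the
CPU-selected implementation, and the delta can therefore depend on the CPU as
well as on the glibc build.

```python
# Added example: why a memset()->system() delta baked into an exploit fits
# only one glibc build. Assumes Linux/glibc; not the blog post's code.
import ctypes

_proc = ctypes.CDLL(None)       # dlopen(NULL): this process's global symbol scope


def symbol_address(name):
    """Runtime address of a libc function in this process (dlsym underneath)."""
    return ctypes.cast(getattr(_proc, name), ctypes.c_void_p).value


def delta(src="memset", dst="system"):
    """Distance from src to dst inside the libc mapped here. Stable across
    runs of the same build despite ASLR; different for a different build."""
    return symbol_address(dst) - symbol_address(src)


def predict(leaked_src, hard_coded_delta):
    """What the exploit does: an address it can read or corrupt for src, plus
    the delta it shipped with. Right build: system(). Wrong build: some
    unrelated instruction, hence a crash and no calculator."""
    return (leaked_src + hard_coded_delta) & 0xFFFFFFFFFFFFFFFF


def prediction_is_correct(hard_coded_delta):
    """Check a shipped delta against this process's libc before trusting it."""
    return predict(symbol_address("memset"), hard_coded_delta) == symbol_address("system")
```

`delta()` printed on a 12.04.5 box and on a 14.04 box gives two different
numbers; `prediction_is_correct(d)` is the check that tells you, without
running anything, whether a delta `d` taken from some exploit would land on
system() on this machine.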

------
bouvin
So, chiptunes are bad for you?

------
cjbprime
_stares at the screen with mouth open_

------
IshKebab
Vulnerability in gstreamer! News at 11!

Next you'll be telling me mplayer is riddled with vulnerabilities too...

------
partycoder
The UX should say: "This file is a NSF file, do you want to open it?"

~~~
alanh
1) Make an argument. This isn’t one.

2) Why suggest a prompt that doesn’t give the user an understanding of what
they are being asked and why it matters?

~~~
partycoder
Implicit information is what allowed millions of devices to be infected via
AUTORUN.INF files causing billions of dollars in damage.

People think in ways of making things simple and easy, but you end up harming
people. It's a leaky abstraction of trust.

This would fall into the same category. You don't expect risk from a MP3. But
then it's not an MP3, it's a NSF.

~~~
voltagex_
and continuously prompting people for input is a good way to train them to
always click "Yes".

[https://www.nist.gov/news-events/news/2016/10/security-fatig...](https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly)

~~~
partycoder
Would not be fatigue. If the extension is mp3 and the detected type is mp3, no
need to show a dialog. Only show a dialog if there might be something phony
going on.
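
The "extension says mp3, content says something else" check partycoder
describes, and the renamed-file trick makomk mentions further up, as an added
example (editor's code, not gstreamer's typefinder or the NSF plug-in's
parser). Typefinding in a media framework keys on content, not on the
filename, which is why renaming an NSF to .mp3 changes nothing for the
player; the prompt rule here fires only when the two disagree. The block also
parses the NSF header fields an emulator actually jumps to and rejects short
headers or load/init/play addresses below $8000 up front. The magic values
follow the NSF format ("NESM\x1a", 128-byte header, addresses in the $8000
and up window) and the MPEG audio frame sync; every sample file is
constructed here.

```python
# Added example: content-vs-extension check plus a hardened NSF header parse.
# Not gstreamer or plug-in code. Sample files below are constructed.
import os
import struct

NSF_MAGIC = b"NESM\x1a"
NSF_HEADER_LEN = 0x80
EXT_TYPES = {".mp3": "mp3", ".nsf": "nsf"}


def sniff(data):
    """Type by content only; the filename is never consulted, which is exactly
    why chiptune.nsf renamed to chiptune.mp3 still reaches the NSF decoder."""
    if data[:5] == NSF_MAGIC:
        return "nsf"
    if data[:3] == b"ID3":
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"            # 11-bit MPEG frame sync (loose, as sniffers are)
    return "unknown"


def claimed_type(name):
    return EXT_TYPES.get(os.path.splitext(name)[1].lower(), "unknown")


def classify(name, data):
    """Returns (claimed, actual, prompt). prompt is the rule from the thread:
    stay quiet when name and content agree, ask when the content is something
    other than the name claims."""
    claimed, actual = claimed_type(name), sniff(data)
    return claimed, actual, claimed != actual


def should_prompt(name, data):
    return classify(name, data)[2]


def nsf_header(data):
    """Parse the fields that decide where the emulated CPU starts running.
    Short headers and addresses below $8000 are refused here instead of being
    handed to the emulator."""
    if len(data) < NSF_HEADER_LEN or data[:5] != NSF_MAGIC:
        raise ValueError("not a complete NSF header")
    load, init, play = struct.unpack_from("<HHH", data, 8)
    for label, addr in (("load", load), ("init", init), ("play", play)):
        if addr < 0x8000:
            raise ValueError(f"{label} address {addr:#06x} below $8000")
    return {"version": data[5], "songs": data[6], "start_song": data[7],
            "load": load, "init": init, "play": play,
            "title": data[0x0E:0x2E].split(b"\0", 1)[0].decode("ascii", "replace")}


def nsf_header_ok(data):
    try:
        nsf_header(data)
    except ValueError:
        return False
    return True


def make_nsf(load=0x8000, init=0x8000, play=0x8010, title=b"constructed"):
    """Constructed NSF: a valid 128-byte header plus 16 bytes of unused code."""
    hdr = bytearray(NSF_HEADER_LEN)
    hdr[:5] = NSF_MAGIC
    hdr[5], hdr[6], hdr[7] = 1, 1, 1              # version, song count, first song
    struct.pack_into("<HHH", hdr, 8, load, init, play)
    hdr[0x0E:0x0E + len(title)] = title
    return bytes(hdr) + bytes(16)


MP3_ID3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + bytes(16)   # constructed ID3v2 head
MP3_RAW = b"\xff\xfb\x90\x00" + bytes(16)                   # constructed bare frame
```

`classify("chiptune.mp3", make_nsf())` comes back `("mp3", "nsf", True)`: the
one case that earns a dialog. A real MP3 under a .mp3 name, or an NSF under a
.nsf name, gets none, so the security-fatigue objection above does not apply
to the common path.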

