The security expert Chris Evans has disclosed a zero-day exploit for Ubuntu and Fedora distributions. The flaw is a full drive-by download exploit that may impact also other Linux distributions.
The researcher successfully the full zero-day drive-by exploit against Fedora 25 + Google Chrome and Ubuntu 16.04 LTS, and relies on breaking out of Super Nintendo Entertainment System (SNES) emulation “via subtle cascading side effects from an emulation error.”
“full reliable 0day drive-by exploit against Fedora 25 + Google Chrome, by breaking out of Super Nintendo Entertainment System emulation via cascading side effects from a subtle and interesting emulation error.” explained Evans in a blog post.
The problem lies within the Sony SPC700 emulated processor and exploits cascading subtle side effects of an emulation hole.
The Linux GStreamer media playback framework supports the playback of SNES music files by emulating the SNES CPU and audio processor due to an agreement with Game Music Emu.
The emulation process supported by the Sony SPC700 processor is affected by at least two flaws, a missing X register value clamp for the MOV (X)+, A instruction, and a missing SP register value clamp for the RET1 instruction.
Evans chained the two issues for his attack, he demonstrated that it possible to compromise the target system by tricking the user into visiting a malicious web page that contains audio files encoded in the SPC music format, but saved with the. flac and. mp3 extensions.
The files work as the vector for the malicious code that loaded and executed by the victims with the same privileges as those of the current user.
The full drive-by download exploit could allow the attacker to steal personal data, including photos, videos, or documents, as well as data stored in the browser.
Evans published the following video PoC videos working on Fedora 25 and Ubuntu 16.04 LTS alongside the files needed to test the exploit.
Evans provided further details on the impact of the hack on both Linux distribution he tested, he highlighted that the general lack of sandboxing contributes to the severity of the issue.
(Security Affairs – full zero-day drive-by exploit, Linux hacking)