Hacking a Linux PC through blargg's SPC700 core

This is an archive of a topic from NESdev BBS, taken in mid-October 2019 before a server upgrade.
Hacking a Linux PC through blargg's SPC700 core
by on (#184675)
Some instructions in Game_Music_Emu's SPC700 core are so broken with respect to clamping of X and Y values that an SPC file can pwn the user account.

Source: "Redux: compromising Linux using... SNES Ricoh 5A22 [sic] processor opcodes?!" by Chris Evans, via a tweet by Hector Martin

tl;dr: CPU registers in the SPC core are 32-bit for speed, and instruction $AF (MOV (X)+,A) doesn't clamp the values it writes to register X. Nor does the aaaa,X addressing mode wrap within $0000-$FFFF; it continues on to $10000-$100FE. These vulnerabilities and some clever coding involving MUL and DIV instructions allow building up huge and/or negative values in the X and Y registers to read the virtual method table, corrupt other parts of the emulator state to find free(), find system(), and build a new virtual method table in A-RAM through which the SPC700 code can call anything.
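To make the clamping point in the post above concrete, here is a small toy model in C. It is an added example, not code from Game_Music_Emu or from the article; the function names and the 64 KiB array are assumptions of the toy. It keeps registers in 32-bit variables the way the post describes, shows the MOV (X)+,A post-increment and the aaaa,X effective address both without and with the 8-bit / 16-bit wrap, and puts a bounds check in front of the backing array so that an oversized effective address is rejected instead of indexing past A-RAM. The combination of "X grows past 0xFF" and "aaaa,X does not wrap" is simplified into one store-and-increment loop so the two defects can be counted together.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the register/addressing defect, not code from Game_Music_Emu.
 * Like the real core, registers are kept in 32-bit variables for speed; the
 * bug is that the post-increment and the aaaa,X effective address are never
 * brought back into the 8-bit / 16-bit ranges the SPC700 actually has. */

#define SPC_RAM_SIZE 0x10000u  /* 64 KiB of A-RAM (assumed backing array) */

/* MOV (X)+,A post-increment as the defect: X just grows past 0xFF. */
static uint32_t postinc_x_unclamped(uint32_t x) { return x + 1; }

/* Hardened form: X is an 8-bit register, so wrap it. */
static uint32_t postinc_x_clamped(uint32_t x) { return (x + 1) & 0xFFu; }

/* aaaa,X effective address as the defect: no wrap within 0x0000-0xFFFF,
 * so $FFFF,X with X=0xFF reaches 0x100FE, exactly as the post describes. */
static uint32_t ea_abs_x_unwrapped(uint16_t aaaa, uint32_t x) { return aaaa + x; }

/* Hardened form: the address bus is 16 bits wide, so wrap the sum. */
static uint32_t ea_abs_x_wrapped(uint16_t aaaa, uint32_t x) { return (aaaa + x) & 0xFFFFu; }

/* Defensive store: refuse any address outside the backing array instead of
 * trusting the emulated CPU. Returns false when the write was rejected. */
static bool store_checked(uint8_t *ram, uint32_t ea, uint8_t value) {
    if (ea >= SPC_RAM_SIZE) return false;
    ram[ea] = value;
    return true;
}

/* Run n stores of the form "MOV aaaa+X, A; INC X" starting from x0 and count
 * how many the bounds check has to reject. With clamped == false the toy
 * behaves like the broken core; with clamped == true like the hardened one. */
static int rejected_stores(uint16_t aaaa, uint32_t x0, int n, bool clamped) {
    static uint8_t ram[SPC_RAM_SIZE];
    uint32_t x = x0;
    int rejected = 0;
    for (int i = 0; i < n; i++) {
        uint32_t ea = clamped ? ea_abs_x_wrapped(aaaa, x) : ea_abs_x_unwrapped(aaaa, x);
        if (!store_checked(ram, ea, 0xAA)) rejected++;
        x = clamped ? postinc_x_clamped(x) : postinc_x_unclamped(x);
    }
    return rejected;
}

int main(void) {
    printf("X after 0xFF+1: unclamped 0x%X, clamped 0x%X\n",
           postinc_x_unclamped(0xFF), postinc_x_clamped(0xFF));
    printf("EA of $FFFF,X with X=0xFF: unwrapped 0x%X, wrapped 0x%X\n",
           ea_abs_x_unwrapped(0xFFFF, 0xFF), ea_abs_x_wrapped(0xFFFF, 0xFF));
    printf("stores rejected from $FF00,X starting at X=0xFE: broken %d, hardened %d\n",
           rejected_stores(0xFF00, 0xFE, 4, false), rejected_stores(0xFF00, 0xFE, 4, true));
    return 0;
}
```

The useful observation for anyone auditing a similar core is that the mask on the register and the mask on the effective address are separate fixes: wrapping only the address would still let X hold an out-of-range value that other addressing modes pick up later, and wrapping only X would still let an unmasked aaaa+X sum run to 0x100FE. The bounds check on the store is the last line of defence if either mask is forgotten.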
Re: Hacking a Linux PC through blargg's SPC700 core
by on (#184681)
I remember a similar discussion a year ago, about vulnerability with another SNES emulator... being able to embed malware in an SNES ROM. I couldn't find the exact link I was thinking of, but here's a reddit discussion, apparently started by byuu...

https://m.reddit.com/r/emulation/commen ... erability/
Re: Hacking a Linux PC through blargg's SPC700 core
by on (#184687)
I wonder if there should be a database of emulation exploits somewhere. This one makes three that I can think of from this year alone.

It looks like the author already screened my comment (and another person's) about the entire article constantly naming the wrong processor (and describing it incorrectly as a result, despite multiple Wikipedia links), but hasn't actually amended the article. Bah :(
Re: Hacking a Linux PC through blargg's SPC700 core
by on (#184689)
Revenant wrote:
I wonder if there should be a database of emulation exploits somewhere. This one makes three that I can think of from this year alone.

File a CVE with the National Vulnerability Database -- because that's exactly what it's for! :-) It doesn't matter if it's for emulators or anything else; vulnerabilities are vulnerabilities (here's an example for SNES9x). You're also encouraged to send Email to the bugtraq seclists.org mailing list with details if applicable.
Re: Hacking a Linux PC through blargg's SPC700 core
by on (#184691)
Of course CVEs and mailing lists exist, but I'd be interested in having smaller lists dedicated to emulation and other similarly niche(-ish) stuff.
Re: Hacking a Linux PC through blargg's SPC700 core
by on (#184698)
I happen to know of an entire .spc set that could potentially trigger this problem on the fly, since I discovered that two SPC players on my end (Game Music Box and Audio Overload on versions newer than... I don't remember, but it was around 2.0?, and on Audio Overload, the sound would corrupt, while on Game Music Box, the SPC would simply stop playing instantaneously) have that very vulnerability (although, as it was discovered, it turned out to be with stack pointer wraparound): Shin Togenkyo (or as it is known on superfamicom.org, Shichuusui Meigaku Nyuumon Shin Tougenkyou).
Re: Hacking a Linux PC through blargg's SPC700 core
by on (#184699)
Revenant wrote:
Of course CVEs and mailing lists exist, but I'd be interested in having smaller lists dedicated to emulation and other similarly niche(-ish) stuff.

Considering emulators (including for audio) are mainstream and provided via many packaging systems per OS (Linux, BSD, etc.), I really must advise against "niche security" of this sort. Wider audience (hence filing a CVE + bugtraq) = better, in this case anyway.
Re: Hacking a Linux PC through blargg's SPC700 core
by on (#184700)
I really ought to write a newer WinAmp SPC plugin or something for the sake of sets like those (and other sets that just play back really badly with the Alpha-II plugin)...

koitsu wrote:
Considering emulators (including for audio) are mainstream and provided via many packaging systems per OS (Linux, BSD, etc.), I really must advise against "niche security" of this sort. Wider audience (hence bugtraq) = better, in this case anyway.

I wasn't trying to suggest that they should be mutually exclusive.
Re: Hacking a Linux PC through blargg's SPC700 core
by on (#184704)
Also, as I asked a person on Twitter, I'd love to know why the author of that article/discovery didn't try to reach out to blargg. He's responsive and friendly. I've no problem with disclosures, but when things like that make no mention of trying to contact the author or maintainer, it never sits well with me.
Re: Hacking a Linux PC through blargg's SPC700 core
by on (#184711)
koitsu wrote:
I'd love to know why the author of that article/discovery didn't try to reach out to blargg. He's responsive and friendly.

Responsive through which channel? Because blargg hasn't been active here lately (4 posts in past 33 months).
Re: Hacking a Linux PC through blargg's SPC700 core
by on (#184712)
tepples wrote:
Responsive through which channel? Because blargg hasn't been active here lately (4 posts in past 33 months).

He answers Email, like a normal human being. His Email address is in both the readme.txt and gme.txt that come with GME.
Re: Hacking a Linux PC through blargg's SPC700 core
by on (#184722)
I should add that Snes9X v1.50 - v1.53 uses blargg's SMP core as well, so they will definitely be vulnerable to this same attack. If you use Snes9X, upgrade to v1.54 if you haven't already.

koitsu wrote:
Considering emulators (including for audio) are mainstream and provided via many packaging systems per OS (Linux, BSD, etc.), I really must advise against "niche security" of this sort. Wider audience (hence filing a CVE + bugtraq) = better, in this case anyway.
Completely agree. Not only does it easily get bundled into default OS installs (via its inclusion into things like gstreamer), they're connecting these things into web browsers for god knows what reason.

So yes, this is a very serious issue.
Re: Hacking a Linux PC through blargg's SPC700 core
by on (#184727)
byuu wrote:
If you use Snes9X, upgrade to v1.54 if you haven't already.
Just a minor detail, 1.54 had issues, 1.54.1 is what you'd want if you're upgrading. Or, if you want MSU-1 support, there's more recent git builds