Playing Media Files Can Lead to Remote Code Execution in Linux

December 20, 2016

A new 0-day vulnerability in Linux desktops was recently reported. This is due to a flaw in game-music-emu. Game-music-emu is a plugin that allows emulation of various CPU and audio processors, thereby letting a user play different kind of music files. The flaw is in the way game-music-emu emulates the SNES CPU and audio processor. A specially crafted SNES music file allows an attacker to execute remote code onto the system.

An analysis of the available POC samples is as follows:

By itself, the above code has been shown to cause the emulator to crash. This is caused by attempting to write to a location outside of the available memory.

The problem shown in the POCs is that the emulator does not have out-of-bounds checking for very large or negative values.

An attacker can thus create a specially crafted SNES music file and rename it either as .flac or .mp3 to entice an unsuspecting user to load the file onto a player that uses the gstreamer framework. Game-music-emu is part of a plugin that can be added to the gstreamer framework.

SonicWALL Threat Research Team has written the following signature to help protect our customers from this attack:

  • SPY 1074: Malformed-File spc.OT.1