VICE emulator format string vulnerability
------------------------------------------------------------------------
VICE Security Advisory VSA-2004-1
------------------------------------------------------------------------
Summary:
Severity: Low
Title: VICE monitor memory dump format string vulnerability
Date: June 14, 2004
Version: 1
ID: VSA-2004-01
Impact: Could allow arbitrary code execution
Project site: http://www.viceteam.org/
Affected Versions: VICE 1.6 up to 1.14 on all plattforms
Revision: 1
CVE Names: CAN-2004-0453
------------------------------------------------------------------------
What is VICE?
VICE is a program that runs on a Unix, MS-DOS, Win32, OS/2, Acorn RISC
OS or BeOS machine and executes programs intended for the old 8-bit
Commodore computers. The current version emulates the C64, the C128,
the VIC20, all the PET models (except the SuperPET 9000, which is out
of line anyway), the PLUS4 and the CBM-II (aka C610).
More information can be found on the VICE homepage:
http://www.viceteam.org/
Affected VICE versions:
At least VICE 1.6 up to VICE 1.14 on all plattforms are affected. The
VICE team has not checked if older version are affected, too.
Description:
There is a format string vulnerability in the handling of the monitor
"memory dump" command. If the string to be output contains any % sign,
it is interpreted as a command for the output, normally resulting in a
crash. Even more sophisticated exploits, like arbitrary code execution
on the host machine, are possible.
Impact:
It is possible to crash the emulator or even execute arbitrary code on
the host machine from the inside of the emulated machine. For this, an
attacker needs to fill up parts of the memory with a specific value
and wheedle the user to enter the monitor and type in a specific
command.
Without the user being wheedled to enter the monitor and type in that
specific command, this vulnerability is not exploitable.
Proof-of-Concept:
The VICE team will not publish exploit code.
Severity rating:
This vulnerability can be used to execute arbitrary code on the host
machine out of the emulated machine. Anyway, since it requires the
user to enter the monitor and type a specific command, we find the
risk low of exploiting this. It should be hard to wheedle the user to
press exact this sequence.
Workaround:
Don't use the VICE monitor.
Solution:
Upgrade to a newer version of VICE as soon as it becomes available, or
use the attached security patch at [2].
Updates:
An online version of this document can be found at [3].
References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0453
[2] http://www.trikaliotis.net/vicekb/vice-1.14-mon-vuln.diff.gz
[3] http://www.trikaliotis.net/vicekb/vsa-2004-1
Date line:
June 8, 2004: The VICE team has been informed about this vulnerability
June 8, 2004: The VICE team releases an internal patch the fix this
vulnerability
June 10, 2004: First Linux distributors are being contacted.
June 14, 2004: Publication of this flaw
------------------------------------------------------------------------
June 14, 2004 The VICE team
Regards,
Spiro Trikaliotis.