A vulnerability in a multimedia framework present on Version 12.04.5 of Ubuntu can be exploited by sound files meant to be played on the venerable Nintendo Entertainment System, according to security researcher Chris Evans.
The vulnerability is the result of a flaw in an audio decoder called libgstnsf.so, which allows gstreamer Version 0.10 to play the NSF files that the NES uses for music. NSF files, when played, use the host system’s hardware to create a virtualized version of the NES’ old 6502 processor and sound hardware in real time.
What the exploit does, in essence, is take advantage of the way NES cartridges used to handle switching between certain memory registers to run code on an unsuspecting Linux user’s desktop. (The sample exploit Evans provides uses the vulnerability to run Xcalc.)
“This exploit works against what I would consider the ‘default’ install,” he wrote in a blog post. “During Ubuntu install, there’s a question along the lines of ‘hey, do you want mp3s to work?’ and of course the correct answer is ‘yes.’ Various extra packages are then installed including gstreamer0.10-plugins-bad. This package includes libgstnsf.so.”
Evans suggests that the exploit could theoretically be distributed via email attachment, drive-by download targeting Google Chrome, or by USB, though it’s unlikely to become a widespread threat.
It is, as Evans makes clear, not a particularly serious zero-day. The flaw appears to only exist in Ubuntu 12.04.5, which is an older (though still supported) version of the popular Linux distro. The fix is as simple as removing libgstnsf.so, which doesn’t even result in a loss of functionality, since there’s another decoder that can play NSF music from the NES.
What’s more, exploit code requires an attacker to program in the arcane 6502 language designed for the NES processor, relying on the way the virtualized 6502 processor translates this code to deliver malicious instructions.