Libgme Drive-by Exploit.


An interesting exploit:

https://scarybeastsecurity.blogspot.com/2016/12/redux-compromising-linux-using-snes.html

While this is tailored to Fedora 25 (with Chrome) and Ubuntu 16.04, in checking my CentOS 7 system I find that it is not vulnerable simply because it doesn’t have the libgme used by gstreamer-plugins-bad to make it work. However, gstreamer-plugins-bad-free is indeed installed, and is listed as an installation from anaconda, so it is on the media. I didn’t specifically select it in the package set I installed. I didn’t look to see if any third-party packages have it…. lessee…. nope, didn’t find the ‘Game Music Emu’ (gstreamer-plugins-bad-extras contains this in Fedora 25) anywhere, but I reserve the right to be wrong.

Now, even though C7 is not vulnerable by default, following Chris Evans’ narrative on how he dug this out and made it reliably exploitable is a very good read, especially if you want to see what kind of trampoline can actually be employed by those who really are out to get us.

3 thoughts on - Libgme Drive-by Exploit.

  • And five minutes later:
    [lowen@dhcp-pool170 ~]$ yum list|grep game-music-emu
    game-music-emu.x86_64            0.6.0-5.el7       @epel
    game-music-emu-debuginfo.x86_64  0.6.0-3.el7.nux   nux-dextop
    game-music-emu-devel.x86_64      0.6.0-5.el7       epel
    game-music-emu-player.x86_64     0.6.0-5.el7       epel
    [lowen@dhcp-pool170 ~]$ rpm -ql game-music-emu
    /usr/lib64/libgme.so.0
    /usr/lib64/libgme.so.0.6.0
    /usr/share/doc/game-music-emu-0.6.0
    /usr/share/doc/game-music-emu-0.6.0/changes.txt
    /usr/share/doc/game-music-emu-0.6.0/license.txt
    /usr/share/doc/game-music-emu-0.6.0/readme.txt
    [lowen@dhcp-pool170 ~]$

    Yep, I was wrong: it is available (package name in the article was wrong) but not installed by default (is in EPEL). So might be vulnerable, might need to test on a burner machine.

  • Like I said, I always reserve the right to be wrong. Debian has issued an update with a list of CVEs that are so new that they’re not on mitre yet. Debian DSA-3735-1:
    https://security-tracker.debian.org/tracker/DSA-3735-1

    This will be an EPEL update and not a CentOS one, as CentOS from media with no third-party repos does not have the affected library libgme.
    But a heads-up nonetheless, and a really good read if you are into how something like this (where this is Super NES audio chip (SPC700) assembly code) can cause a modern Linux distribution to be compromised. Silently, and in a drive-by-download fully automatic manner.
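The first reply's `yum list` / `rpm -ql` check and the second reply's point that libgme only arrives via EPEL both boil down to one question for a CentOS admin: is libgme on this box, and is the gstreamer plugin that would load it for a browser present too? The POSIX shell script below is an added example, not code from the thread or from the libgme or gstreamer projects. It assumes the library is installed as `libgme.so*` under `/usr/lib64` or `/usr/lib`, that the gstreamer element is named `libgstgme.so` and lives in a `gstreamer-1.0` or `gstreamer-0.10` plugin directory, and that `rpm -qf` is available to name the owning package; all of those are assumptions about a typical CentOS 7 / Fedora layout.

```shell
#!/bin/sh
# Added example, not part of the thread: locate Game Music Emu (libgme) and the
# gstreamer plugin that loads it, then, when rpm is available, name the owning
# package. Library and plugin file names and the directory lists in report()
# are assumptions about a typical CentOS 7 / Fedora layout.

# libgme_in_dirs DIR... : status 0 if any DIR directly contains libgme.so*
libgme_in_dirs() {
    for d in "$@"; do
        for f in "$d"/libgme.so*; do
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# gme_plugin_in_dirs DIR... : status 0 if any DIR directly contains the
# gstreamer gme element, assumed to be named libgstgme.so
gme_plugin_in_dirs() {
    for d in "$@"; do
        for f in "$d"/libgstgme.so*; do
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# owner FILE : print the RPM that owns FILE, or "unpackaged" when rpm is absent
# or does not know the file
owner() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null || echo "unpackaged"
    else
        echo "unpackaged"
    fi
}

# report : summarise the situation on this host; status 0 when both the library
# and the plugin are present (the drive-by path is complete), 1 otherwise
report() {
    libdirs="/usr/lib64 /usr/lib"
    plugdirs="/usr/lib64/gstreamer-1.0 /usr/lib/gstreamer-1.0 /usr/lib64/gstreamer-0.10 /usr/lib/gstreamer-0.10"
    status=1
    if libgme_in_dirs $libdirs; then
        for d in $libdirs; do
            for f in "$d"/libgme.so*; do
                [ -e "$f" ] && echo "libgme: $f (package: $(owner "$f"))"
            done
        done
        if gme_plugin_in_dirs $plugdirs; then
            for d in $plugdirs; do
                for f in "$d"/libgstgme.so*; do
                    [ -e "$f" ] && echo "gme plugin: $f (package: $(owner "$f"))"
                done
            done
            status=0
        else
            echo "libgme present but no gstreamer gme plugin found"
        fi
    else
        echo "libgme not found in: $libdirs"
    fi
    return $status
}

# Run the host check only when invoked with --check, so the functions can also
# be sourced and used individually.
case "${1:-}" in
    --check) report ;;
esac
```

Run it as `sh check-libgme.sh --check`; an exit status of 0 means both the library and the plugin are installed, which on a CentOS 7 system points at EPEL (or nux-dextop) rather than the install media, matching what the thread found.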