Playing Media Files Can Lead to Remote Code Execution in Linux


A new 0-day vulnerability affecting Linux desktops was recently reported. It stems from a flaw in game-music-emu, a plugin that emulates various CPUs and audio processors so that a user can play different kinds of music files. The flaw is in the way game-music-emu emulates the SNES CPU and audio processor. A specially crafted SNES music file allows an attacker to execute code remotely on the system.

An analysis of the available POC samples is as follows:

By itself, the above code has been shown to cause the emulator to crash. This is caused by attempting to write to a location outside of the available memory.

The problem shown in the POCs is that the emulator does not have out-of-bounds checking for very large or negative values.

An attacker can thus create a specially crafted SNES music file and rename it with a .flac or .mp3 extension to entice an unsuspecting user to load the file into a player that uses the gstreamer framework. Game-music-emu is part of a plugin that can be added to the gstreamer framework.
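Because of the renaming described above, the file extension cannot be trusted when triaging media files. The following check is an added example, not code from the original post or from SonicWall: it walks a directory and reports files named .flac or .mp3 whose first bytes carry the SPC header tag. The tag value comes from the SPC file format rather than from the post, and the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# ASCII tag at the start of SPC (SNES music) files. This comes from the SPC
# file format, not from the original post.
SPC_MAGIC = b"SNES-SPC700 Sound File Data"
# Extensions the post says a crafted file may be renamed to.
DISGUISE_EXTS = {".flac", ".mp3"}


def find_disguised_spc(root):
    """Return sorted paths under root named .flac/.mp3 but holding SPC data."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in DISGUISE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(len(SPC_MAGIC))
            except OSError:
                continue  # unreadable entry, nothing to classify
            if header.startswith(SPC_MAGIC):
                hits.append(path)
    return sorted(hits)


def build_demo_tree(root):
    """Write constructed sample files; only the headers matter for this check."""
    samples = {
        "song.flac": b"fLaC" + b"\x00" * 32,                        # FLAC magic
        "track.MP3": b"ID3\x03\x00" + b"\x00" * 32,                 # ID3v2 tag
        "bonus.mp3": SPC_MAGIC + b" v0.30\x1a\x1a" + b"\x00" * 64,  # disguised
        "game.spc": SPC_MAGIC + b" v0.30\x1a\x1a" + b"\x00" * 64,   # honest name
        "short.flac": b"SNES",                                      # truncated
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for path in find_disguised_spc(tmp):
            print("SPC content behind audio extension:", path)
```

Run against the constructed tree, only `bonus.mp3` is reported; the honestly named `game.spc` is outside the scope of this check.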

SonicWALL Threat Research Team has written the following signature to help protect our customers from this attack:

  • SPY 1074: Malformed-File spc.OT.1