I didn’t realize they had to practically build an emulator for NES/6502 just to read a sound file. Wow. At the beginning, the author says the exploit activates without playing the file. Offers to explain that later. I must be overlooking the explanation. Why does it execute without opening the file?
It was briefly touched upon in one of the bullet points about attack vectors (it was seemingly unrelated, so you may have skimmed and missed it):
When the Downloads folder is later viewed in a file manager such as nautilus, an attempt is made to auto thumbnail files with known suffixes (so again, call the NSF exploit something.mp3). The exploit works against the thumbnailer.
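Added example, not from the article or from anyone in this thread: a small Python audit helper that reads GNOME-style .thumbnailer entries (the "[Thumbnailer Entry]" files with Exec/MimeType keys that a file manager consults, normally under /usr/share/thumbnailers) and reports which external parser would be spawned for a given filename. The lookup is by suffix only, which is why a renamed NSF file ends up in whatever handles audio/mpeg. The thumbnailer entries and command names below are constructed for the demo; point load_thumbnailers at the real directory to audit a live system.

```python
import configparser
import mimetypes
import os
import tempfile
from collections import defaultdict

# Constructed sample .thumbnailer entries in the GNOME format.
# The command names are illustrative, not taken from any real package.
SAMPLE_THUMBNAILERS = {
    "audio.thumbnailer": (
        "[Thumbnailer Entry]\n"
        "TryExec=example-audio-thumb\n"
        "Exec=example-audio-thumb -s %s %u %o\n"
        "MimeType=audio/mpeg;audio/x-wav;audio/x-nsf;\n"
    ),
    "image.thumbnailer": (
        "[Thumbnailer Entry]\n"
        "TryExec=example-image-thumb\n"
        "Exec=example-image-thumb %i %o\n"
        "MimeType=image/png;image/jpeg;\n"
    ),
}

def load_thumbnailers(directory):
    """Map each MIME type to the Exec commands registered for it."""
    by_mime = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".thumbnailer"):
            continue
        # interpolation=None: Exec lines contain literal %s/%u/%o tokens
        cp = configparser.ConfigParser(interpolation=None)
        cp.read(os.path.join(directory, name))
        if "Thumbnailer Entry" not in cp:
            continue
        entry = cp["Thumbnailer Entry"]
        for mime in entry.get("MimeType", "").split(";"):
            if mime:
                by_mime[mime].append(entry.get("Exec", ""))
    return dict(by_mime)

def parsers_for_file(filename, by_mime):
    """Commands a file manager would run for this name, chosen by suffix alone."""
    mime, _ = mimetypes.guess_type(filename)
    return by_mime.get(mime, [])

def load_samples():
    """Write the constructed entries to a temp dir and load them."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE_THUMBNAILERS.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(body)
        return load_thumbnailers(d)
```

Running parsers_for_file("something.mp3", load_samples()) shows the audio thumbnailer being selected for a file that was never inspected by content.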
Appreciate it! Makes me smile as I disabled thumbnails on most systems worried a parsing attack would happen at some point. I think they already did on Windows but can’t recall with bad memory. A general principle of mine is I want to control when something dangerous happens. Specifically, safe by default with me consciously making that the decision to do something risky and being aware of it.
Absolutely. This is a close relative to the “autorun” exploit on older Windows versions where it would execute whatever was defined in a removable disk/drive’s root “autorun.inf” file.
Ubuntu core maintainers should be aware of this type of attack against thumbnailers, as there’s a ticket open for sandboxing thumbnailers (“gnome thumbnailers should have an apparmor profile”):
But no meaningful progress has been made to address the ticket apart from a PoC from 2011.
Makes me smile as I disabled thumbnails on most systems worried a parsing attack would happen at some point.
Nice write-up. Yeah, all kinds of issues apparently.
The whole “parsing is one of the riskiest things we do” thing only hit home for me recently, when I read the qmail paper (PDF).
In this case, the huge number of different parsers a file browser may decide to invoke is pretty damn scary!
Indeed. And if you think about the number of frameworks and applications that make use of file(1), either directly or indirectly, to determine file types, you’d never sleep at night… OpenBSD’s implementation has been privilege separated since 5.8.
That was a great paper. The people publishing the most on parser and protocol issues at language level are LANGSEC:
Gonna be the Rust guy…. but it would be cool if we could somehow crowdsource rewriting a bunch of these minor but installed everywhere stuff.
Like, have a website that lists a bunch of minor projects that are installed on 90+% of Ubuntu systems. And some guides on how to do C -> Rust. And have some people start writing in-place replacements for these.
I bet a lot of these projects are small, too. This would be a fun project if you had infinite time.
This platform does basically what you’re after. Anyone can list an improvement (generally to an open source project), and attach a bounty to it, and anyone can bid on / accept the work.