Is that cool or what? The gstreamer plug-in creates a virtual 6502 CPU hardware environment and then plays the music by running a bit of 6502 code for a little while and then looking at the resulting values in the virtualized sound hardware registers and then rendering some sound samples based on that. [...]
There is a near total lack of bounds checking on proposed ROM mappings. This applies to both the initial ROM load, as well as subsequent ROM bank switching. [...]
However, a second logic quirk of this particular emulator makes things more serious: 2. Ability to load or bank switch ROM to writable memory locations. [...] As can be appreciated, we now have a lot of read and write control over the host emulator heap and the more experienced exploit writers will realize that successful exploitation is already all but assured. [...]
There's a critical reason that decent, reliable exploitation was possible with this bug: the presence of some form of "scripting" language. In this case, that script happens to be 6502 opcodes.
It is amazing that bank switching is the key to an exploit on modern computers, however, it shouldn't really be all that surprising: everyone knows that bank switching is what made the T-800 possible.
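As an added illustration of the two checks the quoted report says were missing (this is not code from the gstreamer plug-in or from the article), here is a minimal NES-style PRG bank mapper that rejects a bank index beyond the loaded image and a switch that would map ROM over writable memory. The 16 KiB bank size, the $8000-$FFFF window layout and the error codes are simplifying assumptions.

```c
#include <stdint.h>
#include <string.h>

#define PRG_BANK_SIZE 0x4000u   /* 16 KiB PRG banks, as on the NES */
#define ROM_BASE      0x8000u   /* cartridge ROM occupies $8000-$FFFF */

enum map_result { MAP_OK = 0, MAP_BAD_SIZE, MAP_BAD_BANK, MAP_NOT_ROM_REGION };

struct cart {
    const uint8_t *prg;      /* attacker-supplied PRG ROM image */
    size_t nbanks;           /* whole 16 KiB banks in the image */
    uint8_t ram[ROM_BASE];   /* everything below $8000 is writable */
    const uint8_t *win[2];   /* bank mapped at $8000 and at $C000 */
};

/* Initial load: accept only a whole number of banks, so every bank pointer
 * handed out later covers PRG_BANK_SIZE bytes that really exist. */
enum map_result cart_load(struct cart *c, const uint8_t *prg, size_t prg_size)
{
    memset(c, 0, sizeof *c);
    if (prg_size == 0 || prg_size % PRG_BANK_SIZE != 0)
        return MAP_BAD_SIZE;
    c->prg = prg; c->nbanks = prg_size / PRG_BANK_SIZE;
    c->win[0] = prg;                                    /* bank 0 at $8000 */
    c->win[1] = prg + (c->nbanks - 1) * PRG_BANK_SIZE;  /* last bank at $C000 */
    return MAP_OK;
}

/* Bank switch requested by the emulated 6502 program: the bank index must lie
 * inside the image (else the window points into the host heap) and the target
 * must be a ROM window (else ROM gets aliased over writable RAM). */
enum map_result cart_bank_switch(struct cart *c, uint16_t dest, unsigned bank)
{
    if (dest < ROM_BASE || (dest - ROM_BASE) % PRG_BANK_SIZE != 0)
        return MAP_NOT_ROM_REGION;
    if (bank >= c->nbanks)
        return MAP_BAD_BANK;
    c->win[(dest - ROM_BASE) / PRG_BANK_SIZE] = c->prg + (size_t)bank * PRG_BANK_SIZE;
    return MAP_OK;
}

/* Constructed 3-bank image exercising the checks; returns how many held (6). */
int mapper_self_check(void)
{
    static uint8_t rom[3 * PRG_BANK_SIZE];
    struct cart c; int ok = 0;
    ok += cart_load(&c, rom, sizeof rom) == MAP_OK && c.win[1] == rom + 2 * PRG_BANK_SIZE;
    ok += cart_bank_switch(&c, 0x8000, 1) == MAP_OK && c.win[0] == rom + PRG_BANK_SIZE;
    ok += cart_bank_switch(&c, 0xC000, 0) == MAP_OK && c.win[1] == rom;
    ok += cart_bank_switch(&c, 0x8000, 3) == MAP_BAD_BANK;        /* past the image */
    ok += cart_bank_switch(&c, 0x6000, 0) == MAP_NOT_ROM_REGION;  /* into RAM */
    ok += cart_load(&c, rom, sizeof rom - 1) == MAP_BAD_SIZE;     /* truncated image */
    return ok;
}
```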