Compromising a Linux desktop using 6502 opcodes on the NES

Typical music files are based on compressed samples and are decoded with a bunch of math. NSF music files, on the other hand, are played by actually emulating the NES CPU and sound hardware in real time.

Is that cool or what? The gstreamer plug-in creates a virtual 6502 CPU hardware environment and then plays the music by running a bit of 6502 code for a little while and then looking at the resulting values in the virtualized sound hardware registers and then rendering some sound samples based on that. [...]

There is a near total lack of bounds checking on proposed ROM mappings. This applies to both the initial ROM load, as well as subsequent ROM bank switching. [...]

However, a second logic quirk of this particular emulator makes things more serious: 2. Ability to load or bank switch ROM to writable memory locations. [...] As can be appreciated, we now have a lot of read and write control over the host emulator heap and the more experienced exploit writers will realize that successful exploitation is already all but assured. [...]

There's a critical reason that decent, reliable exploitation was possible with this bug: the presence of some form of "scripting" language. In this case, that script happens to be 6502 opcodes.
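As an added illustration (not the gstreamer plug-in's code, nor anything from the quoted write-up), here is a toy C model of the two flaws quoted above: a bank-switch handler that trusts the bank number and target window taken from the file, next to one that rejects banks past the end of the loaded ROM and windows outside the $8000-$FFFF ROM area. The 4 KiB bank size and the $5FF8-$5FFF select registers follow the NSF format; the struct and function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy NES address space with NSF-style bank switching, constructed for
   illustration. NSF maps eight 4 KiB ROM banks into $8000-$FFFF; a write
   to $5FF8-$5FFF selects which ROM bank fills each of the eight windows. */
#define BANK_SIZE   0x1000u
#define ROM_BASE    0x8000u
#define NUM_WINDOWS 8u

typedef struct {
    uint8_t        mem[0x10000]; /* emulated 64 KiB address space      */
    const uint8_t *rom;          /* ROM image taken from the NSF file  */
    size_t         rom_len;      /* bytes of ROM actually loaded       */
} Nes;

/* Vulnerable shape: both numbers come straight from the file. A bank past
   the ROM reads beyond rom[], and a window past slot 7 writes beyond the
   ROM area, i.e. into emulated RAM or whatever follows mem[] on the heap. */
static void bank_switch_unchecked(Nes *n, uint32_t bank, uint32_t window) {
    memcpy(n->mem + ROM_BASE + window * BANK_SIZE,
           n->rom + (size_t)bank * BANK_SIZE, BANK_SIZE);
}

/* Hardened shape: the copy may only read bytes that were loaded and only
   write one of the eight ROM windows. A trailing partial bank is refused. */
static int bank_switch_checked(Nes *n, uint32_t bank, uint32_t window) {
    size_t banks_present = n->rom_len / BANK_SIZE;
    if (window >= NUM_WINDOWS) return -1;   /* target would leave the ROM area */
    if (bank >= banks_present) return -1;   /* source would read past the ROM  */
    memcpy(n->mem + ROM_BASE + window * BANK_SIZE,
           n->rom + (size_t)bank * BANK_SIZE, BANK_SIZE);
    return 0;
}

/* Constructed 8 KiB ROM (two banks); returns 1 if every case behaves. */
static int run_demo(void) {
    static uint8_t rom[2 * BANK_SIZE];
    static Nes n;
    memset(rom, 0xA5, BANK_SIZE);
    memset(rom + BANK_SIZE, 0x5A, BANK_SIZE);
    n.rom = rom; n.rom_len = sizeof rom;
    bank_switch_unchecked(&n, 0, 0);                 /* fine on valid input   */
    int ok = n.mem[0x8000] == 0xA5;
    ok = ok && bank_switch_checked(&n, 1, 7) == 0 && n.mem[0xF000] == 0x5A;
    ok = ok && bank_switch_checked(&n, 2, 0) == -1;  /* bank beyond the ROM   */
    ok = ok && bank_switch_checked(&n, 0, 8) == -1;  /* window lands in RAM   */
    return ok;
}

int main(void) {
    printf("checked bank switching rejects bad mappings: %s\n", run_demo() ? "yes" : "no");
    return 0;
}
```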

It is amazing that bank switching is the key to an exploit on modern computers, however, it shouldn't really be all that surprising: everyone knows that bank switching is what made the T-800 possible.



2 Responses:

  1. This somehow makes Jeff Goldblum's whole thing in Independence Day so much more realistic.

  2. Kyzer says:

    At first I thought the hacking in Continuum was unrealistic - standard TV trope, genius haxor types something and suddenly everything is under his control. Lazy writing.

    But then it hit me - Continuum's haxor is from the future. As in, this haxor lived through or read about every known exploit of the 2010s, and knows the timeframes for when things are vulnerable. Even if he's not l33t, he'll know about Heartbleed, Shellshock, Dirty COW, Stagefright or other named CVEs. As long as you suspend your disbelief about time travel, then it holds up. You could go back to the 1980s and exploit sendmail and finger after watching a documentary on the Morris Worm, before Robert Morris even went to Cornell.

    All we need for a TV-compatible future is for people to naively link all utilities and physical objects (lights, power, water, air, guns, cameras, battlestars, TVs, microwaves) to computers, wirelessly if possible, then it's open season for both the haxors and lazy dramatists.
