Ubuntu and Fedora were recently hit by a critical bug in GStreamer that let an attacker compromise a desktop with what looked like an ordinary MP3 or FLAC file. Fortunately for users, the hole was quickly closed by the maintainers of both distributions.
GStreamer is a free-software multimedia framework: a library for handling audio and video that sits in the same category as Apple's QuickTime and Microsoft's DirectShow.
The first version was released in the late 1990s; it was quickly adopted by free-software advocates and eventually became part of GNOME.
A GStreamer-specific bug
Today the library is used by many applications, among them Listen, Totem, Songbird and Clementine, to name only a few.
Chris Evans has long been passionate about computer security and spends much of his free time hunting for vulnerabilities and writing exploits. In the course of that work he found a critical, and rather unusual, vulnerability in GStreamer.
The library can decode many audio formats, including SPC files. If the format is unfamiliar: an SPC file is a snapshot of the sound hardware state of Nintendo's Super Nintendo console, used to play back music from that console's games.
GStreamer plays such files by embedding an emulator (from the Game Music Emu library, libgme, packaged as a GStreamer plugin) that simulates the console's audio CPU and sound processor and runs the file's contents on it. In other words, playing an SPC file means executing untrusted code on a software CPU, which is why the bug lives where it does.
Through extensive testing, Chris Evans found that a crafted SPC file could trigger a heap overflow in that emulator (a buffer overflow in dynamically allocated memory rather than on the stack) and therefore run arbitrary code with the privileges of the user playing the file. No root access is required; everything the user can read or write, the attacker can too.
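The kind of defect described above, as an added illustration that is not libgme's or GStreamer's code: a toy emulator keeps 64 KiB of emulated RAM in a heap buffer, and an indexed addressing mode adds an 8-bit index register to a 16-bit base address. Computed without wrapping, the result can reach 0x100FE, well past the 65,536-byte buffer; masking the sum to 16 bits, as the real 16-bit bus does, keeps every possible operand pair inside the allocation. The function names, the addressing mode and the operand values are hypothetical; this is not the actual libgme bug, only the general shape of an emulator heap overflow.

```c
/*
 * Added example, not GStreamer or libgme code. Shows how an emulator that
 * runs untrusted images can overflow a heap buffer when a 16-bit emulated
 * address plus an 8-bit index is applied to a 64 KiB array without wrapping.
 * The addressing mode and all names are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define EMU_RAM_SIZE 0x10000u   /* 64 KiB of emulated audio-CPU RAM */

typedef struct {
    uint8_t *ram;               /* heap-allocated emulated RAM */
} emu_t;

/* Vulnerable address computation: 0xFFFF + 0xFF = 0x100FE, past the buffer. */
uint32_t addr_unchecked(uint16_t base, uint8_t idx)
{
    return (uint32_t)base + idx;
}

/* Hardened computation: wrap to the 16-bit bus, as the real hardware does. */
uint16_t addr_wrapped(uint16_t base, uint8_t idx)
{
    return (uint16_t)((base + idx) & 0xFFFFu);
}

/* How many bytes past the end of RAM an unchecked indexed access would land;
 * 0 means the access stays inside the buffer. Pure arithmetic, nothing is
 * dereferenced, so this is safe to call with hostile operands. */
uint32_t overflow_distance(uint16_t base, uint8_t idx)
{
    uint32_t a = addr_unchecked(base, idx);
    return a < EMU_RAM_SIZE ? 0 : a - EMU_RAM_SIZE + 1;
}

emu_t *emu_new(void)
{
    emu_t *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    e->ram = calloc(EMU_RAM_SIZE, 1);
    if (!e->ram) { free(e); return NULL; }
    return e;
}

void emu_free(emu_t *e)
{
    if (!e) return;
    free(e->ram);
    free(e);
}

/* Safe indexed store/load: the address is wrapped before use, so no operand
 * pair supplied by the file can reach outside the 64 KiB heap buffer. */
void store_indexed(emu_t *e, uint16_t base, uint8_t idx, uint8_t v)
{
    e->ram[addr_wrapped(base, idx)] = v;
}

uint8_t load_indexed(const emu_t *e, uint16_t base, uint8_t idx)
{
    return e->ram[addr_wrapped(base, idx)];
}

/* Round trip on a constructed hostile operand pair: the store lands at 0x000F
 * (wrapped) instead of 0x1000F (heap overflow). Returns the byte read back. */
uint8_t demo_wrap_roundtrip(void)
{
    emu_t *e = emu_new();
    if (!e) return 0;
    store_indexed(e, 0xFFFF, 0x10, 0x41);
    uint8_t v = load_indexed(e, 0x000F, 0x00);
    emu_free(e);
    return v;
}

int main(void)
{
    printf("unchecked 0xFFFF+0x10 -> 0x%05x (%u bytes past RAM)\n",
           addr_unchecked(0xFFFF, 0x10), overflow_distance(0xFFFF, 0x10));
    printf("wrapped   0xFFFF+0x10 -> 0x%04x\n", addr_wrapped(0xFFFF, 0x10));
    printf("round-trip read back:   0x%02x\n", demo_wrap_roundtrip());
    return 0;
}
```

The lesson generalises beyond this toy: every emulated memory access in a decoder that executes file-controlled code is a bounds check the attacker gets to probe, and wrapping (or explicit range checking) must be applied at the point of use, not assumed from the width of the register.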
An attack based on a heap overflow
By exploiting the flaw, he built an SPC file that launches the calculator every time it is opened or played. A video recorded during one of these tests can be found at the end of the article.
With a working exploit in hand, Chris renamed the file with an .mp3 or .flac extension to make it look harmless to a hypothetical victim. The rename costs the attacker nothing: GStreamer identifies a file's format by inspecting its contents (typefinding), not by its extension, so the renamed file is still routed to the SPC decoder and the embedded emulator.
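Why the renaming trick works, as an added example that is not GStreamer's typefind code: a framework that sniffs content picks the decoder from the first bytes of the file, so an SPC image called song.mp3 is still handed to the SPC path. The signatures used ("SNES-SPC700 Sound File Data" for SPC, "fLaC" for FLAC, "ID3" or an MPEG frame sync for MP3) are the public magic values of those formats; the sample file is constructed here and is not a real song, and the function names are hypothetical.

```c
/*
 * Added example, not GStreamer code. Content sniffing versus extension-based
 * guessing: the framework follows the bytes, so a renamed SPC file still
 * reaches the SPC decoder. Magic values are the formats' public signatures;
 * the sample buffer is constructed; function names are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { KIND_UNKNOWN = 0, KIND_MP3, KIND_FLAC, KIND_SPC } media_kind;

/* Content-based detection, the behaviour a file rename cannot defeat. */
media_kind sniff_kind(const uint8_t *buf, size_t len)
{
    static const char spc_magic[] = "SNES-SPC700 Sound File Data";
    if (len >= sizeof spc_magic - 1 &&
        memcmp(buf, spc_magic, sizeof spc_magic - 1) == 0)
        return KIND_SPC;
    if (len >= 4 && memcmp(buf, "fLaC", 4) == 0)
        return KIND_FLAC;
    if (len >= 3 && memcmp(buf, "ID3", 3) == 0)
        return KIND_MP3;
    /* Raw MPEG audio frame: 11 sync bits set at the start of the frame. */
    if (len >= 2 && buf[0] == 0xFF && (buf[1] & 0xE0) == 0xE0)
        return KIND_MP3;
    return KIND_UNKNOWN;
}

/* Extension-based guess: what a naive allowlist, or a user reading the file
 * name, would conclude. */
media_kind kind_from_name(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (!dot) return KIND_UNKNOWN;
    if (strcmp(dot, ".mp3") == 0)  return KIND_MP3;
    if (strcmp(dot, ".flac") == 0) return KIND_FLAC;
    if (strcmp(dot, ".spc") == 0)  return KIND_SPC;
    return KIND_UNKNOWN;
}

/* Constructed SPC-looking file: the 33-byte header string, the two 0x1A
 * bytes that follow it in the format, then a zeroed body. Not a real song. */
size_t make_fake_spc(uint8_t *out, size_t cap)
{
    static const char hdr[] = "SNES-SPC700 Sound File Data v0.30";
    size_t n = sizeof hdr - 1;          /* 33 */
    if (cap < n + 2) return 0;
    memcpy(out, hdr, n);
    out[n] = 0x1A;
    out[n + 1] = 0x1A;
    if (cap > n + 2) memset(out + n + 2, 0, cap - (n + 2));
    return cap;
}

/* 1 if the framework would hand the file to a different decoder than the
 * name suggests (the renaming trick), else 0. */
int name_misleads(const char *name, const uint8_t *buf, size_t len)
{
    media_kind by_content = sniff_kind(buf, len);
    return by_content != KIND_UNKNOWN && by_content != kind_from_name(name);
}

/* Helpers that build the constructed file and return the verdicts. */
media_kind demo_sniff_fake_spc(void)
{
    uint8_t file[256];
    size_t n = make_fake_spc(file, sizeof file);
    return sniff_kind(file, n);
}

int demo_misleads(const char *name)
{
    uint8_t file[256];
    size_t n = make_fake_spc(file, sizeof file);
    return name_misleads(name, file, n);
}

int main(void)
{
    const char *names[] = { "song.spc", "song.mp3", "song.flac" };
    for (size_t i = 0; i < 3; i++)
        printf("%-10s name says %d, content says %d, misleads=%d\n",
               names[i], kind_from_name(names[i]), demo_sniff_fake_spc(),
               demo_misleads(names[i]));
    return 0;
}
```

The practical consequence for defenders is that an extension allowlist on uploads or downloads does not shrink the attack surface of a sniffing media stack; the only controls that help are fixing or disabling the fragile decoder and sandboxing whatever process parses untrusted media.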
The researcher promptly reported his findings to Ubuntu and Fedora, which released patches to close the hole before malware authors could exploit it. According to Chris, running the decoders in a sandbox would have been enough to blunt this kind of attack: a memory-corruption bug in a media parser would then be confined to an isolated process rather than handing over the user's session. This is not the first time he has found flaws in the library; he had already reported others last November.