Bug 56976 (CVE-2004-0453)

Summary: VUL-0: CVE-2004-0453: vice: format string bug
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Michal Čihař <mcihar>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0453: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Biege 2004-06-14 18:41:29 UTC
Hi, 
I saw the following on FD. 
 
From:    Spiro Trikaliotis <trik-news@gmx.de>
To:      Full-Disclosure <full-disclosure@lists.netsys.com>
Cc:      Bugtraq <bugtraq@securityfocus.com>
Subject: [Full-Disclosure] VICE emulator format string vulnerability
Date:    Mon, 14 Jun 2004 07:54:02 +0200
------------------------------------------------------------------------ 
VICE Security Advisory                                        VSA-2004-1 
------------------------------------------------------------------------ 
 
Summary: 
 
           Severity: Low 
              Title: VICE monitor memory dump format string vulnerability 
               Date: June 14, 2004 
            Version: 1 
                 ID: VSA-2004-01 
             Impact: Could allow arbitrary code execution 
       Project site: http://www.viceteam.org/ 
  Affected Versions: VICE 1.6 up to 1.14 on all platforms 
           Revision: 1 
          CVE Names: CAN-2004-0453 
 
------------------------------------------------------------------------ 
 
What is VICE? 
 
  VICE is a program that runs on a Unix, MS-DOS, Win32, OS/2, Acorn RISC 
  OS or BeOS machine and executes programs intended for the old 8-bit 
  Commodore computers. The current version emulates the C64, the C128, 
  the VIC20, all the PET models (except the SuperPET 9000, which is out 
  of line anyway), the PLUS4 and the CBM-II (aka C610). 
 
  More information can be found on the VICE homepage: 
  http://www.viceteam.org/ 
 
 
Affected VICE versions: 
 
  At least VICE 1.6 up to VICE 1.14 on all platforms are affected. The 
  VICE team has not checked if older versions are affected, too. 
 
 
Description: 
 
  There is a format string vulnerability in the handling of the monitor 
  "memory dump" command. If the string to be output contains any % sign, 
  it is interpreted as a command for the output, normally resulting in a 
  crash. Even more sophisticated exploits, like arbitrary code execution 
  on the host machine, are possible. 
 
 
Impact: 
 
  It is possible to crash the emulator or even execute arbitrary code on 
  the host machine from the inside of the emulated machine. For this, an 
  attacker needs to fill up parts of the memory with a specific value 
  and wheedle the user to enter the monitor and type in a specific 
  command. 
 
  Without the user being wheedled to enter the monitor and type in that 
  specific command, this vulnerability is not exploitable. 
 
 
Proof-of-Concept: 
 
  The VICE team will not publish exploit code. 
 
 
Severity rating: 
 
  This vulnerability can be used to execute arbitrary code on the host 
  machine out of the emulated machine. Anyway, since it requires the 
  user to enter the monitor and type a specific command, we find the 
  risk low of exploiting this. It should be hard to wheedle the user to 
  press exactly this sequence. 
 
 
Workaround: 
 
  Don't use the VICE monitor. 
 
 
Solution: 
 
  Upgrade to a newer version of VICE as soon as it becomes available, or 
  use the attached security patch at [2]. 
 
 
Updates: 
 
  An online version of this document can be found at [3]. 
 
 
References: 
 
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0453 
  [2] http://www.trikaliotis.net/vicekb/vice-1.14-mon-vuln.diff.gz 
  [3] http://www.trikaliotis.net/vicekb/vsa-2004-1 
 
 
Date line: 
 
  June  8, 2004: The VICE team has been informed about this vulnerability 
  June  8, 2004: The VICE team releases an internal patch to fix this 
                 vulnerability 
  June 10, 2004: First Linux distributors are being contacted. 
  June 14, 2004: Publication of this flaw 
 
 
------------------------------------------------------------------------ 
 
June 14, 2004                                              The VICE team 
 
Regards, 
   Spiro Trikaliotis. 
 
_______________________________________________ 
Full-Disclosure - We believe in it. 
Charter: http://lists.netsys.com/full-disclosure-charter.html
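The advisory above describes the bug class but, as it says, publishes no code. The following C program is an added illustration written for this page; it is not VICE's code and does not reproduce VICE's monitor (the row layout, the `render_row`/`emit_row_*` names and the 16 sample bytes are all constructed for the example). It renders one row of a monitor-style "memory dump" from emulated memory that happens to contain 0x25 ('%') bytes, then shows the two output paths side by side: the vulnerable one, where the rendered row is used as the format string, and the fixed one, where the row is passed as data behind a constant `"%s"` format. The `-Wformat-security` warning that GCC and clang emit on the vulnerable line is the cheapest detection for this class of defect.

```c
#include <assert.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of 16 bytes of "emulated memory" (hypothetical, not taken
 * from any real image). 0x25 is '%', so the printable column of a dump will
 * contain "%x", "%n" and "%%": harmless as data, dangerous as a format string. */
static const uint8_t sample_mem[16] = {
    0x48, 0x49, 0x25, 0x78, 0x25, 0x6e, 0x00, 0xff,
    0x25, 0x25, 0x41, 0x42, 0x43, 0x0a, 0x44, 0x45
};

/* Render one 16-byte row in the usual monitor style:
 *   "c000: 48 49 ... 45 |HI%x%n..%%ABC.DE|"
 * Non-printable bytes become '.'; '%' is printable and is kept verbatim. */
static void render_row(uint16_t addr, const uint8_t *mem, char *row, size_t rowlen)
{
    char hex[16 * 3 + 1];
    char ascii[16 + 1];
    for (int i = 0; i < 16; i++) {
        snprintf(hex + i * 3, 4, "%02x ", mem[i]);
        ascii[i] = isprint(mem[i]) ? (char)mem[i] : '.';
    }
    ascii[16] = '\0';
    snprintf(row, rowlen, "%04x: %s|%s|", addr, hex, ascii);
}

/* VULNERABLE pattern (the bug class the advisory describes): the rendered row,
 * whose bytes are chosen by whatever runs inside the emulated machine, is
 * passed as the FORMAT argument. "%x" then reads the caller's stack slots and
 * "%n" writes a count through a pointer taken from them: a crash at best.
 * GCC/clang flag this line with -Wformat-security; the warning is silenced
 * here only so the contrast compiles. Never called with the sample data. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int emit_row_vulnerable(char *out, size_t outlen, const char *row)
{
    return snprintf(out, outlen, row);
}
#pragma GCC diagnostic pop

/* FIXED pattern: the format is a constant and the row is an ordinary argument,
 * so every '%' in the data is copied literally. */
static int emit_row_safe(char *out, size_t outlen, const char *row)
{
    return snprintf(out, outlen, "%s", row);
}

/* Render the sample row through the fixed path and return it (static buffer). */
const char *sample_row_safe(void)
{
    static char row[96];
    static char out[96];
    render_row(0xc000, sample_mem, row, sizeof row);
    emit_row_safe(out, sizeof out, row);
    return out;
}

/* 1 if the fixed path reproduces the rendered row byte-for-byte, including
 * the "%x%n" and "%%" sequences, 0 otherwise. */
int safe_path_preserves_percent(void)
{
    char row[96];
    char out[96];
    render_row(0xc000, sample_mem, row, sizeof row);
    int n = emit_row_safe(out, sizeof out, row);
    return n == (int)strlen(row) && strcmp(out, row) == 0
        && strstr(out, "%x%n") != NULL && strstr(out, "%%") != NULL;
}

int main(void)
{
    (void)emit_row_vulnerable; /* defined for contrast only; never invoked */
    puts(sample_row_safe());
    return safe_path_preserves_percent() ? 0 : 1;
}
```

The fix is the same shape as the one the advisory's patch applies to the monitor: the data never becomes the format. Building with `-Wall -Wformat=2 -Werror=format-security` turns the vulnerable form into a compile error, which is how a distribution packager can catch a regression of this kind before shipping.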
Comment 1 Thomas Biege 2004-06-14 18:41:29 UTC
Comment 2 Thomas Biege 2004-06-14 18:44:03 UTC
fixing it in STABLE is sufficient. 
Comment 3 Michal Čihař 2004-06-15 00:47:23 UTC
Fine, let's wait for new version.
Comment 4 Thomas Biege 2004-08-13 20:02:50 UTC
Date: Fri, 13 Aug 2004 14:00:02 +0200 (CEST) 
From: mcihar@suse.cz 
Reply-To: suse-dist@suse.de 
To: suse-dist@suse.de 
Subject: [SUSE-DIST] submit: vice -> STABLE (stable-all) 
 
Hi, 
package vice has been submitted into /work/src/done/STABLE/vice. 
The sources have been checked out from /work/SRC/all/vice. 
It is intended for stable-all. 
 
vice.changes: 
------------------------------------------------------------------- 
Fri Aug 13 14:00:01 CEST 2004 - mcihar@suse.cz 
 
- there seems to be no version update, so fix security bug (bug 56976) 
 
------------------------------------------------------------------- 
 
total 2550 
-rw-r--r--    1 czbuild  suse          244 Mar 15  2001 README.SuSE 
-rw-r--r--    1 czbuild  suse         2520 Mar 18 10:22 vice 
-rw-r--r--    1 czbuild  suse          483 Jul  1 14:20 vice-1.14-64-bit.patch 
-rw-r--r--    1 czbuild  suse          342 Jun  6  2002 vice-1.14-destdir.patch 
-rw-r--r--    1 czbuild  suse          329 Mar 19 15:52 vice-1.14-ei_info.patch 
-rw-r--r--    1 czbuild  suse          288 Mar  4 13:06 vice-1.14-font.patch 
-rw-r--r--    1 czbuild  suse         1529 Mar 19 15:28 vice-1.14-i810.patch 
-rw-r--r--    1 czbuild  suse         3710 Jun 14 21:00 vice-1.14-mon-vuln.patch 
-rw-r--r--    1 czbuild  suse         3703 Mar  4 14:22 vice-1.14-regparm.patch 
-rw-r--r--    1 czbuild  suse         4823 Mar  4 13:03 vice-1.14-romimg.patch 
-rw-r--r--    1 czbuild  suse      2539689 Mar  4 13:01 vice-1.14.tar.bz2 
-rw-r--r--    1 czbuild  suse         7579 Aug 13 14:00 vice.changes 
-rw-r--r--    1 czbuild  suse         8348 Aug 13 13:05 vice.spec 
 
Comment 5 Thomas Biege 2009-10-13 20:26:16 UTC
CVE-2004-0453: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)