VBA 1.8.0 & VBA-RR: Stack buffer overflow in XPC file parser results in code execution  @TheZZAZZGlitch
TheZZAZZGlitch | Uploaded September 2016 | Updated October 2024, 4 days ago.
First I break the games, then I break the emulator.
Don't use VBA. Use mGBA or VBA-M instead.
(Read the description for more information)

DESCRIPTION FOR INFOSEC PEOPLE:
Just download the PoC+advisory here: sites.google.com/site/thezzazzglitch/home/VBA18_CodeExec.zip

DESCRIPTION FOR EVERYONE ELSE:
This is an arbitrary code execution vulnerability in the old and discontinued VBA emulator, including VBA-RR.
It's possible to run untrusted code on the computer by loading a specially crafted XPC cheatlist. You can imagine someone using this vulnerability to create a cheatlist that installs a virus, then giving it to you, disguised as an 'awesome cheat code for level 255 Arceus in Red/Blue'.
Remember how in the Pokémon games one could trigger a buffer overflow bug to execute their own code on the console? This is exactly the same thing, but at the emulator level. An attacker can create a custom cheatlist that does whatever they want on your computer. In the video, I make it run calc.exe, because that's how I roll.
If you want to test it for yourself, here's an example exploit for VBA 1.8.0, along with a PDF explaining the technical side of the vulnerability: sites.google.com/site/thezzazzglitch/home/VBA18_CodeExec.zip

Additionally, I have received a lot of opinions that this feature is rarely used, so the vulnerability is of low severity. I don't believe that. Let's say I do a glitch video that presents an Arceus hack in Red/Blue, and I say you can try it yourself by running an EXE file. Not many people would try it, I assure you. Now, I instead tell you to try an XPC file, and tell you to import it through the 'Import Gameshark Code file' option. Works best on VBA. Now it sounds a lot better - it's a Gameshark code list, it can't be dangerous. Would you do it?
Code execution is always dangerous, because it breaks the basic security principle of "only executables can do anything to your computer".