This is a very thorough write up of an old but previously unknown 0day exploit for Ubuntu 12.04.5, leveraging libgstnsf.so in gstreamer 0.10.x to bypass 64-bit ASLR and DEP.
Essentially that version of gstreamer uses 6502 assembly code to emulate the NES’ CPU and sound hardware in realtime, which due to its lack of bounds checking can be tricked into performing an out of bounds read that will bypass ASLR and execute an arbitrary binary. The exploit can also be run on out of date versions of totem, rhythmbox, and nautilus, and goes to show how Ubuntu lags behind in using ASLR on binaries, as the equivalent versions in Fedora were not affected.
While much of the granular detail with regards to the 6502 assembly is lost on me (and I presume most hackers under the age of 35…) I found the methodological approach and detailed description to be fascinating and thought others here would appreciate as well.
I wonder how many there are out there that we don’t know about.