
[Security] Sandbox escape in Mupen64Plus core #3929

Closed
YoshiRulz opened this issue May 28, 2024 · 5 comments

Comments

@YoshiRulz
Member

YoshiRulz commented May 28, 2024

In summary:
There is a possibility that a malicious N64 ROM (.n64, .v64, .z64), when loaded in the Mupen64Plus core, could exploit the core and write into host memory where the executable is stored, thereby executing arbitrary code on the host system.
The Mupen core shipped with 2.9.1 and every prior release would be vulnerable. The Ares64 core would not be vulnerable (so Linux users are safe, unless you've ignored our warnings and used WINE/Proton).
CPP has identified and fixed all the instances of the offending buffer overflow bugs that he could find, so you should grab a dev build if you want to play homebrew or patched ROMs or use any Internet content with the Mupen core. The first build with the fix is this one.

I still have very little information on this, but here's what I've been able to piece together:

  • 2024-02-11: aglab publishes a proof-of-concept exploit for PJ64 v1.6
  • 2024-02-19: aglab publishes a write-up of the PJ64 vuln as a Gist
  • 2024-02-26: The first related commit for ParallelN64 is authored by falcobuster
  • ≤2024-02-29: Yoshi is made aware of the PJ64 vuln
  • 2024-04-01: A group of TASers including devwizard submit Paper Mario "bluescreen%" for TASVideos' April Fools' day event; the movie is for Mupen64Plus in EmuHawk 2.9.1 and as the name suggests causes the host system to crash
  • 2024-04-03: devwizard explains that bluescreen% is a sandbox escape in TASVideos #general and no-one tells Yoshi anything >:(
  • ≤2024-04-14: devwizard submits あのスライダーのひみつ, an SM64 romhack, to RHDC for one of its competitions (the submission has since been removed by RHDC staff)—the hack contains a sandbox escape for ParallelN64 which doesn't trigger when played by e.g. competition moderators (bad form IMO)
  • 2024-05-17: SimpleFlips plays devwizard's hack live on stream
  • 2024-05-17: devwizard uploads the source for their romhack to GitHub—note that the payload was split between the hack (patch) itself and a blob downloaded via Parallel Launcher's networking library (apparently in devwizard's RHDC avatar, clever)
  • 2024-05-17: Yoshi is made aware of the Mupen vuln
  • 2024-05-17: Mupen64Plus upstream is made aware of the Mupen vuln: Fix buffer overflow in RSP DMA - SECURITY CONCERN mupen64plus/mupen64plus-core#1081
  • 2024-05-21: The first related commit for Mupen64Plus (standalone) is authored
  • 2024-05-24: falcobuster adds the line "A similar vulnerability also exists in all versions of Bizhawk [sic]" to RHDC's site-wide banner re: the PJ64 vuln
  • 2024-05-28: Public disclosure from BizHawk project of possible vuln in Mupen64Plus core
  • 2024-05-30: The first related commit for Mupen64Plus in EmuHawk is authored by CPP
  • 2024-06-05: Yoshi is made aware that bluescreen% is a sandbox escape
@YoshiRulz added the labels "Core: Mupen64Plus", "Repro: Could not reproduce", "Repro: Affects 2.9.2 dev", "re: Security" and "Repro: Affects 2.9.1" on May 28, 2024
@Morilli
Collaborator

Morilli commented May 29, 2024

Is there more information on this supposed RCE? Also, is there a POC for actually executing code or is this just theoretical at the moment?

@YoshiRulz added the label "Repro: Fixed/added in 2.9.2 dev" and removed "Repro: Could not reproduce" and "Repro: Affects 2.9.2 dev" on May 30, 2024
@YoshiRulz pinned this issue on May 30, 2024
@YoshiRulz changed the title from "[Security] Possible RCE in Mupen64Plus core" to "[Security] Possible sandbox escape in Mupen64Plus core" on Jun 5, 2024
@YoshiRulz
Member Author

YoshiRulz commented Jun 5, 2024

I've spoken with devwizard and there is no POC for Mupen64Plus in EmuHawk, nor for any other fork. But as you can see, CPP ended up fixing several missing bounds checks, which I believe includes the one that the romhack in question exploits. It's likely that an attacker would "only" have to adapt some pointer offsets to target EmuHawk, since the Mupen core is a dynamic library executing directly on the host. Specifically, devwizard told me "it takes many hours of analysis and debugging to get this type of thing to work". (It's also possible that the "bluescreen%" payload could be turned into a sandbox escape / RCE instead.) Forget all of that, the earlier bluescreen% submission includes a sandbox escape.

@YoshiRulz changed the title from "[Security] Possible sandbox escape in Mupen64Plus core" to "[Security] Sandbox escape in Mupen64Plus core" on Jun 5, 2024
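The "missing bounds checks" the thread refers to, in a constructed model of a guest-to-scratchpad DMA. This is an added example, not Mupen64Plus or BizHawk code; the struct, sizes, sentinel value and both `sp_dma_*` functions are hypothetical, and it shows why a guest-controlled length and destination must be validated against the scratchpad size, and why the comparison must be written so it cannot wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not Mupen64Plus code: guest RDRAM, the RSP scratchpad
 * (SP memory, 8 KiB on real hardware) and some unrelated host data that
 * happens to follow the scratchpad in the emulator process. The scratchpad
 * and host data share one array so an overrun is observable without UB. */
#define RDRAM_SIZE 0x10000u
#define SPMEM_SIZE 0x2000u
#define HOST_SIZE  0x100u
#define HOST_FILL  0xA5

struct emu {
    uint8_t rdram[RDRAM_SIZE];
    uint8_t spmem[SPMEM_SIZE + HOST_SIZE]; /* only [0, SPMEM_SIZE) is the guest's */
};

static void emu_init(struct emu *e)
{
    memset(e->rdram, 0x41, RDRAM_SIZE);                  /* guest-chosen bytes */
    memset(e->spmem, 0x00, SPMEM_SIZE);
    memset(e->spmem + SPMEM_SIZE, HOST_FILL, HOST_SIZE); /* host-side sentinel */
}

/* Vulnerable pattern: length and destination come straight from guest-written
 * DMA registers and are never compared with the scratchpad size. */
static void sp_dma_unchecked(struct emu *e, uint32_t src, uint32_t dst, uint32_t len)
{
    for (uint32_t i = 0; i < len; i++)
        e->spmem[dst + i] = e->rdram[src + i];   /* dst + i can pass SPMEM_SIZE */
}

/* Hardened pattern: refuse any transfer that would leave either buffer. The
 * test is "dst > SIZE - len", not "dst + len > SIZE", so a huge dst cannot
 * wrap the 32-bit sum back into range. */
static bool sp_dma_checked(struct emu *e, uint32_t src, uint32_t dst, uint32_t len)
{
    if (len > SPMEM_SIZE || dst > SPMEM_SIZE - len) return false;
    if (len > RDRAM_SIZE || src > RDRAM_SIZE - len) return false;
    memcpy(&e->spmem[dst], &e->rdram[src], len);
    return true;
}

/* Did the host region survive? True when every sentinel byte is intact. */
static bool host_intact(const struct emu *e)
{
    for (uint32_t i = 0; i < HOST_SIZE; i++)
        if (e->spmem[SPMEM_SIZE + i] != HOST_FILL) return false;
    return true;
}
```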