Attack Chain

1. The attacker gains local access to a system with Snes9K 0.0.9z installed.
2. The attacker opens the Snes9K application.
3. The attacker navigates to the “Netplay Options” menu within the application.
4. The attacker locates the “Netplay Socket Port Number” field.
5. The attacker crafts a malicious payload designed to overwrite the SEH chain. This payload includes the address of the attacker’s shellcode.
6. The attacker pastes the malicious payload into the “Netplay Socket Port Number” field, exceeding the expected buffer size.
7. The application attempts to handle the overflow, triggering the SEH.
8. The SEH is overwritten by the attacker’s payload, redirecting execution to the attacker’s shellcode. This results in arbitrary code execution.

Impact

Successful exploitation of this buffer overflow vulnerability allows a local attacker to execute arbitrary code on the affected system. This could lead to complete system compromise, including data theft, installation of malware, and further lateral movement within the network. While the vulnerability requires local access, it could be leveraged as part of a more complex attack chain, for example, after initial access is gained through a separate vulnerability or social engineering.

Recommendation

• Monitor for the execution of Snes9K followed by unusual process creation, using the process_creation Sigma rule provided below.
• Monitor for applications writing to Snes9K configuration files followed by the execution of Snes9K, using the file_event and process_creation Sigma rules provided below.
• Consider removing the vulnerable software from systems or restricting access to it until a patched version is available.