- RETROARCH WINDOWS 10 PATCH
- RETROARCH WINDOWS 10 FULL
- RETROARCH WINDOWS 10 SOFTWARE
- RETROARCH WINDOWS 10 CODE
- RETROARCH WINDOWS 10 DOWNLOAD
Now that we have a way of injecting arbitrary content into the PowerShell script, we must escape from the string. In the below image, Exploit Placeholder represents the directory which will eventually contain our exploit payload: FIGURE 2 - RetroArch file selection screen When a user scrolls through a list of the files within RetroArch and reaches our malicious filename, it will be passed into the accessibility_speak_windowsfunction and injected into the PowerShell script. The best way to do that is by adding a malicious file or directory to a location that a user loads ROMs or cores from.
RETROARCH WINDOWS 10 CODE
Since RetroArch perform text-to-speech on menu items, we need to insert a menu item with our exploit code in it. To exploit this vulnerability, we first need to be able to control the text that is to be spoken. The text to be spoken is not sanitized before being injected into the PowerShell command, which leaves it open to injection. "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Speech $synth = New-Object $synth.Rate = %s $synth.Speak(\\\"%s\\\") \"", speeds, (char*) speak_text) įIGURE 1 – accessibility_speak_windows.c function showing un-sanitized input being passed to PowerShell "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Speech $synth = New-Object $synth.SelectVoice(\\\"%s\\\") $synth.Rate = %s $synth.Speak(\\\"%s\\\") \"", language, speeds, (char*) speak_text) As shown below, the function invokes an instance of PowerShell and passes in a pre-built script containing the code to perform the text-to-speech as well as the text to be spoken: static bool accessibility_speak_windows(int speed, The accessibility_speak_windowsfunction in the /frontend/drivers/platform_win32.c file handles calls to perform the text-to-speech on any text that needs to be spoken. If remote file shares are utilized to load content for RetroArch, the vulnerability may be exploited remotely.
RETROARCH WINDOWS 10 FULL
Successful exploitation can result in full remote code execution under the context of the RetroArch user. It also requires that a directory or file with a malicious name is read aloud by the text-to-speech engine, commonly done when a user navigates through the menus while the engine is enabled. The exploit requires the text-to-speech engine to be enabled. The RetroArch for Windows application was affected by a command injection vulnerability that allowed arbitrary commands to be injected into a PowerShell script utilized by the text-to-speech engine.
RETROARCH WINDOWS 10 PATCH
The vulnerability is described in the sections below.ĭisable the text-to-speech option in RetroArch until a patch is made available. One vulnerability was identified within the RetroArch for Windows application:
The latest version of the application is 1.9.4, released on May 5, 2021. RetroArch is the official front end for libretro, a multi-platform library for emulation.
RetroArch does not require a privileged folder for importing content, opening exploitation to anyone with potential access to the host, and will execute as the user running the application.
RETROARCH WINDOWS 10 SOFTWARE
With the reach of the application across the consumer market, arbitrary code execution presents a very clear and present risk to any host running a vulnerable version.Īs the execution of the command can occur simply by the act of reading filenames from a directory for import, malicious commands could be included in file sets meant for import provided in ROM packages or supplemental software or placed in unprivileged folders for later execution.
RETROARCH WINDOWS 10 DOWNLOAD
RetroArch is one of the most trusted emulation front-ends available and has recently become available for download on the Steam platform, making it easily accessible to millions of people worldwide.
The text-to-speech engine in libretro RetroArch for Windows 1.9.0 - 1.9.4 passes unsanitized input to PowerShell through platform_win32.c via the accessibility_speak_windows function, which allows attackers who have write access on filesystems that are used by RetroArch to execute code via command injection using specially a crafted file and directory names.
0 kommentar(er)
