lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 31 Jul 2017 15:10:14 +0800 (GMT+08:00)
From: "qflb.wu" <qflb.wu@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] libid3tag multiple vulnerabilities

libid3tag multiple vulnerabilities
================
Author : qflb.wu
===============


Introduction:
=============
Libid3tag is an ID3 tag manipulation library.


Affected version:
=====
0.15.1b


Vulnerability Description:
==========================
1.
the id3_ucs4_length function in ucs4.c in libid3tag 0.15.1b can cause a denial of service(NULL Pointer Dereference and application crash) via a crafted mp3 file.


I found this bug when I test mpg321 0.3.2 which used the libid3tag library.


./mpg321 libid3tag_0.15.1b_null_pointer_dereference.mp3


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
id3_ucs4_length (ucs4=ucs4@...ry=0x0) at ucs4.c:46
46  while (*ptr)
(gdb) bt
#0  id3_ucs4_length (ucs4=ucs4@...ry=0x0) at ucs4.c:46
#1  0x00007ffff76be311 in id3_compat_fixup (tag=tag@...ry=0x60400000ce50)
    at compat.gperf:240
#2  0x00007ffff76c069f in v2_parse (ptr=0x61200000b9a1 "") at tag.c:613
#3  id3_tag_parse (data=data@...ry=0x61200000b8c0 "ID3\002", 
    length=length@...ry=263) at tag.c:665
#4  0x00007ffff76c1504 in read_tag (size=263, iofile=<optimized out>)
    at file.c:103
#5  add_tag (file=file@...ry=0x60600000eba0, length=263) at file.c:228
#6  0x00007ffff76c16cb in search_tags (file=0x60600000eba0) at file.c:307
#7  new_file (iofile=iofile@...ry=0x61600000de80, 
    mode=mode@...ry=ID3_FILE_MODE_READONLY, 
    path=path@...ry=0x60400000dfd0 "/home/a/Documents/file") at file.c:407
#8  0x00007ffff76c1890 in id3_file_open (
    path=0x60400000dfd0 "/home/a/Documents/file", 
    mode=ID3_FILE_MODE_READONLY) at file.c:439
#9  0x0000000000485f24 in get_id3_info (fname=<optimized out>, 
    id3struct=<optimized out>, id3tag=<optimized out>) at mpg321.c:485
#10 main (argc=<optimized out>, argv=<optimized out>) at mpg321.c:790
(gdb) 


-------------------
Breakpoint 2, id3_ucs4_length (ucs4=ucs4@...ry=0x0) at ucs4.c:46
46  while (*ptr)
(gdb) disassemble 
Dump of assembler code for function id3_ucs4_length:
=> 0x00007ffff76baee0 <+0>:cmpq   $0x0,(%rdi)
   0x00007ffff76baee4 <+4>:je     0x7ffff76baf02 <id3_ucs4_length+34>
   0x00007ffff76baee6 <+6>:mov    %rdi,%rax
   0x00007ffff76baee9 <+9>:nopl   0x0(%rax)
   0x00007ffff76baef0 <+16>:add    $0x8,%rax
   0x00007ffff76baef4 <+20>:cmpq   $0x0,(%rax)
   0x00007ffff76baef8 <+24>:jne    0x7ffff76baef0 <id3_ucs4_length+16>
   0x00007ffff76baefa <+26>:sub    %rdi,%rax
   0x00007ffff76baefd <+29>:sar    $0x3,%rax
   0x00007ffff76baf01 <+33>:retq   
   0x00007ffff76baf02 <+34>:xor    %eax,%eax
   0x00007ffff76baf04 <+36>:retq   
End of assembler dump.
(gdb) i r
rax            0x00
rbx            0x55
rcx            0x00
rdx            0x1016
rsi            0x55
rdi            0x00
rbp            0x7ffff76c329c0x7ffff76c329c
rsp            0x7fffffffb9980x7fffffffb998
r8             0x00
r9             0x7ffff6f7f7b8140737336833976
r10            0x7fffffffb760140737488336736
r11            0x7ffff76bde80140737344429696
r12            0x22
r13            0x6236d06436560
r14            0x6254bc6444220
r15            0x00
rip            0x7ffff76baee00x7ffff76baee0 <id3_ucs4_length>
eflags         0x246[ PF ZF IF ]
cs             0x3351
ss             0x2b43
ds             0x00
es             0x00
fs             0x00
---Type <return> to continue, or q <return> to quit---
gs             0x00
(gdb) ni


Program received signal SIGSEGV, Segmentation fault.
id3_ucs4_length (ucs4=ucs4@...ry=0x0) at ucs4.c:46
46  while (*ptr)
(gdb) 
--------------------
id3_length_t id3_ucs4_length(id3_ucs4_t const *ucs4)
{
  id3_ucs4_t const *ptr = ucs4;


  while (*ptr)
    ++ptr;


  return ptr - ucs4;
}


POC:
libid3tag_0.15.1b_null_pointer_dereference.mp3
CVE:
CVE-2017-11550


2.
the id3_field_parse function in field.c in libid3tag 0.15.1b can cause a denial of service(OOM) via a crafted mp3 file.


I found this bug when I test mpg321 0.3.2 which used the libid3tag library.


./mpg321 libid3tag_0.15.1b_OOM.mp3


----debug info:----
(gdb) bt
#0  id3_field_parse (field=0x625180, ptr=ptr@...ry=0x7fffffffba48, 
    length=<optimized out>, encoding=encoding@...ry=0x7fffffffba3c)
    at field.c:306
#1  0x00007ffff76bf10b in parse_data (frame=0x625120, frame=0x625120, 
    length=<optimized out>, data=0x623352 "") at frame.c:252
#2  id3_frame_parse (ptr=ptr@...ry=0x7fffffffbad8, length=length@...ry=96, 
    version=<optimized out>) at frame.c:464
#3  0x00007ffff76c03c4 in v2_parse (ptr=0x623353 "TT1") at tag.c:607
#4  id3_tag_parse (data=data@...ry=0x623290 "ID3\002", length=length@...ry=263)
    at tag.c:665
#5  0x00007ffff76c1504 in read_tag (size=263, iofile=<optimized out>)
    at file.c:103
#6  add_tag (file=file@...ry=0x62b7f0, length=263) at file.c:228
#7  0x00007ffff76c16cb in search_tags (file=0x62b7f0) at file.c:307
#8  new_file (iofile=iofile@...ry=0x623450, 
    mode=mode@...ry=ID3_FILE_MODE_READONLY, 
    path=path@...ry=0x623040 "/home/a/Documents/file")
    at file.c:407
#9  0x00007ffff76c1890 in id3_file_open (
    path=path@...ry=0x623040 "/home/a/Documents/file", 
    mode=mode@...ry=ID3_FILE_MODE_READONLY) at file.c:439
#10 0x00000000004053c9 in get_id3_info (
    fname=fname@...ry=0x623040 "/home/a/Documents/file",
    ---Type <return> to continue, or q <return> to quit---
 id3struct=id3struct@...ry=0x7fffffffbd08, id3tag=id3tag@...ry=0x7fffffffbd10)
    at mpg321.c:485
#11 0x0000000000403eae in main (argc=<optimized out>, argv=<optimized out>)
    at mpg321.c:790
(gdb) r
Program terminated with signal SIGKILL, Killed.


----------------
##in field.c id3_field_parse function line:294 ==> line:308
      while (end - *ptr > 0) {
ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
if (ucs4 == 0)
  goto fail;


strings = realloc(field->stringlist.strings,
 (field->stringlist.nstrings + 1) * sizeof(*strings));
if (strings == 0) {
  free(ucs4);
  goto fail;
}


field->stringlist.strings = strings;
field->stringlist.strings[field->stringlist.nstrings++] = ucs4;
}


POC:
libid3tag_0.15.1b_OOM.mp3
CVE:
CVE-2017-11551




===============================




qflb.wu () dbappsecurity com cn






Download attachment "poc.zip" of type "application/x-zip-compressed" (1140 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ