lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 27 Jun 2017 10:19:19 +0800 (GMT+08:00)
From: "qflb.wu" <qflb.wu@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] Freeware Advanced Audio Decoder 2 (FAAD2) multiple
	vulnerabilities

Freeware Advanced Audio Decoder 2 (FAAD2) multiple vulnerabilities


================
Author : qflb.wu
===============




Introduction:
=============
FAAD2 is a decoder for a lossy sound compression scheme specified in MPEG-2 Part 7 and MPEG-4 Part 3 standards and known as Advanced Audio Coding (AAC).


Affected version:
=====
2.7


Vulnerability Description:
==========================
1.
the mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service(invalid memory read and application crash) via a crafted mp4 file.


./faad faad2_2.7_mp4ff_read_stsd_invalid_memory_read.mp4 -o out.wav


ASAN:SIGSEGV
=================================================================
==79726==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x0000004a8cd5 sp 0x7ffe49bd3c20 bp 0x7ffe49bd3d20 T0)
   #0 0x4a8cd4 in mp4ff_read_stsd /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:386
   #1 0x4a8cd4 in mp4ff_atom_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:671
   #2 0x49e426 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:173
   #3 0x49b514 in parse_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:214
   #4 0x49a731 in mp4ff_open_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:43
   #5 0x47f80f in decodeMP4file /home/a/Downloads/faad2-2.7/frontend/main.c:778
   #6 0x47f80f in main /home/a/Downloads/faad2-2.7/frontend/main.c:1246
   #7 0x7f21554edec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
   #8 0x47cecc in _start (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x47cecc)


AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:386 mp4ff_read_stsd
==79726==ABORTING


POC:
faad2_2.7_mp4ff_read_stsd_invalid_memory_read.mp4
CVE:
CVE-2017-9218


2.
the mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service (memory allocation error and application crash) via a crafted mp4 file.


./faad faad2_2.7_mp4ff_read_stsc_memory_allocation_error.mp4 -o out.wav


==81366==ERROR: AddressSanitizer failed to allocate 0xac003000 (2885693440) bytes of LargeMmapAllocator: 12
==81366==Process memory map follows:
0x000000400000-0x0000004db000/home/a/Downloads/faad2-2.7/frontend/.libs/faad
0x0000006db000-0x0000006dc000/home/a/Downloads/faad2-2.7/frontend/.libs/faad
0x0000006dc000-0x0000006e1000/home/a/Downloads/faad2-2.7/frontend/.libs/faad
0x0000006e1000-0x000001b25000
0x00007fff7000-0x00008fff7000
...
==81366==End of process memory map.
==81366========
    #0 0x46cd8f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x46cd8f)
    #1 0x4725f1 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x4725f1)
    #2 0x476ebe in __sanitizer::MmapOrDie(unsigned long, char const*) (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x476ebe)
    #3 0x432598 in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x432598)
    #4 0x42e5db in __asan::Allocate(unsigned long, unsigned long, __sanitizer::StackTrace*, __asan::AllocType, bool) (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x42e5db)
    #5 0x466e26 in __interceptor_malloc (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x466e26)
    #6 0x4aae52 in mp4ff_read_stsc /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:423
    #7 0x4aae52 in mp4ff_atom_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:665
    #8 0x49e426 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:173
    #9 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
    #10 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
    #11 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
    #12 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
    #13 0x49b514 in parse_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:214
    #14 0x49a731 in mp4ff_open_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:43
    #15 0x47f80f in decodeMP4file /home/a/Downloads/faad2-2.7/frontend/main.c:778
    #16 0x47f80f in main /home/a/Downloads/faad2-2.7/frontend/main.c:1246
    #17 0x7f7260e5cec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #18 0x47cecc in _start (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x47cecc)


POC:
faad2_2.7_mp4ff_read_stsc_memory_allocation_error.mp4
CVE:
CVE-2017-9219


3.
the mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service (memory allocation error) via a crafted mp4 file.


./faad faad2_2.7_mp4ff_read_stco_memory_allocation_error.mp4 -o out.wav


==81459==WARNING: AddressSanitizer failed to allocate 0xfffffffe18000000 bytes
==81459==AddressSanitizer's allocator is terminating the process instead of returning 0
==81459==If you don't like this behavior set allocator_may_return_null=1
==81459==
    #0 0x46cd8f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x46cd8f)
    #1 0x4725f1 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x4725f1)
    #2 0x471330 in __sanitizer::AllocatorReturnNull() (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x471330)
    #3 0x466e26 in __interceptor_malloc (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x466e26)
    #4 0x4aab2f in mp4ff_read_stco /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:448
    #5 0x4aab2f in mp4ff_atom_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:668
    #6 0x49e426 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:173
    #7 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
    #8 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
    #9 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
    #10 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
    #11 0x49b514 in parse_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:214
    #12 0x49a731 in mp4ff_open_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:43
    #13 0x47f80f in decodeMP4file /home/a/Downloads/faad2-2.7/frontend/main.c:778
    #14 0x47f80f in main /home/a/Downloads/faad2-2.7/frontend/main.c:1246
    #15 0x7f3a7dd64ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #16 0x47cecc in _start (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x47cecc)


POC:
faad2_2.7_mp4ff_read_stco_memory_allocation_error.mp4
CVE:
CVE-2017-9220


4.
the mp4ff_read_mdhd function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service(invalid memory read and application crash) via a crafted mp4 file.


./faad faad2_2.7_mp4ff_read_mdhd_invalid_memory_read.mp4 -o out.wav


ASAN:SIGSEGV
=================================================================
==81533==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000009c (pc 0x0000004abd74 sp 0x7ffd8d1bb470 bp 0x7ffd8d1bb570 T0)
    #0 0x4abd73 in mp4ff_read_mdhd /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:614
    #1 0x4abd73 in mp4ff_atom_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:677
    #2 0x49e426 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:173
    #3 0x49e386 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:171
    #4 0x49b514 in parse_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:214
    #5 0x49a731 in mp4ff_open_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:43
    #6 0x47f80f in decodeMP4file /home/a/Downloads/faad2-2.7/frontend/main.c:778
    #7 0x47f80f in main /home/a/Downloads/faad2-2.7/frontend/main.c:1246
    #8 0x7f16f7a77ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #9 0x47cecc in _start (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x47cecc)


AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:614 mp4ff_read_mdhd
==81533==ABORTING


POC:
faad2_2.7_mp4ff_read_mdhd_invalid_memory_read.mp4
CVE:
CVE-2017-9221


5.
the mp4ff_parse_tag function in common/mp4ff/mp4meta.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 can to cause a denial of service(infinite loop and CPU consumption) via a crafted mp4 file.


./faad faad2_2.7_mp4ff_parse_tag_infinite_loop.mp4 -o out.wav


POC:
faad2_2.7_mp4ff_parse_tag_infinite_loop.mp4
CVE:
CVE-2017-9222


6.
the mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service(invalid memory read and application crash) via a crafted mp4 file.


./faad faad2_2.7_mp4ff_read_stts_invalid_memory_read.mp4 -o out.wav


ASAN:SIGSEGV
=================================================================
==86670==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x0000004aa0d1 sp 0x7ffc40cbbb80 bp 0x7ffc40cbbc80 T0)
    #0 0x4aa0d0 in mp4ff_read_stts /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:495
    #1 0x4aa0d0 in mp4ff_atom_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:659
    #2 0x49e426 in parse_sub_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:173
    #3 0x49b514 in parse_atoms /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:214
    #4 0x49a731 in mp4ff_open_read /home/a/Downloads/faad2-2.7/common/mp4ff/mp4ff.c:43
    #5 0x47f80f in decodeMP4file /home/a/Downloads/faad2-2.7/frontend/main.c:778
    #6 0x47f80f in main /home/a/Downloads/faad2-2.7/frontend/main.c:1246
    #7 0x7f0f9cfbeec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #8 0x47cecc in _start (/home/a/Downloads/faad2-2.7/frontend/.libs/faad+0x47cecc)


AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/a/Downloads/faad2-2.7/common/mp4ff/mp4atom.c:495 mp4ff_read_stts
==86670==ABORTING


POC:
faad2_2.7_mp4ff_read_stts_invalid_memory_read.mp4
CVE:
CVE-2017-9223


7.
the mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service(large loop and CPU consumption) via a crafted mp4 file.


./faad faad2_2.7_mp4ff_read_stsd_large_loop.mp4 -o out.wav


static int32_t mp4ff_read_stsd(mp4ff_t *f)
{
    int32_t i;
    uint8_t header_size = 0;


    mp4ff_read_char(f); /* version */
    mp4ff_read_int24(f); /* flags */


    f->track[f->total_tracks - 1]->stsd_entry_count = mp4ff_read_int32(f);  <==========


    for (i = 0; i < f->track[f->total_tracks - 1]->stsd_entry_count; i++) <==========
    {
        uint64_t skip = mp4ff_position(f);
        uint64_t size;
        uint8_t atom_type = 0;
        size = mp4ff_atom_read_header(f, &atom_type, &header_size);
        skip += size;


        if (atom_type == ATOM_MP4A)
        {
            f->track[f->total_tracks - 1]->type = TRACK_AUDIO;
            mp4ff_read_mp4a(f);
        } else if (atom_type == ATOM_MP4V) {
            f->track[f->total_tracks - 1]->type = TRACK_VIDEO;
        } else if (atom_type == ATOM_MP4S) {
            f->track[f->total_tracks - 1]->type = TRACK_SYSTEM;
        } else {
            f->track[f->total_tracks - 1]->type = TRACK_UNKNOWN;
        }


        mp4ff_set_position(f, skip);
    }


    return 0;
}


POC:
faad2_2.7_mp4ff_read_stsd_large_loop.mp4
CVE:
CVE-2017-9253


8.
the mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service(large loop and CPU consumption) via a crafted mp4 file.


./faad faad2_2.7_mp4ff_read_stts_large_loop.mp4 -o out.wav


static int32_t mp4ff_read_stts(mp4ff_t *f)
{
    int32_t i;
    mp4ff_track_t * p_track = f->track[f->total_tracks - 1];


    if (p_track->stts_entry_count) return 0;


    mp4ff_read_char(f); /* version */
    mp4ff_read_int24(f); /* flags */
    p_track->stts_entry_count = mp4ff_read_int32(f);   <============


    p_track->stts_sample_count = (int32_t*)malloc(p_track->stts_entry_count * sizeof(int32_t));
    p_track->stts_sample_delta = (int32_t*)malloc(p_track->stts_entry_count * sizeof(int32_t));


    if (p_track->stts_sample_count == 0 || p_track->stts_sample_delta == 0)
    {
        if (p_track->stts_sample_count) {free(p_track->stts_sample_count);p_track->stts_sample_count=0;}
        if (p_track->stts_sample_delta) {free(p_track->stts_sample_delta);p_track->stts_sample_delta=0;}
        p_track->stts_entry_count = 0;
        return 0;
    }
    else
    {
        for (i = 0; i < f->track[f->total_tracks - 1]->stts_entry_count; i++)  <===========
        {
            p_track->stts_sample_count[i] = mp4ff_read_int32(f);
            p_track->stts_sample_delta[i] = mp4ff_read_int32(f);
        }
        return 1;
    }
}


POC:
faad2_2.7_mp4ff_read_stts_large_loop.mp4
CVE:
CVE-2017-9254


9.
the mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service(large loop and CPU consumption) via a crafted mp4 file.


./faad faad2_2.7_mp4ff_read_stsc_large_loop.mp4 -o out.wav


static int32_t mp4ff_read_stsc(mp4ff_t *f)
{
    int32_t i;


    mp4ff_read_char(f); /* version */
    mp4ff_read_int24(f); /* flags */
    f->track[f->total_tracks - 1]->stsc_entry_count = mp4ff_read_int32(f); <========


    f->track[f->total_tracks - 1]->stsc_first_chunk =
        (int32_t*)malloc(f->track[f->total_tracks - 1]->stsc_entry_count*sizeof(int32_t));
    f->track[f->total_tracks - 1]->stsc_samples_per_chunk =
        (int32_t*)malloc(f->track[f->total_tracks - 1]->stsc_entry_count*sizeof(int32_t));
    f->track[f->total_tracks - 1]->stsc_sample_desc_index =
        (int32_t*)malloc(f->track[f->total_tracks - 1]->stsc_entry_count*sizeof(int32_t));


    for (i = 0; i < f->track[f->total_tracks - 1]->stsc_entry_count; i++) <========
    {
        f->track[f->total_tracks - 1]->stsc_first_chunk[i] = mp4ff_read_int32(f);
        f->track[f->total_tracks - 1]->stsc_samples_per_chunk[i] = mp4ff_read_int32(f);
        f->track[f->total_tracks - 1]->stsc_sample_desc_index[i] = mp4ff_read_int32(f);
    }


    return 0;
}


POC:
faad2_2.7_mp4ff_read_stsc_large_loop.mp4
CVE:
CVE-2017-9255


10.
the mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 can cause a denial of service(large loop and CPU consumption) via a crafted mp4 file.


./faad faad2_2.7_mp4ff_read_stco_large_loop.mp4 -o out.wav


static int32_t mp4ff_read_stco(mp4ff_t *f)
{
    int32_t i;


    mp4ff_read_char(f); /* version */
    mp4ff_read_int24(f); /* flags */
    f->track[f->total_tracks - 1]->stco_entry_count = mp4ff_read_int32(f); <========


    f->track[f->total_tracks - 1]->stco_chunk_offset =
        (int32_t*)malloc(f->track[f->total_tracks - 1]->stco_entry_count*sizeof(int32_t));


    for (i = 0; i < f->track[f->total_tracks - 1]->stco_entry_count; i++) <========
    {
        f->track[f->total_tracks - 1]->stco_chunk_offset[i] = mp4ff_read_int32(f);
    }


    return 0;
}


POC:
faad2_2.7_mp4ff_read_stco_large_loop.mp4
CVE:
CVE-2017-9256


11.
the mp4ff_read_ctts in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 allows can cause a denial of service(large loop and CPU consumption) via a crafted mp4 file.


static int32_t mp4ff_read_ctts(mp4ff_t *f)
{
    int32_t i;
    mp4ff_track_t * p_track = f->track[f->total_tracks - 1];  <========


    if (p_track->ctts_entry_count) return 0;


    mp4ff_read_char(f); /* version */
    mp4ff_read_int24(f); /* flags */
    p_track->ctts_entry_count = mp4ff_read_int32(f); <========


    p_track->ctts_sample_count = (int32_t*)malloc(p_track->ctts_entry_count * sizeof(int32_t));
    p_track->ctts_sample_offset = (int32_t*)malloc(p_track->ctts_entry_count * sizeof(int32_t));


    if (p_track->ctts_sample_count == 0 || p_track->ctts_sample_offset == 0)
    {
        if (p_track->ctts_sample_count) {free(p_track->ctts_sample_count);p_track->ctts_sample_count=0;}
        if (p_track->ctts_sample_offset) {free(p_track->ctts_sample_offset);p_track->ctts_sample_offset=0;}
        p_track->ctts_entry_count = 0;
        return 0;
    }
    else
    {
        for (i = 0; i < f->track[f->total_tracks - 1]->ctts_entry_count; i++)  <========
        {
            p_track->ctts_sample_count[i] = mp4ff_read_int32(f);
            p_track->ctts_sample_offset[i] = mp4ff_read_int32(f);
        }
        return 1;
    }
}


CVE:
CVE-2017-9257




===============================




qflb.wu () dbappsecurity com cn
Download attachment "poc.zip" of type "application/x-zip-compressed" (8681 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists