| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <17740290.e99.15d967d6c37.Coremail.qflb.wu@dbappsecurity.com.cn>
Date: Mon, 31 Jul 2017 10:33:08 +0800 (GMT+08:00)
From: "qflb.wu" <qflb.wu@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] TiMidity++ multiple vulnerabilities
TiMidity++ multiple vulnerabilities
================
Author : qflb.wu
===============
Introduction:
=============
TiMidity++ is an open source MIDI to WAVE converter and player.
Affected version:
=====
2.14.0
Vulnerability Description:
==========================
1.
the insert_note_steps function in readmidi.c in TiMidity++ 2.14.0 can cause a denial of service(divide-by-zero error and application crash) via a crafted mid file.
./timidity timidity++_2.14.0_divide_by_zero_error.mid
----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x000000000071e9a9 in insert_note_steps () at readmidi.c:4594
4594at += current_file_info->divisions * 4 / denom;
(gdb) bt
#0 0x000000000071e9a9 in insert_note_steps () at readmidi.c:4594
#1 read_midi_file (tf=<optimized out>, fn=<optimized out>,
count=<optimized out>, sp=<optimized out>) at readmidi.c:4755
#2 0x0000000000650d6c in play_midi_load_file (event=<optimized out>,
fn=<optimized out>, nsamples=<optimized out>) at playmidi.c:8453
#3 play_midi_file (
fn=0x60400000df90 "/home/a/Documents/test/file")
at playmidi.c:8563
#4 0x0000000000659562 in dumb_pass_playing_list (
number_of_files=<optimized out>, list_of_files=<optimized out>)
at playmidi.c:8624
#5 0x0000000000846119 in timidity_play_main (nfiles=1, files=<optimized out>)
at timidity.c:5655
#6 main (argc=<optimized out>, argv=<optimized out>) at timidity.c:5935
(gdb) disassemble 0x000000000071e9a9,0x000000000071e9ff
Dump of assembler code from 0x71e9a9 to 0x71e9ff:
=> 0x000000000071e9a9 <read_midi_file+13305>:idiv %ecx
0x000000000071e9ab <read_midi_file+13307>:add %eax,%r15d
0x000000000071e9ae <read_midi_file+13310>:mov -0x38(%rbp),%eax
0x000000000071e9b1 <read_midi_file+13313>:cmp %eax,%r15d
0x000000000071e9b4 <read_midi_file+13316>:mov -0x48(%rbp),%rdi
0x000000000071e9b8 <read_midi_file+13320>:mov -0x30(%rbp),%ebx
0x000000000071e9bb <read_midi_file+13323>:jge 0x71e9cb <read_midi_file+13339>
0x000000000071e9bd <read_midi_file+13325>:mov 0x1bd403d(%rip),%eax # 0x22f2a00 <readmidi_error_flag>
0x000000000071e9c3 <read_midi_file+13331>:test %eax,%eax
0x000000000071e9c5 <read_midi_file+13333>:je 0x71e635 <read_midi_file+12421>
0x000000000071e9cb <read_midi_file+13339>:mov %fs:0x0,%rax
0x000000000071e9d4 <read_midi_file+13348>:add 0x6cf5fd(%rip),%rax # 0xdedfd8
0x000000000071e9db <read_midi_file+13355>:shr $0x3,%rax
0x000000000071e9df <read_midi_file+13359>:mov 0x7fff8000(%rax),%al
0x000000000071e9e5 <read_midi_file+13365>:test %al,%al
0x000000000071e9e7 <read_midi_file+13367>:je 0x71ea09 <read_midi_file+13401>
0x000000000071e9e9 <read_midi_file+13369>:mov 0x6cf5e8(%rip),%rcx ---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
rax 0x1e0480
rbx 0x11
rcx 0x00
rdx 0x00
rsi 0x78120
rdi 0xc4a00106edc13511968190172
rbp 0x7fffffffb7b00x7fffffffb7b0
rsp 0x7fffffffad200x7fffffffad20
r8 0x00
r9 0x11
r10 0x1c37d81849304
r11 0x91145
r12 0x11
r13 0xfffffffffffffffc-4
r14 0x00
r15 0x00
rip 0x71e9a90x71e9a9 <read_midi_file+13305>
eflags 0x10246[ PF ZF IF RF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb)
POC:
timidity++_2.14.0_divide_by_zero_error.mid
CVE:
CVE-2017-11546
2.
the resample_gauss function in resample.c in TiMidity++ 2.14.0 can cause a denial of service(heap-buffer-overflow) via a crafted mid file.
./timidity timidity++_2.14.0_heap_buffer_overflow.mid
=================================================================
==4658==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b00004c93a at pc 0x76f1db bp 0x7fff1cc7ad30 sp 0x7fff1cc7ad28
READ of size 2 at 0x62b00004c93a thread T0
#0 0x76f1da in resample_gauss /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:174
#1 0x777f2d in rs_plain /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:620
#2 0x777f2d in normal_resample_voice /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:1303
#3 0x772e07 in resample_voice /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:1369
#4 0x53d527 in mix_voice /home/a/Downloads/TiMidity++-2.14.0/timidity/mix.c:134
#5 0x689989 in do_compute_data_midi /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:6751
#6 0x689989 in do_compute_data /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:7044
#7 0x61e337 in compute_data /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:7433
#8 0x5e95da in play_event /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:7563
#9 0x656379 in play_midi /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:8297
#10 0x656379 in play_midi_file /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:8570
#11 0x659581 in dumb_pass_playing_list /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:8624
#12 0x846158 in timidity_play_main /home/a/Downloads/TiMidity++-2.14.0/timidity/timidity.c:5655
#13 0x846158 in main /home/a/Downloads/TiMidity++-2.14.0/timidity/timidity.c:5935
#14 0x7f9bc0dcdec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#15 0x486fac in _start (/home/a/Downloads/TiMidity++-2.14.0/timidity/timidity+0x486fac)
0x62b00004c93b is located 0 bytes to the right of 26427-byte region [0x62b000046200,0x62b00004c93b)
allocated by thread T0 here:
#0 0x470ec9 in __interceptor_malloc (/home/a/Downloads/TiMidity++-2.14.0/timidity/timidity+0x470ec9)
#1 0x4acc7b in safe_malloc /home/a/Downloads/TiMidity++-2.14.0/timidity/common.c:655
#2 0x81a948 in load_from_file /home/a/Downloads/TiMidity++-2.14.0/timidity/sndfont.c:697
#3 0x81a948 in try_load_soundfont /home/a/Downloads/TiMidity++-2.14.0/timidity/sndfont.c:469
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:174 resample_gauss
Shadow bytes around the buggy address:
0x0c56800018d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c56800018e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c56800018f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5680001900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5680001910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5680001920: 00 00 00 00 00 00 00[03]fa fa fa fa fa fa fa fa
0x0c5680001930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5680001940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5680001950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5680001960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5680001970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==4658==ABORTING
POC:
timidity++_2.14.0_heap_buffer_overflow.mid
CVE:
CVE-2017-11547
3.
the play_midi function in playmidi.c in TiMidity++ 2.14.0 can cause a denial of service(large loop and CPU consumption) via a crafted mid file.
./timidity timidity++_2.14.0_large_loop.mid
-----debug info:----
(gdb) bt
#0 do_ch_freeverb (buf=<optimized out>, count=<optimized out>,
rev=<optimized out>) at reverb.c:1570
#1 0x000000000079cdb6 in do_ch_reverb (buf=<optimized out>,
count=<optimized out>) at reverb.c:1921
#2 0x0000000000690b54 in do_compute_data_midi (count=2048) at playmidi.c:6895
#3 do_compute_data (count=<optimized out>) at playmidi.c:7044
#4 0x0000000000619eaa in compute_data (count=<optimized out>)
at playmidi.c:7197
#5 0x00000000005e95bb in play_event (ev=<optimized out>) at playmidi.c:7563
#6 0x000000000065635a in play_midi (samples=<optimized out>,
eventlist=<optimized out>) at playmidi.c:8297
#7 play_midi_file (fn=<optimized out>) at playmidi.c:8570
#8 0x0000000000659562 in dumb_pass_playing_list (
number_of_files=<optimized out>, list_of_files=<optimized out>)
at playmidi.c:8624
#9 0x0000000000846159 in timidity_play_main (nfiles=1, files=<optimized out>)
at timidity.c:5655
#10 main (argc=<optimized out>, argv=<optimized out>) at timidity.c:5935
##playmidi.c line:8294 ==> line:8302
for(;;)
{
midi_restart_time = 1;
rc = play_event(current_event);
if(rc != RC_NONE)
break;
if (midi_restart_time) /* don't skip the first event if == 0 */
current_event++;
}
POC:
timidity++_2.14.0_large_loop.mid
CVE:
CVE-2017-11549
===============================
qflb.wu () dbappsecurity com cn
Download attachment "poc.zip" of type "application/x-zip-compressed" (1548 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists