lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 31 Jul 2017 10:33:08 +0800 (GMT+08:00)
From: "qflb.wu" <qflb.wu@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] TiMidity++ multiple vulnerabilities

TiMidity++ multiple vulnerabilities
================
Author : qflb.wu
===============


Introduction:
=============
TiMidity++ is an open source MIDI to WAVE converter and player.


Affected version:
=====
2.14.0


Vulnerability Description:
==========================
1.
the insert_note_steps function in readmidi.c in TiMidity++ 2.14.0 can cause a denial of service(divide-by-zero error and application crash) via a crafted mid file.


./timidity timidity++_2.14.0_divide_by_zero_error.mid


----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x000000000071e9a9 in insert_note_steps () at readmidi.c:4594
4594at += current_file_info->divisions * 4 / denom;
(gdb) bt
#0  0x000000000071e9a9 in insert_note_steps () at readmidi.c:4594
#1  read_midi_file (tf=<optimized out>, fn=<optimized out>, 
    count=<optimized out>, sp=<optimized out>) at readmidi.c:4755
#2  0x0000000000650d6c in play_midi_load_file (event=<optimized out>, 
    fn=<optimized out>, nsamples=<optimized out>) at playmidi.c:8453
#3  play_midi_file (
    fn=0x60400000df90 "/home/a/Documents/test/file")
    at playmidi.c:8563
#4  0x0000000000659562 in dumb_pass_playing_list (
    number_of_files=<optimized out>, list_of_files=<optimized out>)
    at playmidi.c:8624
#5  0x0000000000846119 in timidity_play_main (nfiles=1, files=<optimized out>)
    at timidity.c:5655
#6  main (argc=<optimized out>, argv=<optimized out>) at timidity.c:5935
(gdb) disassemble 0x000000000071e9a9,0x000000000071e9ff
Dump of assembler code from 0x71e9a9 to 0x71e9ff:
=> 0x000000000071e9a9 <read_midi_file+13305>:idiv   %ecx
   0x000000000071e9ab <read_midi_file+13307>:add    %eax,%r15d
   0x000000000071e9ae <read_midi_file+13310>:mov    -0x38(%rbp),%eax
   0x000000000071e9b1 <read_midi_file+13313>:cmp    %eax,%r15d
   0x000000000071e9b4 <read_midi_file+13316>:mov    -0x48(%rbp),%rdi
   0x000000000071e9b8 <read_midi_file+13320>:mov    -0x30(%rbp),%ebx
   0x000000000071e9bb <read_midi_file+13323>:jge    0x71e9cb <read_midi_file+13339>
   0x000000000071e9bd <read_midi_file+13325>:mov    0x1bd403d(%rip),%eax        # 0x22f2a00 <readmidi_error_flag>
   0x000000000071e9c3 <read_midi_file+13331>:test   %eax,%eax
   0x000000000071e9c5 <read_midi_file+13333>:je     0x71e635 <read_midi_file+12421>
   0x000000000071e9cb <read_midi_file+13339>:mov    %fs:0x0,%rax
   0x000000000071e9d4 <read_midi_file+13348>:add    0x6cf5fd(%rip),%rax        # 0xdedfd8
   0x000000000071e9db <read_midi_file+13355>:shr    $0x3,%rax
   0x000000000071e9df <read_midi_file+13359>:mov    0x7fff8000(%rax),%al
   0x000000000071e9e5 <read_midi_file+13365>:test   %al,%al
   0x000000000071e9e7 <read_midi_file+13367>:je     0x71ea09 <read_midi_file+13401>
   0x000000000071e9e9 <read_midi_file+13369>:mov    0x6cf5e8(%rip),%rcx      ---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
rax            0x1e0480
rbx            0x11
rcx            0x00
rdx            0x00
rsi            0x78120
rdi            0xc4a00106edc13511968190172
rbp            0x7fffffffb7b00x7fffffffb7b0
rsp            0x7fffffffad200x7fffffffad20
r8             0x00
r9             0x11
r10            0x1c37d81849304
r11            0x91145
r12            0x11
r13            0xfffffffffffffffc-4
r14            0x00
r15            0x00
rip            0x71e9a90x71e9a9 <read_midi_file+13305>
eflags         0x10246[ PF ZF IF RF ]
cs             0x3351
ss             0x2b43
ds             0x00
es             0x00
fs             0x00
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) 


POC:
timidity++_2.14.0_divide_by_zero_error.mid
CVE:
CVE-2017-11546


2.
the resample_gauss function in resample.c in TiMidity++ 2.14.0 can cause a denial of service(heap-buffer-overflow) via a crafted mid file.


./timidity timidity++_2.14.0_heap_buffer_overflow.mid


=================================================================
==4658==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b00004c93a at pc 0x76f1db bp 0x7fff1cc7ad30 sp 0x7fff1cc7ad28
READ of size 2 at 0x62b00004c93a thread T0
    #0 0x76f1da in resample_gauss /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:174
    #1 0x777f2d in rs_plain /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:620
    #2 0x777f2d in normal_resample_voice /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:1303
    #3 0x772e07 in resample_voice /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:1369
    #4 0x53d527 in mix_voice /home/a/Downloads/TiMidity++-2.14.0/timidity/mix.c:134
    #5 0x689989 in do_compute_data_midi /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:6751
    #6 0x689989 in do_compute_data /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:7044
    #7 0x61e337 in compute_data /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:7433
    #8 0x5e95da in play_event /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:7563
    #9 0x656379 in play_midi /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:8297
    #10 0x656379 in play_midi_file /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:8570
    #11 0x659581 in dumb_pass_playing_list /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:8624
    #12 0x846158 in timidity_play_main /home/a/Downloads/TiMidity++-2.14.0/timidity/timidity.c:5655
    #13 0x846158 in main /home/a/Downloads/TiMidity++-2.14.0/timidity/timidity.c:5935
    #14 0x7f9bc0dcdec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #15 0x486fac in _start (/home/a/Downloads/TiMidity++-2.14.0/timidity/timidity+0x486fac)


0x62b00004c93b is located 0 bytes to the right of 26427-byte region [0x62b000046200,0x62b00004c93b)
allocated by thread T0 here:
    #0 0x470ec9 in __interceptor_malloc (/home/a/Downloads/TiMidity++-2.14.0/timidity/timidity+0x470ec9)
    #1 0x4acc7b in safe_malloc /home/a/Downloads/TiMidity++-2.14.0/timidity/common.c:655
    #2 0x81a948 in load_from_file /home/a/Downloads/TiMidity++-2.14.0/timidity/sndfont.c:697
    #3 0x81a948 in try_load_soundfont /home/a/Downloads/TiMidity++-2.14.0/timidity/sndfont.c:469


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:174 resample_gauss
Shadow bytes around the buggy address:
  0x0c56800018d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c56800018e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c56800018f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5680001900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5680001910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5680001920: 00 00 00 00 00 00 00[03]fa fa fa fa fa fa fa fa
  0x0c5680001930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680001940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680001950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680001960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680001970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==4658==ABORTING


POC:
timidity++_2.14.0_heap_buffer_overflow.mid
CVE:
CVE-2017-11547


3.
the play_midi function in playmidi.c in TiMidity++ 2.14.0 can cause a denial of service(large loop and CPU consumption) via a crafted mid file.


./timidity timidity++_2.14.0_large_loop.mid


-----debug info:----
(gdb) bt
#0  do_ch_freeverb (buf=<optimized out>, count=<optimized out>, 
    rev=<optimized out>) at reverb.c:1570
#1  0x000000000079cdb6 in do_ch_reverb (buf=<optimized out>, 
    count=<optimized out>) at reverb.c:1921
#2  0x0000000000690b54 in do_compute_data_midi (count=2048) at playmidi.c:6895
#3  do_compute_data (count=<optimized out>) at playmidi.c:7044
#4  0x0000000000619eaa in compute_data (count=<optimized out>)
    at playmidi.c:7197
#5  0x00000000005e95bb in play_event (ev=<optimized out>) at playmidi.c:7563
#6  0x000000000065635a in play_midi (samples=<optimized out>, 
    eventlist=<optimized out>) at playmidi.c:8297
#7  play_midi_file (fn=<optimized out>) at playmidi.c:8570
#8  0x0000000000659562 in dumb_pass_playing_list (
    number_of_files=<optimized out>, list_of_files=<optimized out>)
    at playmidi.c:8624
#9  0x0000000000846159 in timidity_play_main (nfiles=1, files=<optimized out>)
    at timidity.c:5655
#10 main (argc=<optimized out>, argv=<optimized out>) at timidity.c:5935


##playmidi.c line:8294 ==> line:8302
for(;;)
{
midi_restart_time = 1;
rc = play_event(current_event);
if(rc != RC_NONE)
    break;
if (midi_restart_time)    /* don't skip the first event if == 0 */
    current_event++;
}


POC:
timidity++_2.14.0_large_loop.mid
CVE:
CVE-2017-11549




===============================




qflb.wu () dbappsecurity com cn




Download attachment "poc.zip" of type "application/x-zip-compressed" (1548 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ