lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 31 Jul 2017 15:33:02 +0800 (GMT+08:00)
From: "qflb.wu" <qflb.wu@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] libmad memory corruption vulnerability

libmad memory corruption vulnerability
================
Author : qflb.wu
===============


Introduction:
=============
libmad is a high-quality MPEG audio decoder capable of 24-bit output.


Affected version:
=====
0.15.1b


Vulnerability Description:
==========================
the mad_decoder_run function in decoder.c in libmad 0.15.1b can cause a denial of service(memory corruption) via a crafted mp3 file.


I found this bug when I test mpg321 0.3.2 which used the libmad library.


./mpg321 libmad_0.15.1b_memory_corruption.mp3


----debug info:----
Program received signal SIGABRT, Aborted.
0x00007ffff6bf7cc9 in __GI_raise (sig=sig@...ry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff6bf7cc9 in __GI_raise (sig=sig@...ry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff6bfb0d8 in __GI_abort () at abort.c:89
#2  0x00007ffff6c34394 in __libc_message (do_abort=do_abort@...ry=1, 
    fmt=fmt@...ry=0x7ffff6d42b28 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff6c4066e in malloc_printerr (ptr=<optimized out>, 
    str=0x7ffff6d42c58 "double free or corruption (out)", action=1)
    at malloc.c:4996
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0)
    at malloc.c:3840
#5  0x00007ffff749ab43 in mad_decoder_run (
    decoder=decoder@...ry=0x7fffffffbd20, 
    mode=mode@...ry=MAD_DECODER_MODE_SYNC) at decoder.c:559
#6  0x0000000000403d5d in main (argc=<optimized out>, argv=<optimized out>)
    at mpg321.c:1092
(gdb)


POC:
libmad_0.15.1b_memory_corruption.mp3
CVE:
CVE-2017-11552


===============================




qflb.wu () dbappsecurity com cn




Download attachment "poc.zip" of type "application/x-zip-compressed" (628 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists