lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <3a52ba0a.29.15dbcd4730c.Coremail.qflb.wu@dbappsecurity.com.cn> Date: Mon, 7 Aug 2017 21:13:45 +0800 (GMT+08:00) From: "qflb.wu" <qflb.wu@...ppsecurity.com.cn> To: fulldisclosure@...lists.org Subject: [FD] wildmidi multiple vulnerabilities wildmidi multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= WildMIDI is a simple software midi player which has a core softsynth library that can be use with other applications.The WildMIDI library uses Gravis Ultrasound patch files to convert MIDI files into audio which is then passed back to the calling application. The library API is designed so that it is easy to include WildMIDI into applications that wish to include MIDI file playback. Affected version: ===== 0.4.2 Vulnerability Description: ========================== 1. the _WM_SetupMidiEvent function in internal_midi.c:2318 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file. ./wildmidi wildmidi_0.4.2_invalid_memory_read_1.mid -o out.wav or ./wildmidi wildmidi_0.4.2_invalid_memory_read_1.mid debug info: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7bc1cee in _WM_SetupMidiEvent (mdi=0x7ffff7f87010, event_data=0x6091bc "\202\035)", running_event=144 '\220') at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2318 2318if (sysex_store[sysex_store_len - 1] == 0xF7) { (gdb) bt #0 0x00007ffff7bc1cee in _WM_SetupMidiEvent (mdi=0x7ffff7f87010, event_data=0x6091bc "\202\035)", running_event=144 '\220') at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2318 #1 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0) at /home/a/Downloads/wildmidi-master/src/f_midi.c:246 #2 0x00007ffff7bb685b in WildMidi_Open ( midifile=0x7fffffffe325 "/home/a/Documents/file") at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667 #3 0x000000000040373c in main (argc=4, argv=0x7fffffffdf88) at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804 (gdb) disassemble 0x00007ffff7bc1cee,0x00007ffff7bc1cef Dump of assembler code from 0x7ffff7bc1cee to 0x7ffff7bc1cef: => 0x00007ffff7bc1cee <_WM_SetupMidiEvent+3490>:movzbl (%rax),%eax End of assembler dump. (gdb) disassemble 0x00007ffff7bc1cee,0x00007ffff7bc1cff Dump of assembler code from 0x7ffff7bc1cee to 0x7ffff7bc1cff: => 0x00007ffff7bc1cee <_WM_SetupMidiEvent+3490>:movzbl (%rax),%eax 0x00007ffff7bc1cf1 <_WM_SetupMidiEvent+3493>:cmp $0xf7,%al 0x00007ffff7bc1cf3 <_WM_SetupMidiEvent+3495>:jne 0x7ffff7bc1ed7 <_WM_SetupMidiEvent+3979> 0x00007ffff7bc1cf9 <_WM_SetupMidiEvent+3501>:movb $0x41,-0x40(%rbp) 0x00007ffff7bc1cfd <_WM_SetupMidiEvent+3505>:movb $0x10,-0x3f(%rbp) End of assembler dump. (gdb) i r rax 0x1006096af4301297327 rbx 0x00 rcx 0x00 rdx 0xffffffff4294967295 rsi 0x6091bc6328764 rdi 0x6096b06330032 rbp 0x7fffffffdbd00x7fffffffdbd0 rsp 0x7fffffffdb400x7fffffffdb40 r8 0x00 r9 0x7ffff78b97b8140737346508728 r10 0x7ffff78b8760140737346504544 r11 0xffffff014294967041 r12 0x401ea04202144 r13 0x7fffffffdf80140737488347008 r14 0x00 r15 0x00 rip 0x7ffff7bc1cee0x7ffff7bc1cee <_WM_SetupMidiEvent+3490> eflags 0x10206[ PF IF RF ] cs 0x3351 ss 0x2b43 ds 0x00 es 0x00 fs 0x00 ---Type to continue, or q to quit--- gs 0x00 (gdb) x/20x 0x1006096af 0x1006096af:Cannot access memory at address 0x1006096af (gdb) ------------------line:2318 //sysex_len , sysex_store_len = 0,sysex_store_len - 1 = 0xFFFFFFFF 0x6096b0 + 0xFFFFFFFF = 0x1006096af sysex_store = realloc(sysex_store,sizeof(uint8_t) * (sysex_store_len + sysex_len)); memcpy(&sysex_store[sysex_store_len], event_data, sysex_len); sysex_store_len += sysex_len; if (sysex_store[sysex_store_len - 1] == 0xF7) { uint8_t rolandsysexid[] = { 0x41, 0x10, 0x42, 0x12 }; POC: wildmidi_0.4.2_invalid_memory_read_1.mid CVE: CVE-2017-11661 2. the _WM_ParseNewMidi function in f_midi.c in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file. ./wildmidi wildmidi_0.4.2_invalid_memory_read_2.mid -o out.wav or ./wildmidi wildmidi_0.4.2_invalid_memory_read_2.mid debug info: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7bc59d9 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0) at /home/a/Downloads/wildmidi-master/src/f_midi.c:274 274if (*tracks[i] > 0x7f) { (gdb) bt #0 0x00007ffff7bc59d9 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0) at /home/a/Downloads/wildmidi-master/src/f_midi.c:274 #1 0x00007ffff7bb685b in WildMidi_Open ( midifile=0x7fffffffe325 "/home/a/Documents/file") at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667 #2 0x000000000040373c in main (argc=4, argv=0x7fffffffdf88) at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804 (gdb) disassemble 0x00007ffff7bc59d9,0x00007ffff7bc59ff Dump of assembler code from 0x7ffff7bc59d9 to 0x7ffff7bc59ff: => 0x00007ffff7bc59d9 <_WM_ParseNewMidi+2974>:movzbl (%rax),%eax 0x00007ffff7bc59dc <_WM_ParseNewMidi+2977>:test %al,%al 0x00007ffff7bc59de <_WM_ParseNewMidi+2979>:jns 0x7ffff7bc5a6d <_WM_ParseNewMidi+3122> 0x00007ffff7bc59e4 <_WM_ParseNewMidi+2985>:mov -0x68(%rbp),%eax 0x00007ffff7bc59e7 <_WM_ParseNewMidi+2988>:lea 0x0(,%rax,4),%rdx 0x00007ffff7bc59ef <_WM_ParseNewMidi+2996>:mov -0x18(%rbp),%rax 0x00007ffff7bc59f3 <_WM_ParseNewMidi+3000>:add %rax,%rdx 0x00007ffff7bc59f6 <_WM_ParseNewMidi+3003>:mov -0x68(%rbp),%eax 0x00007ffff7bc59f9 <_WM_ParseNewMidi+3006>:lea 0x0(,%rax,4),%rcx End of assembler dump. (gdb) i r rax 0x7093a27377826 rbx 0x00 rcx 0x60909d6328477 rdx 0x88 rsi 0x60909d6328477 rdi 0x7ffff7f87010140737353642000 rbp 0x7fffffffdc600x7fffffffdc60 rsp 0x7fffffffdbe00x7fffffffdbe0 r8 0x00 r9 0x7ffff78b97b8140737346508728 r10 0x7fffffffd900140737488345344 r11 0x7ffff7592fd0140737343205328 r12 0x401ea04202144 r13 0x7fffffffdf80140737488347008 r14 0x00 r15 0x00 rip 0x7ffff7bc59d90x7ffff7bc59d9 <_WM_ParseNewMidi+2974> eflags 0x10206[ PF IF RF ] cs 0x3351 ss 0x2b43 ds 0x00 es 0x00 fs 0x00 ---Type to continue, or q to quit--- gs 0x00 (gdb) x/20x 0x7093a2 0x7093a2:Cannot access memory at address 0x7093a2 (gdb) POC: wildmidi_0.4.2_invalid_memory_read_2.mid CVE: CVE-2017-11662 3. the _WM_SetupMidiEvent function in internal_midi.c:2315 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file. ./wildmidi wildmidi_0.4.2_invalid_memory_read_3.mid -o out.wav or ./wildmidi wildmidi_0.4.2_invalid_memory_read_3.mid debug info: Breakpoint 2, 0x00007ffff7bc1cd4 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010, event_data=0x62bbd7 "", running_event=145 '\221') at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2315 2315memcpy(&sysex_store[sysex_store_len], event_data, sysex_len); (gdb) bt #0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36 #1 0x00007ffff7bc1cd9 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010, event_data=0x62bbd7 "", running_event=145 '\221') at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2315 #2 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x62bca3 "", midi_size=0) at /home/a/Downloads/wildmidi-master/src/f_midi.c:246 #3 0x00007ffff7bb685b in WildMidi_Open ( midifile=0x7fffffffe349 "/home/a/Documents/file") at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667 #4 0x000000000040373c in main (argc=2, argv=0x7fffffffdfb8) at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804 (gdb) disassemble 0x00007ffff7bc1cb9,0x00007ffff7bc1cd9 Dump of assembler code from 0x7ffff7bc1cb9 to 0x7ffff7bc1cd9: 0x00007ffff7bc1cb9 <_WM_SetupMidiEvent+3437>:mov %rax,-0x48(%rbp) 0x00007ffff7bc1cbd <_WM_SetupMidiEvent+3441>:mov -0x5c(%rbp),%edx 0x00007ffff7bc1cc0 <_WM_SetupMidiEvent+3444>:mov -0x54(%rbp),%ecx 0x00007ffff7bc1cc3 <_WM_SetupMidiEvent+3447>:mov -0x48(%rbp),%rax 0x00007ffff7bc1cc7 <_WM_SetupMidiEvent+3451>:add %rax,%rcx 0x00007ffff7bc1cca <_WM_SetupMidiEvent+3454>:mov -0x80(%rbp),%rax 0x00007ffff7bc1cce <_WM_SetupMidiEvent+3458>:mov %rax,%rsi 0x00007ffff7bc1cd1 <_WM_SetupMidiEvent+3461>:mov %rcx,%rdi 0x00007ffff7bc1cd4 <_WM_SetupMidiEvent+3464>:callq 0x7ffff7bb1600 memcpy@plt End of assembler dump. (gdb) i r rax 0x62bbd76470615 rbx 0x00 rcx 0x7fffe41b6010140737020387344 rdx 0x3e494d465311956 rsi 0x62bbd76470615 rdi 0x7fffe41b6010140737020387344 rbp 0x7fffffffdc000x7fffffffdc00 rsp 0x7fffffffdb700x7fffffffdb70 r8 0xffffffff4294967295 r9 0x00 r10 0x2234 r11 0xf78b97014153120513 r12 0x401ea04202144 r13 0x7fffffffdfb0140737488347056 r14 0x00 r15 0x00 rip 0x7ffff7bc1cd40x7ffff7bc1cd4 <_WM_SetupMidiEvent+3464> eflags 0x202[ IF ] cs 0x3351 ss 0x2b43 ds 0x00 es 0x00 fs 0x00 ---Type to continue, or q to quit--- gs 0x00 (gdb) x/20x 0x44750AB 0x44750ab:Cannot access memory at address 0x44750ab (gdb) ni Program received signal SIGSEGV, Segmentation fault. __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36 36../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory. (gdb) ------------------ line:2315 //point:sysex_len is larger than the length of event_data sysex_store = realloc(sysex_store,sizeof(uint8_t) * (sysex_store_len + sysex_len)); memcpy(&sysex_store[sysex_store_len], event_data, sysex_len); sysex_store_len += sysex_len; POC: wildmidi_0.4.2_invalid_memory_read_3.mid CVE: CVE-2017-11663 4. the _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file. ./wildmidi wildmidi_0.4.2_invalid_memory_read_4.mid -o out.wav or ./wildmidi wildmidi_0.4.2_invalid_memory_read_4.mid debug info: Program received signal SIGSEGV, Segmentation fault. __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36 36../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory. (gdb) bt #0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36 #1 0x00007ffff7bc15d0 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010, event_data=0x62b927 "", running_event=0 '\000') at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2122 #2 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x62bca3 "", midi_size=0) at /home/a/Downloads/wildmidi-master/src/f_midi.c:246 #3 0x00007ffff7bb685b in WildMidi_Open ( midifile=0x7fffffffe349 "/home/a/Documents/file") at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667 #4 0x000000000040373c in main (argc=2, argv=0x7fffffffdfb8) at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804 (gdb) disassemble 0x00007ffff7bc15b6,0x00007ffff7bc15d0 Dump of assembler code from 0x7ffff7bc15b6 to 0x7ffff7bc15d0: 0x00007ffff7bc15b6 <_WM_SetupMidiEvent+1642>:mov %rax,-0x50(%rbp) 0x00007ffff7bc15ba <_WM_SetupMidiEvent+1646>:mov -0x60(%rbp),%edx 0x00007ffff7bc15bd <_WM_SetupMidiEvent+1649>:mov -0x80(%rbp),%rcx 0x00007ffff7bc15c1 <_WM_SetupMidiEvent+1653>:mov -0x50(%rbp),%rax 0x00007ffff7bc15c5 <_WM_SetupMidiEvent+1657>:mov %rcx,%rsi 0x00007ffff7bc15c8 <_WM_SetupMidiEvent+1660>:mov %rax,%rdi 0x00007ffff7bc15cb <_WM_SetupMidiEvent+1663>:callq 0x7ffff7bb1600 memcpy@plt End of assembler dump. (gdb) i r rax 0xffff8000086e68a4-140737346901852 rbx 0x00 rcx 0x840e6540902 rdx 0x42073270451 rsi 0x62b9276469927 rdi 0x7ffff7f03010140737353101328 rbp 0x7fffffffdc000x7fffffffdc00 rsp 0x7fffffffdb680x7fffffffdb68 r8 0xffffffff4294967295 r9 0x00 r10 0x2234 r11 0xf7592f014149817089 r12 0x401ea04202144 r13 0x7fffffffdfb0140737488347056 r14 0x00 r15 0x00 rip 0x7ffff7592ffe0x7ffff7592ffe <__memcpy_sse2_unaligned+46> eflags 0x10206[ PF IF RF ] cs 0x3351 ss 0x2b43 ds 0x00 es 0x00 fs 0x00 ---Type to continue, or q to quit--- gs 0x00 (gdb) x/20x 0x66D99A 0x66d99a:Cannot access memory at address 0x66d99a (gdb) ----------------line:2122-------------- //the tmp_length is larger than the length of event_data text = malloc(tmp_length + 1); memcpy(text, event_data, tmp_length); text[tmp_length] = '\0'; midi_setup_trackname(mdi, text); POC: wildmidi_0.4.2_invalid_memory_read_4.mid CVE: CVE-2017-11664 Fix ========== Fixed: https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd POC: ========== https://github.com/Mindwerks/wildmidi/files/1186857/poc.zip =============================== qflb.wu () dbappsecurity com cn _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists