lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3a52ba0a.29.15dbcd4730c.Coremail.qflb.wu@dbappsecurity.com.cn>
Date: Mon, 7 Aug 2017 21:13:45 +0800 (GMT+08:00)
From: "qflb.wu" <qflb.wu@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] wildmidi multiple vulnerabilities

wildmidi multiple vulnerabilities
================
Author : qflb.wu
===============


Introduction:
=============
WildMIDI is a simple software midi player which has a core softsynth library that can be use with other applications.The WildMIDI library uses Gravis Ultrasound patch files to convert MIDI files into audio which is then passed back to the calling application. The library API is designed so that it is easy to include WildMIDI into applications that wish to include MIDI file playback.


Affected version:
=====
0.4.2


Vulnerability Description:
==========================
1.
the _WM_SetupMidiEvent function in internal_midi.c:2318 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.


./wildmidi wildmidi_0.4.2_invalid_memory_read_1.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_1.mid


debug info:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc1cee in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x6091bc "\202\035)", running_event=144 '\220')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2318
2318if (sysex_store[sysex_store_len - 1] == 0xF7) {
(gdb) bt
#0 0x00007ffff7bc1cee in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x6091bc "\202\035)", running_event=144 '\220')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2318
#1 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
#2 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe325 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#3 0x000000000040373c in main (argc=4, argv=0x7fffffffdf88)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc1cee,0x00007ffff7bc1cef
Dump of assembler code from 0x7ffff7bc1cee to 0x7ffff7bc1cef:
=> 0x00007ffff7bc1cee <_WM_SetupMidiEvent+3490>:movzbl (%rax),%eax
End of assembler dump.
(gdb) disassemble 0x00007ffff7bc1cee,0x00007ffff7bc1cff
Dump of assembler code from 0x7ffff7bc1cee to 0x7ffff7bc1cff:
=> 0x00007ffff7bc1cee <_WM_SetupMidiEvent+3490>:movzbl (%rax),%eax
0x00007ffff7bc1cf1 <_WM_SetupMidiEvent+3493>:cmp $0xf7,%al
0x00007ffff7bc1cf3 <_WM_SetupMidiEvent+3495>:jne 0x7ffff7bc1ed7 <_WM_SetupMidiEvent+3979>
0x00007ffff7bc1cf9 <_WM_SetupMidiEvent+3501>:movb $0x41,-0x40(%rbp)
0x00007ffff7bc1cfd <_WM_SetupMidiEvent+3505>:movb $0x10,-0x3f(%rbp)
End of assembler dump.
(gdb) i r
rax 0x1006096af4301297327
rbx 0x00
rcx 0x00
rdx 0xffffffff4294967295
rsi 0x6091bc6328764
rdi 0x6096b06330032
rbp 0x7fffffffdbd00x7fffffffdbd0
rsp 0x7fffffffdb400x7fffffffdb40
r8 0x00
r9 0x7ffff78b97b8140737346508728
r10 0x7ffff78b8760140737346504544
r11 0xffffff014294967041
r12 0x401ea04202144
r13 0x7fffffffdf80140737488347008
r14 0x00
r15 0x00
rip 0x7ffff7bc1cee0x7ffff7bc1cee <_WM_SetupMidiEvent+3490>
eflags 0x10206[ PF IF RF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
---Type to continue, or q to quit---
gs 0x00
(gdb) x/20x 0x1006096af
0x1006096af:Cannot access memory at address 0x1006096af
(gdb)


------------------line:2318
//sysex_len , sysex_store_len = 0,sysex_store_len - 1 = 0xFFFFFFFF 0x6096b0 + 0xFFFFFFFF = 0x1006096af


sysex_store = realloc(sysex_store,sizeof(uint8_t) * (sysex_store_len + sysex_len));
memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
sysex_store_len += sysex_len;


if (sysex_store[sysex_store_len - 1] == 0xF7) {
uint8_t rolandsysexid[] = { 0x41, 0x10, 0x42, 0x12 };


POC:
wildmidi_0.4.2_invalid_memory_read_1.mid
CVE:
CVE-2017-11661


2.
the _WM_ParseNewMidi function in f_midi.c in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.


./wildmidi wildmidi_0.4.2_invalid_memory_read_2.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_2.mid


debug info:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc59d9 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:274
274if (*tracks[i] > 0x7f) {
(gdb) bt
#0 0x00007ffff7bc59d9 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:274
#1 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe325 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#2 0x000000000040373c in main (argc=4, argv=0x7fffffffdf88)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc59d9,0x00007ffff7bc59ff
Dump of assembler code from 0x7ffff7bc59d9 to 0x7ffff7bc59ff:
=> 0x00007ffff7bc59d9 <_WM_ParseNewMidi+2974>:movzbl (%rax),%eax
0x00007ffff7bc59dc <_WM_ParseNewMidi+2977>:test %al,%al
0x00007ffff7bc59de <_WM_ParseNewMidi+2979>:jns 0x7ffff7bc5a6d <_WM_ParseNewMidi+3122>
0x00007ffff7bc59e4 <_WM_ParseNewMidi+2985>:mov -0x68(%rbp),%eax
0x00007ffff7bc59e7 <_WM_ParseNewMidi+2988>:lea 0x0(,%rax,4),%rdx
0x00007ffff7bc59ef <_WM_ParseNewMidi+2996>:mov -0x18(%rbp),%rax
0x00007ffff7bc59f3 <_WM_ParseNewMidi+3000>:add %rax,%rdx
0x00007ffff7bc59f6 <_WM_ParseNewMidi+3003>:mov -0x68(%rbp),%eax
0x00007ffff7bc59f9 <_WM_ParseNewMidi+3006>:lea 0x0(,%rax,4),%rcx
End of assembler dump.
(gdb) i r
rax 0x7093a27377826
rbx 0x00
rcx 0x60909d6328477
rdx 0x88
rsi 0x60909d6328477
rdi 0x7ffff7f87010140737353642000
rbp 0x7fffffffdc600x7fffffffdc60
rsp 0x7fffffffdbe00x7fffffffdbe0
r8 0x00
r9 0x7ffff78b97b8140737346508728
r10 0x7fffffffd900140737488345344
r11 0x7ffff7592fd0140737343205328
r12 0x401ea04202144
r13 0x7fffffffdf80140737488347008
r14 0x00
r15 0x00
rip 0x7ffff7bc59d90x7ffff7bc59d9 <_WM_ParseNewMidi+2974>
eflags 0x10206[ PF IF RF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
---Type to continue, or q to quit---
gs 0x00
(gdb) x/20x 0x7093a2
0x7093a2:Cannot access memory at address 0x7093a2
(gdb)


POC:
wildmidi_0.4.2_invalid_memory_read_2.mid
CVE:
CVE-2017-11662


3.
the _WM_SetupMidiEvent function in internal_midi.c:2315 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.


./wildmidi wildmidi_0.4.2_invalid_memory_read_3.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_3.mid


debug info:
Breakpoint 2, 0x00007ffff7bc1cd4 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x62bbd7 "", running_event=145 '\221')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2315
2315memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
(gdb) bt
#0 __memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1 0x00007ffff7bc1cd9 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x62bbd7 "", running_event=145 '\221')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2315
#2 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x62bca3 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
#3 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe349 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#4 0x000000000040373c in main (argc=2, argv=0x7fffffffdfb8)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc1cb9,0x00007ffff7bc1cd9
Dump of assembler code from 0x7ffff7bc1cb9 to 0x7ffff7bc1cd9:
0x00007ffff7bc1cb9 <_WM_SetupMidiEvent+3437>:mov %rax,-0x48(%rbp)
0x00007ffff7bc1cbd <_WM_SetupMidiEvent+3441>:mov -0x5c(%rbp),%edx
0x00007ffff7bc1cc0 <_WM_SetupMidiEvent+3444>:mov -0x54(%rbp),%ecx
0x00007ffff7bc1cc3 <_WM_SetupMidiEvent+3447>:mov -0x48(%rbp),%rax
0x00007ffff7bc1cc7 <_WM_SetupMidiEvent+3451>:add %rax,%rcx
0x00007ffff7bc1cca <_WM_SetupMidiEvent+3454>:mov -0x80(%rbp),%rax
0x00007ffff7bc1cce <_WM_SetupMidiEvent+3458>:mov %rax,%rsi
0x00007ffff7bc1cd1 <_WM_SetupMidiEvent+3461>:mov %rcx,%rdi
0x00007ffff7bc1cd4 <_WM_SetupMidiEvent+3464>:callq 0x7ffff7bb1600 memcpy@plt
End of assembler dump.
(gdb) i r
rax 0x62bbd76470615
rbx 0x00
rcx 0x7fffe41b6010140737020387344
rdx 0x3e494d465311956
rsi 0x62bbd76470615
rdi 0x7fffe41b6010140737020387344
rbp 0x7fffffffdc000x7fffffffdc00
rsp 0x7fffffffdb700x7fffffffdb70
r8 0xffffffff4294967295
r9 0x00
r10 0x2234
r11 0xf78b97014153120513
r12 0x401ea04202144
r13 0x7fffffffdfb0140737488347056
r14 0x00
r15 0x00
rip 0x7ffff7bc1cd40x7ffff7bc1cd4 <_WM_SetupMidiEvent+3464>
eflags 0x202[ IF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
---Type to continue, or q to quit---
gs 0x00
(gdb) x/20x 0x44750AB
0x44750ab:Cannot access memory at address 0x44750ab
(gdb) ni


Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb)
------------------ line:2315
//point:sysex_len is larger than the length of event_data
sysex_store = realloc(sysex_store,sizeof(uint8_t) * (sysex_store_len + sysex_len));
memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
sysex_store_len += sysex_len;


POC:
wildmidi_0.4.2_invalid_memory_read_3.mid
CVE:
CVE-2017-11663


4.
the _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.


./wildmidi wildmidi_0.4.2_invalid_memory_read_4.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_4.mid


debug info:
Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0 __memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1 0x00007ffff7bc15d0 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x62b927 "", running_event=0 '\000')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2122
#2 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x62bca3 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
#3 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe349 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#4 0x000000000040373c in main (argc=2, argv=0x7fffffffdfb8)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc15b6,0x00007ffff7bc15d0
Dump of assembler code from 0x7ffff7bc15b6 to 0x7ffff7bc15d0:
0x00007ffff7bc15b6 <_WM_SetupMidiEvent+1642>:mov %rax,-0x50(%rbp)
0x00007ffff7bc15ba <_WM_SetupMidiEvent+1646>:mov -0x60(%rbp),%edx
0x00007ffff7bc15bd <_WM_SetupMidiEvent+1649>:mov -0x80(%rbp),%rcx
0x00007ffff7bc15c1 <_WM_SetupMidiEvent+1653>:mov -0x50(%rbp),%rax
0x00007ffff7bc15c5 <_WM_SetupMidiEvent+1657>:mov %rcx,%rsi
0x00007ffff7bc15c8 <_WM_SetupMidiEvent+1660>:mov %rax,%rdi
0x00007ffff7bc15cb <_WM_SetupMidiEvent+1663>:callq 0x7ffff7bb1600 memcpy@plt
End of assembler dump.
(gdb) i r
rax 0xffff8000086e68a4-140737346901852
rbx 0x00
rcx 0x840e6540902
rdx 0x42073270451
rsi 0x62b9276469927
rdi 0x7ffff7f03010140737353101328
rbp 0x7fffffffdc000x7fffffffdc00
rsp 0x7fffffffdb680x7fffffffdb68
r8 0xffffffff4294967295
r9 0x00
r10 0x2234
r11 0xf7592f014149817089
r12 0x401ea04202144
r13 0x7fffffffdfb0140737488347056
r14 0x00
r15 0x00
rip 0x7ffff7592ffe0x7ffff7592ffe <__memcpy_sse2_unaligned+46>
eflags 0x10206[ PF IF RF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
---Type to continue, or q to quit---
gs 0x00
(gdb) x/20x 0x66D99A
0x66d99a:Cannot access memory at address 0x66d99a
(gdb)


----------------line:2122--------------
//the tmp_length is larger than the length of event_data
text = malloc(tmp_length + 1);
memcpy(text, event_data, tmp_length);
text[tmp_length] = '\0';
midi_setup_trackname(mdi, text);


POC:
wildmidi_0.4.2_invalid_memory_read_4.mid
CVE:
CVE-2017-11664




Fix
==========
Fixed:
https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd


POC:
==========
https://github.com/Mindwerks/wildmidi/files/1186857/poc.zip




===============================




qflb.wu () dbappsecurity com cn


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists