libvorbis multiple vulnerabilities
==================================

Author: qflb.wu

Introduction:
=============

The libvorbis package contains a general-purpose audio and music encoding format. It is useful for creating (encoding) and playing (decoding) sound in an open (patent-free) format.

Affected version:
=================

1.3.5

Vulnerability Description:
==========================

1. The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5 can cause a denial of service (OOM) via a crafted wav file.

I found this bug when I tested Sound eXchange (SoX) 14.4.2, which uses the libvorbis library.

./sox libvorbis_1.3.5_OOM.wav out.ogg

/var/log/syslog info:

Jul 13 19:58:05 ubuntu kernel: [] Out of memory: Kill process 44203 (sox) score 364 or sacrifice child
Jul 13 19:58:05 ubuntu kernel: [] Killed process 44203 (sox) total-vm:1831804kB, anon-rss:599932kB, file-rss:40kB

The process is not killed by a fault of its own: the kernel OOM killer sends SIGKILL once sox has grown to roughly 1.8 GB of virtual memory, and the backtrace shows the growth happening inside vorbis_analysis_wrote while sox flushes the encoder on close (write_samples is called with buf=0x0, len=0x0 from stopwrite).

----debug info:----

#0  0x00007ffff5df5e92 in vorbis_analysis_wrote () from /usr/local/lib/libvorbis.so.0
#1  0x00007ffff7ba1cba in write_samples (ft=0x611c20, buf=buf@entry=0x0, len=len@entry=0x0) at vorbis.c:358
#2  0x00007ffff7ba1dc5 in stopwrite (ft=<optimized out>) at vorbis.c:398
#3  0x00007ffff7b58488 in sox_close (ft=0x611c20) at formats.c:1006
#4  0x0000000000405fa8 in cleanup () at sox.c:246
#5  0x0000000000403479 in main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffe5e8) at sox.c:3050
#6  0x00007ffff727bec5 in __libc_start_main (main=0x4029c0 <main>, argc=0x3, argv=0x7fffffffe5e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe5d8) at libc-start.c:287
#7  0x0000000000403c65 in _start ()

--------

Program terminated with signal SIGKILL, Killed.
The program no longer exists.

POC: libvorbis_1.3.5_OOM.wav

CVE: CVE-2017-11333

2. The vorbis_block_clear function in lib/block.c in Xiph.Org libvorbis 1.3.5 can cause a denial of service (NULL pointer dereference and application crash) via a crafted ogg file.

I found this bug when I tested mp3splt 2.6.2, which uses the libvorbis library.

./mp3splt -P -t 0.9 libvorbis_1.3.5_null_pointer_dereference.ogg

Reading the trace below: the fault is raised inside free() itself. At the marked call, vb->localstore (loaded from 0x70(%r14) into %rdi) holds 0x80, which is not a valid heap pointer, and vb->internal (loaded into %r13) is NULL. That combination is consistent with a vorbis_block that mp3splt passes to vorbis_block_clear without its having been set up by vorbis_block_init, which is what makes the crafted file able to steer a free() of an arbitrary value.

----debug info:----

0x00007ffff61752c0 in vorbis_block_clear () from /usr/local/lib/libvorbis.so.0
(gdb) disassemble
Dump of assembler code for function vorbis_block_clear:
   0x00007ffff61752a0 <+0>:     push   %r14
   0x00007ffff61752a2 <+2>:     mov    %rdi,%r14
   0x00007ffff61752a5 <+5>:     push   %r13
   0x00007ffff61752a7 <+7>:     push   %r12
   0x00007ffff61752a9 <+9>:     push   %rbp
   0x00007ffff61752aa <+10>:    push   %rbx
   0x00007ffff61752ab <+11>:    mov    0xb8(%rdi),%r13
   0x00007ffff61752b2 <+18>:    callq  0x7ffff616b240 <_vorbis_block_ripcord@plt>
   0x00007ffff61752b7 <+23>:    mov    0x70(%r14),%rdi
   0x00007ffff61752bb <+27>:    test   %rdi,%rdi
   0x00007ffff61752be <+30>:    je     0x7ffff61752c5 <vorbis_block_clear+37>
=> 0x00007ffff61752c0 <+32>:    callq  0x7ffff616b130 <free@plt>
   0x00007ffff61752c5 <+37>:    test   %r13,%r13
   0x00007ffff61752c8 <+40>:    je     0x7ffff617530c <vorbis_block_clear+108>
   0x00007ffff61752ca <+42>:    mov    $0x1,%r12d
   0x00007ffff61752d0 <+48>:    xor    %ebx,%ebx
   0x00007ffff61752d2 <+50>:    jmp    0x7ffff61752df <vorbis_block_clear+63>
   0x00007ffff61752d4 <+52>:    nopl   0x0(%rax)
   0x00007ffff61752d8 <+56>:    add    $0x1,%ebx
   0x00007ffff61752db <+59>:    add    $0x1,%r12d
   0x00007ffff61752df <+63>:    movslq %ebx,%rax
(gdb) i r
rax            0x2                 2
rbx            0x61fca0            6421664
rcx            0x0                 0
rdx            0x7ffff7ba6778      140737349576568
rsi            0x0                 0
rdi            0x80                128
rbp            0x7fffffffd470      0x7fffffffd470
rsp            0x7fffffffd400      0x7fffffffd400
r8             0x746e656d75636f00  8389754676633104128
r9             0x614350            6374224
r10            0x7fffffffd1f0      140737488343536
r11            0x7ffff61752a0      140737322111648
r12            0x612850            6367312
r13            0x0                 0
r14            0x620560            6423904
r15            0x7ffff7bcf146      140737349742918
rip            0x7ffff61752c0      0x7ffff61752c0 <vorbis_block_clear+32>
eflags         0x202               [ IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) ni

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x80) at malloc.c:2929
2929    malloc.c: No such file or directory.
(gdb) bt
#0  __GI___libc_free (mem=0x80) at malloc.c:2929
#1  0x00007ffff61752c5 in vorbis_block_clear () from /usr/local/lib/libvorbis.so.0
#2  0x00007ffff65ac5ae in splt_ogg_v_free (oggstate=0x61fca0) at ogg.c:162
#3  0x00007ffff65ace0b in splt_ogg_info (in=<optimized out>, state=state@entry=0x60ddb0, error=error@entry=0x7fffffffdbf0) at ogg.c:545
#4  0x00007ffff65acf75 in splt_ogg_get_info (state=state@entry=0x60ddb0, file_input=<optimized out>, error=error@entry=0x7fffffffdbf0) at ogg.c:108
#5  0x00007ffff65ae6c7 in splt_pl_init (state=0x60ddb0, error=0x7fffffffdbf0) at ogg.c:1482
#6  0x00007ffff7bcac16 in splt_tp_get_original_tags_and_append (error=0x7fffffffdbf0, state=0x60ddb0) at tags_parser.c:545
#7  splt_tp_process_original_tags_variable (tpu=tpu@entry=0x61f800, state=state@entry=0x60ddb0, error=error@entry=0x7fffffffdbf0, set_original_tags=1) at tags_parser.c:514
#8  0x00007ffff7bcb4d1 in splt_tp_process_tag_variable (error=0x7fffffffdbf0, state=0x60ddb0, tpu=0x61f800, end_paranthesis=0x7ffff7bcf14c "]", tag_variable_start=0x7ffff7bcf146 "o,@N=1]") at tags_parser.c:363
#9  splt_tp_process_tags (error=0x7fffffffdbf0, state=0x60ddb0, tpu=0x61f800, tags=0x7ffff7bcf143 "%[@o,@N=1]") at tags_parser.c:293
#10 splt_tp_put_tags_from_string (state=state@entry=0x60ddb0, tags=tags@entry=0x7ffff7bcf143 "%[@o,@N=1]", error=error@entry=0x7fffffffdbf0) at tags_parser.c:192
#11 0x00007ffff7bbb4f3 in mp3splt_split (state=state@entry=0x60ddb0) at mp3splt.c:1232
#12 0x0000000000403320 in main (argc=<optimized out>, orig_argv=<optimized out>) at mp3splt.c:872
(gdb)

--------------------

lib/block.c, libvorbis 1.3.5:

int vorbis_block_clear(vorbis_block *vb){
  int i;
  vorbis_block_internal *vbi=vb->internal;
  _vorbis_block_ripcord(vb);
  if(vb->localstore)_ogg_free(vb->localstore);    <======== free() of 0x80
  if(vbi){
    for(i=0;i<PACKETBLOBS;i++){
      oggpack_writeclear(vbi->packetblob[i]);
      if(i!=PACKETBLOBS/2)_ogg_free(vbi->packetblob[i]);
    }
    _ogg_free(vbi);
  }
  memset(vb,0,sizeof(*vb));
  return(0);
}

POC: libvorbis_1.3.5_null_pointer_dereference.ogg

CVE: CVE-2017-11735

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42399.zip
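The following triage harness is an addition to this advisory and is not code from the advisory author, libvorbis, SoX or mp3splt. It reproduces both PoCs above (the sox OOM and the mp3splt segfault) under a hard address-space cap and a wall-clock timeout, so a runaway encoder allocation like the one in the syslog excerpt fails inside the target instead of waking the kernel OOM killer on the test host, reaps the child with wait4() to record its peak RSS, and classifies the outcome from the wait status. The 512 MiB cap and 30 s timeout are assumed defaults; under the cap the sox case is expected to surface as an "error" or "crash" verdict (malloc failure inside libvorbis) rather than the "killed" verdict an uncapped run produces.

```python
"""Run a crash/OOM PoC under RLIMIT_AS and a timeout, then classify the result.

Assumed usage (commands taken from the advisory above):
    python3 triage.py ./sox libvorbis_1.3.5_OOM.wav out.ogg
    python3 triage.py ./mp3splt -P -t 0.9 libvorbis_1.3.5_null_pointer_dereference.ogg
"""
import os
import resource
import signal
import subprocess
import sys
import threading
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class RunResult:
    verdict: str                 # "ok", "error", "crash", "abort", "killed", "timeout", "signal"
    returncode: Optional[int]    # exit status if the child exited normally, else None
    signal_name: Optional[str]   # e.g. "SIGSEGV" if the child died from a signal, else None
    max_rss_mib: float           # peak resident set size of the child, from wait4()
    stderr_tail: str             # last bytes of stderr (assert/sanitizer output lives here)


def _apply_limits(mem_limit_bytes: int) -> None:
    # Runs in the child between fork() and exec() (POSIX only). Capping the
    # address space makes oversized allocations fail inside the target, and
    # disabling core files keeps a corpus run from filling the disk.
    resource.setrlimit(resource.RLIMIT_AS, (mem_limit_bytes, mem_limit_bytes))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def run_poc(cmd: Sequence[str], mem_limit_mb: int = 512, timeout_s: float = 30.0) -> RunResult:
    timed_out = threading.Event()
    proc = subprocess.Popen(
        list(cmd),
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.PIPE,
        preexec_fn=lambda: _apply_limits(mem_limit_mb * 1024 * 1024),
    )

    def watchdog() -> None:
        # Wall-clock guard: SIGKILL so a looping decoder cannot ignore it.
        timed_out.set()
        try:
            os.kill(proc.pid, signal.SIGKILL)
        except ProcessLookupError:
            pass

    timer = threading.Timer(timeout_s, watchdog)
    timer.start()
    try:
        stderr = proc.stderr.read()            # EOF once the child has exited or been killed
        _, status, usage = os.wait4(proc.pid, 0)  # reap ourselves to get rusage
    finally:
        timer.cancel()
        proc.stderr.close()

    # ru_maxrss is KiB on Linux and bytes on macOS.
    if sys.platform == "darwin":
        max_rss_mib = usage.ru_maxrss / (1024 * 1024)
    else:
        max_rss_mib = usage.ru_maxrss / 1024
    tail = stderr[-400:].decode("utf-8", "replace")

    if os.WIFSIGNALED(status):
        sig = signal.Signals(os.WTERMSIG(status))
        proc.returncode = -int(sig)            # already reaped; stop Popen from waiting again
        if sig == signal.SIGKILL and timed_out.is_set():
            verdict = "timeout"
        elif sig == signal.SIGKILL:
            verdict = "killed"                  # not ours: typically the kernel OOM killer
        elif sig in (signal.SIGSEGV, signal.SIGBUS, signal.SIGILL, signal.SIGFPE):
            verdict = "crash"                   # e.g. free(0x80) in the mp3splt case
        elif sig == signal.SIGABRT:
            verdict = "abort"                   # assert(), glibc heap check or sanitizer
        else:
            verdict = "signal"
        return RunResult(verdict, None, sig.name, max_rss_mib, tail)

    rc = os.WEXITSTATUS(status)
    proc.returncode = rc
    # Non-zero exit under RLIMIT_AS usually means the target noticed a failed
    # allocation and bailed out; that is the capped form of the sox OOM.
    return RunResult("ok" if rc == 0 else "error", rc, None, max_rss_mib, tail)


if __name__ == "__main__":
    r = run_poc(sys.argv[1:])
    print(f"{r.verdict} rc={r.returncode} sig={r.signal_name} max_rss={r.max_rss_mib:.1f} MiB")
    if r.stderr_tail:
        print(r.stderr_tail)
```

Run it once without the cap (mem_limit_mb large) to see the same SIGKILL the syslog shows, then with the cap to get a deterministic, host-safe reproduction; the max_rss column is the quickest way to tell an allocation blow-up from an ordinary invalid-free crash when working through a directory of PoC files.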