Sound eXchange (SoX) 14.4.2 – Multiple Vulnerabilities

Exploit Database
117 阅读

作者： qflb.wu

日期： 2017-07-31
类别：
- dos
平台：
- linux
来源：https://www.exploit-db.com/exploits/42398/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

Sound eXchange (SoX) multiple vulnerabilities

================

Author : qflb.wu

===============

Introduction:

=============

SoX is a cross-platform (Windows, Linux, MacOS X, etc.) command line utility that can convert various formats of computer audio files in to other formats. It can also apply various effects to these sound files, and, as an added bonus, SoX can play and record audio files on most platforms.

Affected version:

=====

14.4.2

Vulnerability Description:

==========================

the startread function in wav.c in Sound eXchange(SoX) 14.4.2 can cause a denial of service(divide-by-zero error and application crash) via a crafted wav file.

./sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg

----debug info:----

Program received signal SIGFPE, Arithmetic exception.

0x00007ffff7b9c829 in startread (ft=0x611540) at wav.c:950

950wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) / ft->signal.channels;

(gdb) disassemble 0x00007ffff7b9c829,0x00007ffff7b9c8ff

Dump of assembler code from 0x7ffff7b9c829 to 0x7ffff7b9c8ff:

=> 0x00007ffff7b9c829 <startread+1577>:div%rcx

0x00007ffff7b9c82c <startread+1580>:mov%rax,0x0(%rbp)

0x00007ffff7b9c830 <startread+1584>:imul %rcx,%rax

0x00007ffff7b9c834 <startread+1588>:mov%rax,0x18(%rbx)

0x00007ffff7b9c838 <startread+1592>:mov0x28(%rbp),%r8d

0x00007ffff7b9c83c <startread+1596>:test %r8d,%r8d

0x00007ffff7b9c83f <startread+1599>:je 0x7ffff7b9c849 <startread+1609>

0x00007ffff7b9c841 <startread+1601>:movq $0x0,0x18(%rbx)

0x00007ffff7b9c849 <startread+1609>:mov%r9d,0x14(%rsp)

0x00007ffff7b9c84e <startread+1614>:mov%edi,0x10(%rsp)

0x00007ffff7b9c852 <startread+1618>:callq0x7ffff7b50390 <sox_get_globals@plt>

0x00007ffff7b9c857 <startread+1623>:cmpw $0x1,0x22(%rsp)

0x00007ffff7b9c85d <startread+1629>:lea0x241fa(%rip),%rdx# 0x7ffff7bc0a5e

0x00007ffff7b9c864 <startread+1636>:mov0x10(%rsp),%edi

0x00007ffff7b9c868 <startread+1640>:mov0x30(%rsp),%r8d

0x00007ffff7b9c86d <startread+1645>:lea0x1de3a(%rip),%rcx# 0x7ffff7bba6ae

0x00007ffff7b9c874 <startread+1652>:mov%rdx,0x40(%rax)

0x00007ffff7b9c878 <startread+1656>:lea0x115e7(%rip),%rax# 0x7ffff7bade66

---Type <return> to continue, or q <return> to quit---q

End of assembler dump.

(gdb) i r

rax0x5371335

rbx0x6115406362432

rcx0x00

rdx0x00

rsi0x88

rdi0x11

rbp0x611a600x611a60

rsp0x7fffffffdc000x7fffffffdc00

r8 0x7ffff7fce7c0140737353934784

r9 0x00

r100x7fffffffd9c0140737488345536

r110x7ffff72cca80140737340295808

r120x5371335

r130x7fffffffdc50140737488346192

r140x7fffffffdc40140737488346176

r150x00

rip0x7ffff7b9c8290x7ffff7b9c829 <startread+1577>

eflags 0x10246[ PF ZF IF RF ]

cs 0x3351

ss 0x2b43

ds 0x00

es 0x00

fs 0x00

gs 0x00

(gdb)

POC:

sox_14.4.2_divide_by_zero_error_1.wav

CVE:

CVE-2017-11332

the read_samples function in hcom.c in Sound eXchange(SoX) 14.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted hcom file.

./sox sox_14.4.2_invalid_memory_read.hcom out.wav

----debug info:----

Program received signal SIGSEGV, Segmentation fault.

read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215

215if(p->dictionary[p->dictentry].dict_leftson < 0) {

(gdb) bt

#0read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215

#10x00007ffff7b58409 in sox_read (ft=ft@entry=0x611590, buf=<optimized out>,

len=8192) at formats.c:978

#20x0000000000409dd4 in sox_read_wide (ft=0x611590, buf=<optimized out>,

max=<optimized out>) at sox.c:490

#30x000000000040a32e in combiner_drain (effp=0x614410, obuf=0x6145f0,

osamp=0x7fffffffdbb0) at sox.c:552

#40x00007ffff7b68c0d in drain_effect (n=0, chain=0x614260) at effects.c:352

#5sox_flow_effects (chain=0x614260,

callback=callback@entry=0x405a80 <update_status>,

client_data=client_data@entry=0x0) at effects.c:445

#60x0000000000407bf6 in process () at sox.c:1802

#70x0000000000403085 in main (argc=3, argv=0x7fffffffdf98) at sox.c:3008

(gdb) disassemble

Dump of assembler code for function read_samples:

0x00007ffff7b93900 <+0>:push %r15

0x00007ffff7b93902 <+2>:push %r14

0x00007ffff7b93904 <+4>:mov%rsi,%r14

0x00007ffff7b93907 <+7>:push %r13

0x00007ffff7b93909 <+9>:push %r12

0x00007ffff7b9390b <+11>:push %rbp

0x00007ffff7b9390c <+12>:push %rbx

0x00007ffff7b9390d <+13>:mov%rdi,%rbx

0x00007ffff7b93910 <+16>:sub$0x28,%rsp

0x00007ffff7b93914 <+20>:mov0x2d0(%rdi),%r15

0x00007ffff7b9391b <+27>:mov0x24(%r15),%esi

0x00007ffff7b9391f <+31>:test %esi,%esi

0x00007ffff7b93921 <+33>:js 0x7ffff7b93a60 <read_samples+352>

0x00007ffff7b93927 <+39>:mov0x10(%r15),%rdi

0x00007ffff7b9392b <+43>:xor%eax,%eax

0x00007ffff7b9392d <+45>:lea(%rax,%rdx,1),%r13d

0x00007ffff7b93931 <+49>:lea0x28(%r15),%rbp

0x00007ffff7b93935 <+53>:mov%rdx,%r12

0x00007ffff7b93938 <+56>:lea0x1(%r13),%eax

0x00007ffff7b9393c <+60>:mov%eax,0xc(%rsp)

0x00007ffff7b93940 <+64>:mov%r13d,%eax

0x00007ffff7b93943 <+67>:mov%r12d,0x8(%rsp)

---Type <return> to continue, or q <return> to quit---

0x00007ffff7b93948 <+72>:sub%r12d,%eax

0x00007ffff7b9394b <+75>:mov%eax,(%rsp)

0x00007ffff7b9394e <+78>:jmp0x7ffff7b93989 <read_samples+137>

0x00007ffff7b93950 <+80>:lea-0x1(%rax),%r8d

0x00007ffff7b93954 <+84>:movslq 0x20(%r15),%rax

0x00007ffff7b93958 <+88>:mov0x28(%r15),%edx

0x00007ffff7b9395c <+92>:mov(%r15),%rsi

0x00007ffff7b9395f <+95>:shl$0x4,%rax

0x00007ffff7b93963 <+99>:test %edx,%edx

0x00007ffff7b93965 <+101>:js 0x7ffff7b939e0 <read_samples+224>

0x00007ffff7b93967 <+103>:movswq 0x8(%rsi,%rax,1),%rax

0x00007ffff7b9396d <+109>:mov%eax,0x20(%r15)

0x00007ffff7b93971 <+113>:shl$0x4,%rax

0x00007ffff7b93975 <+117>:add%edx,%edx

0x00007ffff7b93977 <+119>:mov%r8d,0x24(%r15)

0x00007ffff7b9397b <+123>:add%rsi,%rax

0x00007ffff7b9397e <+126>:mov%edx,0x28(%r15)

=> 0x00007ffff7b93982 <+130>:cmpw $0x0,0x8(%rax)

0x00007ffff7b93987 <+135>:js 0x7ffff7b939f0 <read_samples+240>

0x00007ffff7b93989 <+137>:test %rdi,%rdi

0x00007ffff7b9398c <+140>:jle0x7ffff7b93a48 <read_samples+328>

0x00007ffff7b93992 <+146>:mov0x24(%r15),%eax

0x00007ffff7b93996 <+150>:test %eax,%eax

---Type <return> to continue, or q <return> to quit---q

Quit

(gdb) i r

rax0x631b306495024

rbx0x6115906362512

rcx0x11

rdx0x6900006881280

rsi0x611b206363936

rdi0x5241316

rbp0x611ad80x611ad8

rsp0x7fffffffda300x7fffffffda30

r8 0x1016

r9 0x7ffff7fce7c0140737353934784

r100x7fffffffd7f0140737488345072

r110x7ffff72cb2e0140737340289760

r120x1ff98185

r130x20008192

r140x61460c6374924

r150x611ab06363824

rip0x7ffff7b939820x7ffff7b93982 <read_samples+130>

eflags 0x10206[ PF IF RF ]

cs 0x3351

ss 0x2b43

ds 0x00

es 0x00

fs 0x00

---Type <return> to continue, or q <return> to quit---q

Quit

(gdb) x/20x $rax+8

0x631b38:Cannot access memory at address 0x631b38

(gdb)

POC:

sox_14.4.2_invalid_memory_read.hcom

CVE:

CVE-2017-11358

the wavwritehdr function in wav.c in Sound eXchange(SoX) 14.4.2 allows remote attackers to cause a denial of service(divide-by-zero error and application crash) via a crafted snd file which convert to wav file.

./sox sox_14.4.2_divide_by_zero_error_2.snd out.wav

----debug info:----

Program received signal SIGFPE, Arithmetic exception.

0x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0,

second_header=second_header@entry=0) at wav.c:1457

1457blocksWritten = MS_UNSPEC/wBlockAlign;

(gdb) bt

#00x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0,

second_header=second_header@entry=0) at wav.c:1457

#10x00007ffff7b9c0e9 in startwrite (ft=0x611bf0) at wav.c:1252

#20x00007ffff7b59e32 in open_write (

path=path@entry=0x611bc0 "/home/a/Documents/out.wav",

buffer=buffer@entry=0x0, buffer_size=buffer_size@entry=0,

buffer_ptr=buffer_ptr@entry=0x0,

buffer_size_ptr=buffer_size_ptr@entry=0x0, signal=signal@entry=0x611410,

encoding=encoding@entry=0x611430, filetype=0x611bd6 "wav",

oob=oob@entry=0x7fffffffdcd0,

overwrite_permitted=overwrite_permitted@entry=0x409ce0 <overwrite_permitted>) at formats.c:912

#30x00007ffff7b5a5e8 in sox_open_write (

path=path@entry=0x611bc0 "/home/a/Documents/out.wav",

signal=signal@entry=0x611410, encoding=encoding@entry=0x611430,

filetype=<optimized out>, oob=oob@entry=0x7fffffffdcd0,

overwrite_permitted=overwrite_permitted@entry=0x409ce0 <overwrite_permitted>) at formats.c:948

#40x000000000040847a in open_output_file () at sox.c:1557

#5process () at sox.c:1754

#60x0000000000403085 in main (argc=3, argv=0x7fffffffdfa8) at sox.c:3008

(gdb) disassemble 0x00007ffff7b9a97b,0x00007ffff7b9a9ff

Dump of assembler code from 0x7ffff7b9a97b to 0x7ffff7b9a9ff:

=> 0x00007ffff7b9a97b <wavwritehdr+427>:idivl0x10(%rsp)

0x00007ffff7b9a97f <wavwritehdr+431>:movslq %eax,%rcx

0x00007ffff7b9a982 <wavwritehdr+434>:imul %eax,%r12d

0x00007ffff7b9a986 <wavwritehdr+438>:mov%rcx,0x48(%rsp)

0x00007ffff7b9a98b <wavwritehdr+443>:imul %r14d,%eax

0x00007ffff7b9a98f <wavwritehdr+447>:cmp$0x31,%bp

0x00007ffff7b9a993 <wavwritehdr+451>:mov%eax,0x40(%rsp)

0x00007ffff7b9a997 <wavwritehdr+455>:je 0x7ffff7b9aff0 <wavwritehdr+2080>

0x00007ffff7b9a99d <wavwritehdr+461>:cmp$0x1,%bp

0x00007ffff7b9a9a1 <wavwritehdr+465>:je 0x7ffff7b9b0a8 <wavwritehdr+2264>

0x00007ffff7b9a9a7 <wavwritehdr+471>:movzwl 0x3e(%rsp),%eax

0x00007ffff7b9a9ac <wavwritehdr+476>:movl $0x0,0x34(%rsp)

0x00007ffff7b9a9b4 <wavwritehdr+484>:lea0x12(%rax),%r13d

0x00007ffff7b9a9b8 <wavwritehdr+488>:mov%r12d,%eax

0x00007ffff7b9a9bb <wavwritehdr+491>:and$0x1,%eax

0x00007ffff7b9a9be <wavwritehdr+494>:movzwl %r13w,%r13d

0x00007ffff7b9a9c2 <wavwritehdr+498>:lea(%r12,%r13,1),%edx

0x00007ffff7b9a9c6 <wavwritehdr+502>:add%edx,%eax

0x00007ffff7b9a9c8 <wavwritehdr+504>:cmp$0x1,%bp

0x00007ffff7b9a9cc <wavwritehdr+508>:setne0x3d(%rsp)

---Type <return> to continue, or q <return> to quit---q

Quit

(gdb) x/10gx $rsp+10

0x7fffffffdaaa:0x00000000000000000x0056000000000000

0x7fffffffdaba:0x00010000000000d40x0001000000000000

0x7fffffffdaca:0x00000000000800000x0000000000000008

0x7fffffffdada:0x0fe000007fff00000x876000007ffff7bc

0x7fffffffdaea:0x00d000007ffff7610x21a0000000000000

(gdb)

POC:

sox_14.4.2_divide_by_zero_error_2.snd

CVE:

CVE-2017-11359

Proof of Concept:

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42398.zip