[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Gstreamer ID3v2 v1.0 - Out of Bounds Read

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Gstreamer ID3v2 v1.0 - Out of Bounds Read
From: Joshua <joshua2014@xxxxxxxxxxxxx>
Date: Thu, 08 Dec 2016 19:22:33 -0500

Gstreamer ID3v2 v1.0 - Out of Bounds Read


A maliciously crafted ID3v2-tagged file enables an out-of-bounds memory read 
against Gstreamer 1.0.

The Gstreamer ID3v2 implementation uses arbitrarily supplied data to generate 
buffers for the ID3v2 object and frames. By providing a maliciously crafted 
file with a null length in the ID3v2 header and an arbitrarily set length in 
the succeeding frame it is possible to generate an out of bounds read. An 
attacker may leverage this vulnerability to cause at minimum a denial of 
service attack.


This vulnerability previously affects GNU/Linux-based Firefox versions 43 and 
below. Since Firefox is no longer built against Gstreamer the vulnerability is 
no longer relevant.


Relevant Data Structure:

ID3v2 Header Size (Offset 0x6): 4 bytes ID3v2 Frame Size (Offset 0xE): 4 bytes

Reproduction:


Command
Impact

GST_DEBUG="*:6" totem crash.mp3
crashes

GST_DEBUG="*:6" totem no-crash.mp3
this file overflows but does not cause a crash in non-ASAN builds


More info and sample files: 
https://github.com/joshuayabut/gstreamerID3v2/tree/master

- MOVRCX X64 EDITION


Sent from [ProtonMail](https://protonmail.ch), encrypted email based in 
Switzerland.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Splunk Enterprise Server-Side Request Forgery
Next by Date: [FD] Roundcube 1.2.2: Command Execution via Email
Previous by thread: [FD] Splunk Enterprise Server-Side Request Forgery
Next by thread: [FD] Roundcube 1.2.2: Command Execution via Email
Index(es):
- Date
- Thread