libid3tag multiple vulnerabilities
==================================

Author: qflb.wu
===============

Introduction:
=============
Libid3tag is an ID3 tag manipulation library.

Affected version:
=================
0.15.1b

Vulnerability Description:
==========================

1. The id3_ucs4_length function in ucs4.c in libid3tag 0.15.1b can cause a denial of service (NULL pointer dereference and application crash) via a crafted mp3 file.

I found this bug when I tested mpg321 0.3.2, which uses the libid3tag library.

./mpg321 libid3tag_0.15.1b_null_pointer_dereference.mp3

----debug info:----
Program received signal SIGSEGV, Segmentation fault.
id3_ucs4_length (ucs4=ucs4@entry=0x0) at ucs4.c:46
46        while (*ptr)
(gdb) bt
#0  id3_ucs4_length (ucs4=ucs4@entry=0x0) at ucs4.c:46
#1  0x00007ffff76be311 in id3_compat_fixup (tag=tag@entry=0x60400000ce50) at compat.gperf:240
#2  0x00007ffff76c069f in v2_parse (ptr=0x61200000b9a1 "") at tag.c:613
#3  id3_tag_parse (data=data@entry=0x61200000b8c0 "ID3\002", length=length@entry=263) at tag.c:665
#4  0x00007ffff76c1504 in read_tag (size=263, iofile=<optimized out>) at file.c:103
#5  add_tag (file=file@entry=0x60600000eba0, length=263) at file.c:228
#6  0x00007ffff76c16cb in search_tags (file=0x60600000eba0) at file.c:307
#7  new_file (iofile=iofile@entry=0x61600000de80, mode=mode@entry=ID3_FILE_MODE_READONLY, path=path@entry=0x60400000dfd0 "/home/a/Documents/file") at file.c:407
#8  0x00007ffff76c1890 in id3_file_open (path=0x60400000dfd0 "/home/a/Documents/file", mode=ID3_FILE_MODE_READONLY) at file.c:439
#9  0x0000000000485f24 in get_id3_info (fname=<optimized out>, id3struct=<optimized out>, id3tag=<optimized out>) at mpg321.c:485
#10 main (argc=<optimized out>, argv=<optimized out>) at mpg321.c:790
(gdb)
-------------------
Breakpoint 2, id3_ucs4_length (ucs4=ucs4@entry=0x0) at ucs4.c:46
46        while (*ptr)
(gdb) disassemble
Dump of assembler code for function id3_ucs4_length:
=> 0x00007ffff76baee0 <+0>:     cmpq   $0x0,(%rdi)
   0x00007ffff76baee4 <+4>:     je     0x7ffff76baf02 <id3_ucs4_length+34>
   0x00007ffff76baee6 <+6>:     mov    %rdi,%rax
   0x00007ffff76baee9 <+9>:     nopl   0x0(%rax)
   0x00007ffff76baef0 <+16>:    add    $0x8,%rax
   0x00007ffff76baef4 <+20>:    cmpq   $0x0,(%rax)
   0x00007ffff76baef8 <+24>:    jne    0x7ffff76baef0 <id3_ucs4_length+16>
   0x00007ffff76baefa <+26>:    sub    %rdi,%rax
   0x00007ffff76baefd <+29>:    sar    $0x3,%rax
   0x00007ffff76baf01 <+33>:    retq
   0x00007ffff76baf02 <+34>:    xor    %eax,%eax
   0x00007ffff76baf04 <+36>:    retq
End of assembler dump.
(gdb) i r
rax            0x0                 0
rbx            0x5                 5
rcx            0x0                 0
rdx            0x10                16
rsi            0x5                 5
rdi            0x0                 0
rbp            0x7ffff76c329c      0x7ffff76c329c
rsp            0x7fffffffb998      0x7fffffffb998
r8             0x0                 0
r9             0x7ffff6f7f7b8      140737336833976
r10            0x7fffffffb760      140737488336736
r11            0x7ffff76bde80      140737344429696
r12            0x2                 2
r13            0x6236d0            6436560
r14            0x6254bc            6444220
r15            0x0                 0
rip            0x7ffff76baee0      0x7ffff76baee0 <id3_ucs4_length>
eflags         0x246               [ PF ZF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) ni
Program received signal SIGSEGV, Segmentation fault.
id3_ucs4_length (ucs4=ucs4@entry=0x0) at ucs4.c:46
46        while (*ptr)
(gdb)
--------------------

The faulting function in ucs4.c; note that the pointer is dereferenced before it is ever checked, so the NULL passed in from id3_compat_fixup (rdi == 0x0 above) faults on the first cmpq:

    id3_length_t id3_ucs4_length(id3_ucs4_t const *ucs4)
    {
      id3_ucs4_t const *ptr = ucs4;

      while (*ptr)
        ++ptr;

      return ptr - ucs4;
    }

POC: libid3tag_0.15.1b_null_pointer_dereference.mp3
CVE: CVE-2017-11550

2. The id3_field_parse function in field.c in libid3tag 0.15.1b can cause a denial of service (OOM, out of memory) via a crafted mp3 file.

I found this bug when I tested mpg321 0.3.2, which uses the libid3tag library.

./mpg321 libid3tag_0.15.1b_OOM.mp3

----debug info:----
(gdb) bt
#0  id3_field_parse (field=0x625180, ptr=ptr@entry=0x7fffffffba48, length=<optimized out>, encoding=encoding@entry=0x7fffffffba3c) at field.c:306
#1  0x00007ffff76bf10b in parse_data (frame=0x625120, frame=0x625120, length=<optimized out>, data=0x623352 "") at frame.c:252
#2  id3_frame_parse (ptr=ptr@entry=0x7fffffffbad8, length=length@entry=96, version=<optimized out>) at frame.c:464
#3  0x00007ffff76c03c4 in v2_parse (ptr=0x623353 "TT1") at tag.c:607
#4  id3_tag_parse (data=data@entry=0x623290 "ID3\002", length=length@entry=263) at tag.c:665
#5  0x00007ffff76c1504 in read_tag (size=263, iofile=<optimized out>) at file.c:103
#6  add_tag (file=file@entry=0x62b7f0, length=263) at file.c:228
#7  0x00007ffff76c16cb in search_tags (file=0x62b7f0) at file.c:307
#8  new_file (iofile=iofile@entry=0x623450, mode=mode@entry=ID3_FILE_MODE_READONLY, path=path@entry=0x623040 "/home/a/Documents/file") at file.c:407
#9  0x00007ffff76c1890 in id3_file_open (path=path@entry=0x623040 "/home/a/Documents/file", mode=mode@entry=ID3_FILE_MODE_READONLY) at file.c:439
#10 0x00000000004053c9 in get_id3_info (fname=fname@entry=0x623040 "/home/a/Documents/file", id3struct=id3struct@entry=0x7fffffffbd08, id3tag=id3tag@entry=0x7fffffffbd10) at mpg321.c:485
#11 0x0000000000403eae in main (argc=<optimized out>, argv=<optimized out>) at mpg321.c:790
(gdb) r
Program terminated with signal SIGKILL, Killed.
----------------

## in field.c, id3_field_parse function, line 294 ==> line 308

The string-list loop keeps appending a freshly parsed string and growing the list with realloc for as long as input remains; nothing bounds the number of strings a single field may hold:

    while (end - *ptr > 0) {
      ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
      if (ucs4 == 0)
        goto fail;

      strings = realloc(field->stringlist.strings,
                        (field->stringlist.nstrings + 1) * sizeof(*strings));
      if (strings == 0) {
        free(ucs4);
        goto fail;
      }

      field->stringlist.strings = strings;
      field->stringlist.strings[field->stringlist.nstrings++] = ucs4;
    }

POC: libid3tag_0.15.1b_OOM.mp3
CVE: CVE-2017-11551

===============================
qflb.wu () dbappsecurity com cn
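For the first issue (id3_ucs4_length), an added example that is neither libid3tag's code nor the reported fix: the function as quoted in the advisory, beside a variant that treats a NULL string as empty and additionally bounds the walk to a caller-supplied maximum (a generalisation beyond the NULL case, for unterminated buffers). The two typedefs are assumptions made to keep the example self-contained.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t id3_ucs4_t;    /* UCS-4 code unit; assumed to match libid3tag's typedef */
typedef size_t   id3_length_t;  /* assumed to match libid3tag's length type */

/* The function as quoted in the advisory.  It reads *ptr before checking the
 * pointer, so a NULL field string (rdi == 0x0 in the register dump) faults on
 * the very first "cmpq $0x0,(%rdi)". */
id3_length_t id3_ucs4_length(id3_ucs4_t const *ucs4)
{
  id3_ucs4_t const *ptr = ucs4;
  while (*ptr)
    ++ptr;
  return ptr - ucs4;
}

/* Hardened variant (written for this example, not libid3tag's own fix): a
 * NULL string counts as empty, and the walk stops after 'max' code units so
 * an unterminated buffer cannot be read past its end either. */
id3_length_t id3_ucs4_nlength(id3_ucs4_t const *ucs4, id3_length_t max)
{
  id3_length_t n = 0;
  if (ucs4 == NULL)
    return 0;
  while (n < max && ucs4[n] != 0)
    ++n;
  return n;
}

/* Constructed sample inputs. */
const id3_ucs4_t sample_title[]   = { 'T', 'i', 't', 'l', 'e', 0 };
const id3_ucs4_t sample_noterm[4] = { 'A', 'b', 'c', 'd' };  /* no terminator */

int main(void)
{
  printf("title:  %zu\n", (size_t)id3_ucs4_nlength(sample_title, 64));  /* 5 */
  printf("NULL:   %zu\n", (size_t)id3_ucs4_nlength(NULL, 64));          /* 0 */
  printf("noterm: %zu\n", (size_t)id3_ucs4_nlength(sample_noterm, 4));  /* 4 */
  return 0;
}
```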
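For the second issue (the string-list loop in id3_field_parse), an added example that is not libid3tag's code: a model of the quoted loop with two defensive guards, one requiring the string parser to have consumed input before the list grows, and one capping the number of strings per field. The parse_string stand-in, its no-progress behaviour when no terminator remains, and the cap value MAX_FIELD_STRINGS are assumptions of this example, not statements about libid3tag's parser.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_FIELD_STRINGS 256  /* per-field cap chosen for this example */
struct stringlist { char **strings; unsigned int nstrings; };
/* Stand-in for id3_parse_string (an assumption for this example, not libid3tag
 * code): copies the next NUL-terminated string and advances *ptr past it.  With
 * no terminator left it returns an empty string but consumes nothing. */
static char *parse_string(const unsigned char **ptr, const unsigned char *end)
{
  const unsigned char *nul = memchr(*ptr, 0, (size_t)(end - *ptr));
  if (nul == NULL) return calloc(1, 1);   /* "success" without progress */
  size_t len = (size_t)(nul - *ptr);
  char *s = malloc(len + 1);
  if (s == NULL) return NULL;
  memcpy(s, *ptr, len); s[len] = '\0';
  *ptr = nul + 1;
  return s;
}
void stringlist_free(struct stringlist *sl)
{
  for (unsigned int i = 0; i < sl->nstrings; i++) free(sl->strings[i]);
  free(sl->strings); sl->strings = NULL; sl->nstrings = 0;
}
/* The advisory's loop with two added guards: the parser must have advanced and
 * the list may not exceed MAX_FIELD_STRINGS.  Returns 0, or -1 on rejection
 * (the caller releases whatever was collected so far). */
int parse_stringlist(struct stringlist *sl, const unsigned char *data, size_t length)
{
  const unsigned char *ptr = data, *end = data + length;
  while (end - ptr > 0) {
    const unsigned char *before = ptr;
    char *s = parse_string(&ptr, end);
    if (s == NULL) return -1;
    if (ptr == before || sl->nstrings >= MAX_FIELD_STRINGS) { free(s); return -1; }
    char **strings = realloc(sl->strings, (sl->nstrings + 1) * sizeof(*strings));
    if (strings == NULL) { free(s); return -1; }
    sl->strings = strings; strings[sl->nstrings++] = s;
  }
  return 0;
}
/* Number of strings parsed from a field body, or -1 if it was rejected. */
int count_strings(const unsigned char *data, size_t length)
{
  struct stringlist sl = { NULL, 0 };
  int n = parse_stringlist(&sl, data, length) == 0 ? (int)sl.nstrings : -1;
  stringlist_free(&sl);
  return n;
}
/* Constructed input: a run of empty strings (every byte is a terminator). */
const unsigned char sample_zeros[300] = { 0 };
```

A field body that ends without a terminator is rejected instead of spinning, and a body of more than MAX_FIELD_STRINGS strings is rejected instead of growing the list without bound.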
Attachment:
poc.zip
Description: Zip compressed data
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/