
List:       full-disclosure
Subject:    [FD] Nosefart denial of service vulnerability
From:       "qflb.wu" <qflb.wu () dbappsecurity ! com ! cn>
Date:       2017-07-30 8:02:02
Message-ID: 6fdf2a1f.e44.15d92843056.Coremail.qflb.wu () dbappsecurity ! com ! cn


Nosefart denial of service vulnerability
========================================
Author : qflb.wu
===============


Introduction:
=============
Nosefart is an NES music player. It plays NSF (Nintendo Entertainment System Sound Format) files, so you can listen to those old tunes without actually having to play through the games.


Affected version:
=================
2.9-mls


Vulnerability Description:
==========================
The chk_mem_access function in src/cpu/nes6502/nes6502.c in libnosefart.a in Nosefart 2.9-mls can cause a denial of service (invalid memory read and application crash) via a crafted NSF file. In the trace below, the emulated CPU reads address 61962 through _bank_readbyte, and chk_mem_access then dereferences an access pointer (0x69752e) that does not point into mapped memory.


./nosefart nosefart_2.9-mls_invalid_memory_read.nsf


Program received signal SIGSEGV, Segmentation fault.
0x0000000000401940 in chk_mem_access (
    access=0x69752e <error: Cannot access memory at address 0x69752e>, flags=4)
    at src/cpu/nes6502/nes6502.c:1195
1195  uint8 oldchk = * access;
(gdb) bt
#0  0x0000000000401940 in chk_mem_access (
    access=0x69752e <error: Cannot access memory at address 0x69752e>, flags=4)
    at src/cpu/nes6502/nes6502.c:1195
#1  0x0000000000401ad6 in _bank_readbyte (address=61962, flags=4 '\004')
    at src/cpu/nes6502/nes6502.c:1265
#2  0x00000000004022c2 in nes6502_execute (remaining_cycles=29823)
    at src/cpu/nes6502/nes6502.c:1549
#3  0x0000000000408630 in nsf_inittune (nsf=0x6222a0) at src/machine/nsf.c:309
#4  0x0000000000409adb in nsf_playtrack (nsf=0x6222a0, track=1, 
    sample_rate=44100, sample_bits=8, stereo=0 '\000') at src/machine/nsf.c:997
#5  0x00000000004106ee in nsf_setupsong () at src/linux/main_linux.c:403
#6  0x0000000000410be9 in play (
    filename=0x622030 "/home/a/Documents/file", track=1, doautocalc=0, 
    reps=0, starting_frame=0, limited=0) at src/linux/main_linux.c:534
#7  0x0000000000411122 in main (argc=2, argv=0x7fffffffdfc8)
    at src/linux/main_linux.c:690
(gdb) 
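As an added example (not Nosefart's own code), the defensive pattern a maintainer would apply at the point of this crash: a banked read that checks the bank pointer before dereferencing it, so a file that leaves a bank unmapped gets an error instead of a segfault. The 16 x 4 KiB bank split of the 64 KiB 6502 address space and every name below are assumptions; the memory map in demo_memory is constructed.

```c
/* Added example, not Nosefart's code: a banked 6502 read that refuses to
 * dereference an unmapped bank. The 16 x 4 KiB bank split of the 64 KiB
 * address space and every name below are assumptions. */
#include <stdint.h>
#include <string.h>

#define BANKSHIFT 12
#define NUMBANKS  16
#define BANKMASK  0x0FFF

typedef struct {
    uint8_t *bank[NUMBANKS];   /* NULL: this bank was never mapped by the file */
} banked_mem_t;

/* Returns 0 and stores the byte in *out, or -1 for an unmapped bank.
 * The check happens before any pointer arithmetic on bank[idx]. */
int bank_readbyte_checked(const banked_mem_t *m, uint16_t address, uint8_t *out)
{
    unsigned idx = address >> BANKSHIFT;
    if (idx >= NUMBANKS || m->bank[idx] == NULL)
        return -1;                           /* fail closed instead of faulting */
    *out = m->bank[idx][address & BANKMASK];
    return 0;
}

/* Constructed memory map: RAM at bank 0, one ROM bank at 0xF000, all else unmapped. */
const banked_mem_t *demo_memory(void)
{
    static uint8_t ram[0x1000], rom[0x1000];
    static banked_mem_t m;
    static int built;
    if (!built) {
        memset(rom, 0xEA, sizeof rom);       /* 0xEA = 6502 NOP as filler */
        m.bank[0] = ram;
        m.bank[0xF] = rom;
        built = 1;
    }
    return &m;
}

/* Byte value 0..255 for a mapped address, -1 for an unmapped one. */
int demo_read(uint16_t address)
{
    uint8_t b;
    return bank_readbyte_checked(demo_memory(), address, &b) == 0 ? b : -1;
}
```

Address 61962 (0xF20A) from the backtrace lands in bank 0xF, which the demo maps, while 0x8000 lands in an unmapped bank and is rejected rather than read.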


POC:
nosefart_2.9-mls_invalid_memory_read.nsf
CVE:
CVE-2017-11119




===============================




qflb.wu () dbappsecurity com cn



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

