[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] TiMidity++ multiple vulnerabilities
From: "qflb.wu" <qflb.wu () dbappsecurity ! com ! cn>
Date: 2017-07-31 2:33:08
Message-ID: 17740290.e99.15d967d6c37.Coremail.qflb.wu () dbappsecurity ! com ! cn
[Download RAW message or body]
[Attachment #2 (text/plain)]
TiMidity++ multiple vulnerabilities
================
Author : qflb.wu
===============
Introduction:
=============
TiMidity++ is an open source MIDI to WAVE converter and player.
Affected version:
=====
2.14.0
Vulnerability Description:
==========================
1.
the insert_note_steps function in readmidi.c in TiMidity++ 2.14.0 can cause a denial of \
service(divide-by-zero error and application crash) via a crafted mid file.
./timidity timidity++_2.14.0_divide_by_zero_error.mid
----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x000000000071e9a9 in insert_note_steps () at readmidi.c:4594
4594at += current_file_info->divisions * 4 / denom;
(gdb) bt
#0 0x000000000071e9a9 in insert_note_steps () at readmidi.c:4594
#1 read_midi_file (tf=<optimized out>, fn=<optimized out>,
count=<optimized out>, sp=<optimized out>) at readmidi.c:4755
#2 0x0000000000650d6c in play_midi_load_file (event=<optimized out>,
fn=<optimized out>, nsamples=<optimized out>) at playmidi.c:8453
#3 play_midi_file (
fn=0x60400000df90 "/home/a/Documents/test/file")
at playmidi.c:8563
#4 0x0000000000659562 in dumb_pass_playing_list (
number_of_files=<optimized out>, list_of_files=<optimized out>)
at playmidi.c:8624
#5 0x0000000000846119 in timidity_play_main (nfiles=1, files=<optimized out>)
at timidity.c:5655
#6 main (argc=<optimized out>, argv=<optimized out>) at timidity.c:5935
(gdb) disassemble 0x000000000071e9a9,0x000000000071e9ff
Dump of assembler code from 0x71e9a9 to 0x71e9ff:
=> 0x000000000071e9a9 <read_midi_file+13305>:idiv %ecx
0x000000000071e9ab <read_midi_file+13307>:add %eax,%r15d
0x000000000071e9ae <read_midi_file+13310>:mov -0x38(%rbp),%eax
0x000000000071e9b1 <read_midi_file+13313>:cmp %eax,%r15d
0x000000000071e9b4 <read_midi_file+13316>:mov -0x48(%rbp),%rdi
0x000000000071e9b8 <read_midi_file+13320>:mov -0x30(%rbp),%ebx
0x000000000071e9bb <read_midi_file+13323>:jge 0x71e9cb <read_midi_file+13339>
0x000000000071e9bd <read_midi_file+13325>:mov 0x1bd403d(%rip),%eax # 0x22f2a00 \
<readmidi_error_flag> 0x000000000071e9c3 <read_midi_file+13331>:test %eax,%eax
0x000000000071e9c5 <read_midi_file+13333>:je 0x71e635 <read_midi_file+12421>
0x000000000071e9cb <read_midi_file+13339>:mov %fs:0x0,%rax
0x000000000071e9d4 <read_midi_file+13348>:add 0x6cf5fd(%rip),%rax # 0xdedfd8
0x000000000071e9db <read_midi_file+13355>:shr $0x3,%rax
0x000000000071e9df <read_midi_file+13359>:mov 0x7fff8000(%rax),%al
0x000000000071e9e5 <read_midi_file+13365>:test %al,%al
0x000000000071e9e7 <read_midi_file+13367>:je 0x71ea09 <read_midi_file+13401>
0x000000000071e9e9 <read_midi_file+13369>:mov 0x6cf5e8(%rip),%rcx ---Type <return> \
to continue, or q <return> to quit---q Quit
(gdb) i r
rax 0x1e0480
rbx 0x11
rcx 0x00
rdx 0x00
rsi 0x78120
rdi 0xc4a00106edc13511968190172
rbp 0x7fffffffb7b00x7fffffffb7b0
rsp 0x7fffffffad200x7fffffffad20
r8 0x00
r9 0x11
r10 0x1c37d81849304
r11 0x91145
r12 0x11
r13 0xfffffffffffffffc-4
r14 0x00
r15 0x00
rip 0x71e9a90x71e9a9 <read_midi_file+13305>
eflags 0x10246[ PF ZF IF RF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb)
POC:
timidity++_2.14.0_divide_by_zero_error.mid
CVE:
CVE-2017-11546
2.
the resample_gauss function in resample.c in TiMidity++ 2.14.0 can cause a denial of \
service(heap-buffer-overflow) via a crafted mid file.
./timidity timidity++_2.14.0_heap_buffer_overflow.mid
=================================================================
==4658==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b00004c93a at pc 0x76f1db \
bp 0x7fff1cc7ad30 sp 0x7fff1cc7ad28 READ of size 2 at 0x62b00004c93a thread T0
#0 0x76f1da in resample_gauss /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:174
#1 0x777f2d in rs_plain /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:620
#2 0x777f2d in normal_resample_voice \
/home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:1303 #3 0x772e07 in resample_voice \
/home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:1369 #4 0x53d527 in mix_voice \
/home/a/Downloads/TiMidity++-2.14.0/timidity/mix.c:134 #5 0x689989 in do_compute_data_midi \
/home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:6751 #6 0x689989 in do_compute_data \
/home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:7044 #7 0x61e337 in compute_data \
/home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:7433 #8 0x5e95da in play_event \
/home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:7563 #9 0x656379 in play_midi \
/home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:8297 #10 0x656379 in play_midi_file \
/home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:8570 #11 0x659581 in \
dumb_pass_playing_list /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:8624 #12 \
0x846158 in timidity_play_main /home/a/Downloads/TiMidity++-2.14.0/timidity/timidity.c:5655 \
#13 0x846158 in main /home/a/Downloads/TiMidity++-2.14.0/timidity/timidity.c:5935 #14 \
0x7f9bc0dcdec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) #15 0x486fac in _start \
(/home/a/Downloads/TiMidity++-2.14.0/timidity/timidity+0x486fac)
0x62b00004c93b is located 0 bytes to the right of 26427-byte region \
[0x62b000046200,0x62b00004c93b) allocated by thread T0 here:
#0 0x470ec9 in __interceptor_malloc \
(/home/a/Downloads/TiMidity++-2.14.0/timidity/timidity+0x470ec9) #1 0x4acc7b in safe_malloc \
/home/a/Downloads/TiMidity++-2.14.0/timidity/common.c:655 #2 0x81a948 in load_from_file \
/home/a/Downloads/TiMidity++-2.14.0/timidity/sndfont.c:697 #3 0x81a948 in try_load_soundfont \
/home/a/Downloads/TiMidity++-2.14.0/timidity/sndfont.c:469
SUMMARY: AddressSanitizer: heap-buffer-overflow \
/home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:174 resample_gauss Shadow bytes around \
the buggy address: 0x0c56800018d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c56800018e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c56800018f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5680001900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5680001910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5680001920: 00 00 00 00 00 00 00[03]fa fa fa fa fa fa fa fa
0x0c5680001930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5680001940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5680001950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5680001960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5680001970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==4658==ABORTING
POC:
timidity++_2.14.0_heap_buffer_overflow.mid
CVE:
CVE-2017-11547
3.
the play_midi function in playmidi.c in TiMidity++ 2.14.0 can cause a denial of service(large \
loop and CPU consumption) via a crafted mid file.
./timidity timidity++_2.14.0_large_loop.mid
-----debug info:----
(gdb) bt
#0 do_ch_freeverb (buf=<optimized out>, count=<optimized out>,
rev=<optimized out>) at reverb.c:1570
#1 0x000000000079cdb6 in do_ch_reverb (buf=<optimized out>,
count=<optimized out>) at reverb.c:1921
#2 0x0000000000690b54 in do_compute_data_midi (count=2048) at playmidi.c:6895
#3 do_compute_data (count=<optimized out>) at playmidi.c:7044
#4 0x0000000000619eaa in compute_data (count=<optimized out>)
at playmidi.c:7197
#5 0x00000000005e95bb in play_event (ev=<optimized out>) at playmidi.c:7563
#6 0x000000000065635a in play_midi (samples=<optimized out>,
eventlist=<optimized out>) at playmidi.c:8297
#7 play_midi_file (fn=<optimized out>) at playmidi.c:8570
#8 0x0000000000659562 in dumb_pass_playing_list (
number_of_files=<optimized out>, list_of_files=<optimized out>)
at playmidi.c:8624
#9 0x0000000000846159 in timidity_play_main (nfiles=1, files=<optimized out>)
at timidity.c:5655
#10 main (argc=<optimized out>, argv=<optimized out>) at timidity.c:5935
##playmidi.c line:8294 ==> line:8302
for(;;)
{
midi_restart_time = 1;
rc = play_event(current_event);
if(rc != RC_NONE)
break;
if (midi_restart_time) /* don't skip the first event if == 0 */
current_event++;
}
POC:
timidity++_2.14.0_large_loop.mid
CVE:
CVE-2017-11549
===============================
qflb.wu () dbappsecurity com cn
["poc.zip" (application/x-zip-compressed)]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic