扫码分享
验证:
体验盒子Sound eXchange (SoX) multiple vulnerabilities
================
Author : qflb.wu
===============
Introduction:
=============
SoX is a cross-platform (Windows, Linux, MacOS X, etc.) command line utility that can convert various formats of computer audio files in to other formats. It can also apply various effects to these sound files, and, as an added bonus, SoX can play and record audio files on most platforms.
Affected version:
=====
14.4.2
Vulnerability Description:
==========================
1.
the startread function in wav.c in Sound eXchange(SoX) 14.4.2 can cause a denial of service(divide-by-zero error and application crash) via a crafted wav file.
./sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg
----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7b9c829 in startread (ft=0x611540) at wav.c:950
950wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) / ft->signal.channels;
(gdb) disassemble 0x00007ffff7b9c829,0x00007ffff7b9c8ff
Dump of assembler code from 0x7ffff7b9c829 to 0x7ffff7b9c8ff:
=> 0x00007ffff7b9c829 <startread+1577>:div%rcx
0x00007ffff7b9c82c <startread+1580>:mov%rax,0x0(%rbp)
0x00007ffff7b9c830 <startread+1584>:imul %rcx,%rax
0x00007ffff7b9c834 <startread+1588>:mov%rax,0x18(%rbx)
0x00007ffff7b9c838 <startread+1592>:mov0x28(%rbp),%r8d
0x00007ffff7b9c83c <startread+1596>:test %r8d,%r8d
0x00007ffff7b9c83f <startread+1599>:je 0x7ffff7b9c849 <startread+1609>
0x00007ffff7b9c841 <startread+1601>:movq $0x0,0x18(%rbx)
0x00007ffff7b9c849 <startread+1609>:mov%r9d,0x14(%rsp)
0x00007ffff7b9c84e <startread+1614>:mov%edi,0x10(%rsp)
0x00007ffff7b9c852 <startread+1618>:callq0x7ffff7b50390 <sox_get_globals@plt>
0x00007ffff7b9c857 <startread+1623>:cmpw $0x1,0x22(%rsp)
0x00007ffff7b9c85d <startread+1629>:lea0x241fa(%rip),%rdx# 0x7ffff7bc0a5e
0x00007ffff7b9c864 <startread+1636>:mov0x10(%rsp),%edi
0x00007ffff7b9c868 <startread+1640>:mov0x30(%rsp),%r8d
0x00007ffff7b9c86d <startread+1645>:lea0x1de3a(%rip),%rcx# 0x7ffff7bba6ae
0x00007ffff7b9c874 <startread+1652>:mov%rdx,0x40(%rax)
0x00007ffff7b9c878 <startread+1656>:lea0x115e7(%rip),%rax# 0x7ffff7bade66
---Type <return> to continue, or q <return> to quit---q
End of assembler dump.
(gdb) i r
rax0x5371335
rbx0x6115406362432
rcx0x00
rdx0x00
rsi0x88
rdi0x11
rbp0x611a600x611a60
rsp0x7fffffffdc000x7fffffffdc00
r8 0x7ffff7fce7c0140737353934784
r9 0x00
r100x7fffffffd9c0140737488345536
r110x7ffff72cca80140737340295808
r120x5371335
r130x7fffffffdc50140737488346192
r140x7fffffffdc40140737488346176
r150x00
rip0x7ffff7b9c8290x7ffff7b9c829 <startread+1577>
eflags 0x10246[ PF ZF IF RF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
gs 0x00
(gdb)
POC:
sox_14.4.2_divide_by_zero_error_1.wav
CVE:
CVE-2017-11332
2.
the read_samples function in hcom.c in Sound eXchange(SoX) 14.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted hcom file.
./sox sox_14.4.2_invalid_memory_read.hcom out.wav
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215
215if(p->dictionary[p->dictentry].dict_leftson < 0) {
(gdb) bt
#0read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215
#10x00007ffff7b58409 in sox_read (ft=ft@entry=0x611590, buf=<optimized out>,
len=8192) at formats.c:978
#20x0000000000409dd4 in sox_read_wide (ft=0x611590, buf=<optimized out>,
max=<optimized out>) at sox.c:490
#30x000000000040a32e in combiner_drain (effp=0x614410, obuf=0x6145f0,
osamp=0x7fffffffdbb0) at sox.c:552
#40x00007ffff7b68c0d in drain_effect (n=0, chain=0x614260) at effects.c:352
#5sox_flow_effects (chain=0x614260,
callback=callback@entry=0x405a80 <update_status>,
client_data=client_data@entry=0x0) at effects.c:445
#60x0000000000407bf6 in process () at sox.c:1802
#70x0000000000403085 in main (argc=3, argv=0x7fffffffdf98) at sox.c:3008
(gdb) disassemble
Dump of assembler code for function read_samples:
0x00007ffff7b93900 <+0>:push %r15
0x00007ffff7b93902 <+2>:push %r14
0x00007ffff7b93904 <+4>:mov%rsi,%r14
0x00007ffff7b93907 <+7>:push %r13
0x00007ffff7b93909 <+9>:push %r12
0x00007ffff7b9390b <+11>:push %rbp
0x00007ffff7b9390c <+12>:push %rbx
0x00007ffff7b9390d <+13>:mov%rdi,%rbx
0x00007ffff7b93910 <+16>:sub$0x28,%rsp
0x00007ffff7b93914 <+20>:mov0x2d0(%rdi),%r15
0x00007ffff7b9391b <+27>:mov0x24(%r15),%esi
0x00007ffff7b9391f <+31>:test %esi,%esi
0x00007ffff7b93921 <+33>:js 0x7ffff7b93a60 <read_samples+352>
0x00007ffff7b93927 <+39>:mov0x10(%r15),%rdi
0x00007ffff7b9392b <+43>:xor%eax,%eax
0x00007ffff7b9392d <+45>:lea(%rax,%rdx,1),%r13d
0x00007ffff7b93931 <+49>:lea0x28(%r15),%rbp
0x00007ffff7b93935 <+53>:mov%rdx,%r12
0x00007ffff7b93938 <+56>:lea0x1(%r13),%eax
0x00007ffff7b9393c <+60>:mov%eax,0xc(%rsp)
0x00007ffff7b93940 <+64>:mov%r13d,%eax
0x00007ffff7b93943 <+67>:mov%r12d,0x8(%rsp)
---Type <return> to continue, or q <return> to quit---
0x00007ffff7b93948 <+72>:sub%r12d,%eax
0x00007ffff7b9394b <+75>:mov%eax,(%rsp)
0x00007ffff7b9394e <+78>:jmp0x7ffff7b93989 <read_samples+137>
0x00007ffff7b93950 <+80>:lea-0x1(%rax),%r8d
0x00007ffff7b93954 <+84>:movslq 0x20(%r15),%rax
0x00007ffff7b93958 <+88>:mov0x28(%r15),%edx
0x00007ffff7b9395c <+92>:mov(%r15),%rsi
0x00007ffff7b9395f <+95>:shl$0x4,%rax
0x00007ffff7b93963 <+99>:test %edx,%edx
0x00007ffff7b93965 <+101>:js 0x7ffff7b939e0 <read_samples+224>
0x00007ffff7b93967 <+103>:movswq 0x8(%rsi,%rax,1),%rax
0x00007ffff7b9396d <+109>:mov%eax,0x20(%r15)
0x00007ffff7b93971 <+113>:shl$0x4,%rax
0x00007ffff7b93975 <+117>:add%edx,%edx
0x00007ffff7b93977 <+119>:mov%r8d,0x24(%r15)
0x00007ffff7b9397b <+123>:add%rsi,%rax
0x00007ffff7b9397e <+126>:mov%edx,0x28(%r15)
=> 0x00007ffff7b93982 <+130>:cmpw $0x0,0x8(%rax)
0x00007ffff7b93987 <+135>:js 0x7ffff7b939f0 <read_samples+240>
0x00007ffff7b93989 <+137>:test %rdi,%rdi
0x00007ffff7b9398c <+140>:jle0x7ffff7b93a48 <read_samples+328>
0x00007ffff7b93992 <+146>:mov0x24(%r15),%eax
0x00007ffff7b93996 <+150>:test %eax,%eax
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
rax0x631b306495024
rbx0x6115906362512
rcx0x11
rdx0x6900006881280
rsi0x611b206363936
rdi0x5241316
rbp0x611ad80x611ad8
rsp0x7fffffffda300x7fffffffda30
r8 0x1016
r9 0x7ffff7fce7c0140737353934784
r100x7fffffffd7f0140737488345072
r110x7ffff72cb2e0140737340289760
r120x1ff98185
r130x20008192
r140x61460c6374924
r150x611ab06363824
rip0x7ffff7b939820x7ffff7b93982 <read_samples+130>
eflags 0x10206[ PF IF RF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/20x $rax+8
0x631b38:Cannot access memory at address 0x631b38
(gdb)
POC:
sox_14.4.2_invalid_memory_read.hcom
CVE:
CVE-2017-11358
3.
the wavwritehdr function in wav.c in Sound eXchange(SoX) 14.4.2 allows remote attackers to cause a denial of service(divide-by-zero error and application crash) via a crafted snd file which convert to wav file.
./sox sox_14.4.2_divide_by_zero_error_2.snd out.wav
----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0,
second_header=second_header@entry=0) at wav.c:1457
1457blocksWritten = MS_UNSPEC/wBlockAlign;
(gdb) bt
#00x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0,
second_header=second_header@entry=0) at wav.c:1457
#10x00007ffff7b9c0e9 in startwrite (ft=0x611bf0) at wav.c:1252
#20x00007ffff7b59e32 in open_write (
path=path@entry=0x611bc0 "/home/a/Documents/out.wav",
buffer=buffer@entry=0x0, buffer_size=buffer_size@entry=0,
buffer_ptr=buffer_ptr@entry=0x0,
buffer_size_ptr=buffer_size_ptr@entry=0x0, signal=signal@entry=0x611410,
encoding=encoding@entry=0x611430, filetype=0x611bd6 "wav",
oob=oob@entry=0x7fffffffdcd0,
overwrite_permitted=overwrite_permitted@entry=0x409ce0 <overwrite_permitted>) at formats.c:912
#30x00007ffff7b5a5e8 in sox_open_write (
path=path@entry=0x611bc0 "/home/a/Documents/out.wav",
signal=signal@entry=0x611410, encoding=encoding@entry=0x611430,
filetype=<optimized out>, oob=oob@entry=0x7fffffffdcd0,
overwrite_permitted=overwrite_permitted@entry=0x409ce0 <overwrite_permitted>) at formats.c:948
#40x000000000040847a in open_output_file () at sox.c:1557
#5process () at sox.c:1754
#60x0000000000403085 in main (argc=3, argv=0x7fffffffdfa8) at sox.c:3008
(gdb) disassemble 0x00007ffff7b9a97b,0x00007ffff7b9a9ff
Dump of assembler code from 0x7ffff7b9a97b to 0x7ffff7b9a9ff:
=> 0x00007ffff7b9a97b <wavwritehdr+427>:idivl0x10(%rsp)
0x00007ffff7b9a97f <wavwritehdr+431>:movslq %eax,%rcx
0x00007ffff7b9a982 <wavwritehdr+434>:imul %eax,%r12d
0x00007ffff7b9a986 <wavwritehdr+438>:mov%rcx,0x48(%rsp)
0x00007ffff7b9a98b <wavwritehdr+443>:imul %r14d,%eax
0x00007ffff7b9a98f <wavwritehdr+447>:cmp$0x31,%bp
0x00007ffff7b9a993 <wavwritehdr+451>:mov%eax,0x40(%rsp)
0x00007ffff7b9a997 <wavwritehdr+455>:je 0x7ffff7b9aff0 <wavwritehdr+2080>
0x00007ffff7b9a99d <wavwritehdr+461>:cmp$0x1,%bp
0x00007ffff7b9a9a1 <wavwritehdr+465>:je 0x7ffff7b9b0a8 <wavwritehdr+2264>
0x00007ffff7b9a9a7 <wavwritehdr+471>:movzwl 0x3e(%rsp),%eax
0x00007ffff7b9a9ac <wavwritehdr+476>:movl $0x0,0x34(%rsp)
0x00007ffff7b9a9b4 <wavwritehdr+484>:lea0x12(%rax),%r13d
0x00007ffff7b9a9b8 <wavwritehdr+488>:mov%r12d,%eax
0x00007ffff7b9a9bb <wavwritehdr+491>:and$0x1,%eax
0x00007ffff7b9a9be <wavwritehdr+494>:movzwl %r13w,%r13d
0x00007ffff7b9a9c2 <wavwritehdr+498>:lea(%r12,%r13,1),%edx
0x00007ffff7b9a9c6 <wavwritehdr+502>:add%edx,%eax
0x00007ffff7b9a9c8 <wavwritehdr+504>:cmp$0x1,%bp
0x00007ffff7b9a9cc <wavwritehdr+508>:setne0x3d(%rsp)
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/10gx $rsp+10
0x7fffffffdaaa:0x00000000000000000x0056000000000000
0x7fffffffdaba:0x00010000000000d40x0001000000000000
0x7fffffffdaca:0x00000000000800000x0000000000000008
0x7fffffffdada:0x0fe000007fff00000x876000007ffff7bc
0x7fffffffdaea:0x00d000007ffff7610x21a0000000000000
(gdb)
POC:
sox_14.4.2_divide_by_zero_error_2.snd
CVE:
CVE-2017-11359
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42398.zip
体验盒子
