Vorbis Tools oggenc 1.4.0 – ‘.wav’ Denial of Service

• Exploit Database
• 13 阅读

• 作者： qflb.wu
  日期： 2017-07-31
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/42397/

• vorbis-tools oggenc vulnerability
  ================
  Author : qflb.wu
  ===============
  
  
  Introduction:
  =============
  The Vorbis Tools package contains command-line tools useful for encoding, playing or editing files using the Ogg CODEC.
  
  
  Affected version:
  =====
  1.4.0
  
  
  Vulnerability Description:
  ==========================
  the wav_open function in oggenc/audio.c in vorbis-tools 1.4.0 can cause a denial of service(memory allocation error) via a crafted wav file.
  
  
  ./oggenc vorbis-tools_1.4.0_oggenc_memory_allocation_error.wav -o out
  
  
  ==68126==WARNING: AddressSanitizer failed to allocate 0xffffffffffffbc00 bytes
  ==68126==AddressSanitizer's allocator is terminating the process instead of returning 0
  ==68126==If you don't like this behavior set allocator_may_return_null=1
  ==68126==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:149 "((0)) != (0)" (0x0, 0x0)
  #0 0x46d41f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x46d41f)
  #1 0x472c81 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x472c81)
  #2 0x4719c0 in __sanitizer::AllocatorReturnNull() (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x4719c0)
  #3 0x4674b6 in __interceptor_malloc (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x4674b6)
  #4 0x492896 in wav_open /home/a/Downloads/vorbis-tools-1.4.0/oggenc/audio.c:573
  #5 0x496d8e in open_audio_file /home/a/Downloads/vorbis-tools-1.4.0/oggenc/audio.c:86
  #6 0x485d0a in main /home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc.c:256
  #7 0x7f6d9f8dcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
  #8 0x47d55c in _start (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x47d55c)
  
  
  -----------------
  wav->channel_permute = malloc(wav->channels * sizeof(int));
  if (wav->channels <= 8)
   /* Where we know the mappings, use them. */
   memcpy(wav->channel_permute, wav_permute_matrix[wav->channels-1], 
   sizeof(int) * wav->channels);
  else
   /* Use a default 1-1 mapping */
   for (i=0; i < wav->channels; i++)
   wav->channel_permute[i] = i;
  
  
  return 1;
  
  
  Andthe code didn't check the return of malloc.
  
  
  POC:
  vorbis-tools_1.4.0_oggenc_memory_allocation_error.wav
  CVE:
  CVE-2017-11331
  
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42397.zip