GStreamer gst-plugins-bad Plugin – NULL Pointer Dereference

• Exploit Database
• 21 阅读

• 作者： Hanno Boeck
  日期： 2017-06-12
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/42162/

• Source: https://bugzilla.gnome.org/show_bug.cgi?id=775120
  
  The attached file will cause a null pointer access and segfault in the mpegts parser. Current git code, found with afl.
  
  ASAN stack trace:
  =================================================================
  ==32545==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe957185495 bp 0x60200002cf7a sp 0x7fe956e027a0 T2)
  ==32545==The signal is caused by a WRITE memory access.
  ==32545==Hint: address points to the zero page.
  #0 0x7fe957185494 in _parse_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32
  #1 0x7fe957184058 in __common_section_checks /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:166:9
  #2 0x7fe95718522f in gst_mpegts_section_get_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:480:9
  #3 0x7fe957438b9a in mpegts_base_apply_pat /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:942:20
  #4 0x7fe957438b9a in mpegts_base_handle_psi /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1155
  #5 0x7fe957437cd1 in mpegts_base_chain /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1424:11
  #6 0x7fe9574341e7 in mpegts_base_loop /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1589:13
  #7 0x7fe9644305c3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
  #8 0x7fe96362f867(/usr/lib64/libglib-2.0.so.0+0x70867)
  #9 0x7fe96362eed4(/usr/lib64/libglib-2.0.so.0+0x6fed4)
  #10 0x7fe9630ac443 in start_thread (/lib64/libpthread.so.0+0x7443)
  #11 0x7fe962bdb92c in clone (/lib64/libc.so.6+0xe792c)
  
  AddressSanitizer can not provide additional info.
  SUMMARY: AddressSanitizer: SEGV /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32 in _parse_pat
  Thread T2 (tsdemux0:sink) created by T1 (typefind:sink) here:
  #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
  #1 0x7fe96364cadf(/usr/lib64/libglib-2.0.so.0+0x8dadf)
  
  Thread T1 (typefind:sink) created by T0 here:
  #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
  #1 0x7fe96364cadf(/usr/lib64/libglib-2.0.so.0+0x8dadf)
  
  ==32545==ABORTING
  
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42162.zip