LAME 3.99.5 - Multiple Vulnerabilities



Author:

qflb.wu

Type:

dos


Platform:

Linux

Date:

2017-07-28


LAME multiple vulnerabilities
================
Author : qflb.wu
===============


Introduction:
=============
Following the great history of GNU naming, LAME originally stood for LAME Ain't an Mp3 Encoder.
LAME is an educational tool to be used for learning about MP3 encoding. The goal of the LAME project is to use the open source model to improve the psycho acoustics, noise shaping and speed of MP3.


Affected version:
=====
3.99.5


Vulnerability Description:
==========================
1.
the fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted wav file.


./lame lame_3.99.5_heap_buffer_overflow.wav out


==26618==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000009f08 at pc 0x5f3a1e bp 0x7ffdfaf74620 sp 0x7ffdfaf74618
READ of size 4 at 0x60c000009f08 thread T0
    #0 0x5f3a1d in fill_buffer_resample /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:606
    #1 0x5f3a1d in fill_buffer /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:677
    #2 0x55257c in lame_encode_buffer_sample_t /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1736
    #3 0x55257c in lame_encode_buffer_template /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1891
    #4 0x553de1 in lame_encode_buffer_int /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1963
    #5 0x488ba9 in lame_encoder_loop /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:462
    #6 0x488ba9 in lame_encoder /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:531
    #7 0x483c40 in lame_main /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:707
    #8 0x48bee1 in c_main /home/a/Downloads/lame-3.99.5/frontend/main.c:470
    #9 0x48bee1 in main /home/a/Downloads/lame-3.99.5/frontend/main.c:438
    #10 0x7ff8c8771f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #11 0x481a6c in _start (/home/a/Downloads/lame-3.99.5/frontend/lame+0x481a6c)


0x60c000009f08 is located 8 bytes to the right of 128-byte region [0x60c000009e80,0x60c000009f00)
allocated by thread T0 here:
    #0 0x46ba59 in calloc (/home/a/Downloads/lame-3.99.5/frontend/lame+0x46ba59)
    #1 0x5f1302 in fill_buffer_resample /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:561
    #2 0x5f1302 in fill_buffer /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:677


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:606 fill_buffer_resample
Shadow bytes around the buggy address:
  0x0c187fff9390: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fff93a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff93b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff93c0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fff93d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c187fff93e0: fa[fa]fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff93f0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fff9400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff9410: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff9420: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fff9430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==26618==ABORTING


POC:
lame_3.99.5_heap_buffer_overflow.wav
CVE:
CVE-2017-9410


2.
the fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 can cause a denial of service(invalid memory read and application crash) via a crafted wav file.


./lame lame_3.99.5_invalid_memory_read_1.wav out


==30841==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005f24ed sp 0x7ffee94d3050 bp 0x000000000000 T0)
    #0 0x5f24ec in fill_buffer_resample /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:608
    #1 0x5f24ec in fill_buffer /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:677
    #2 0x55257c in lame_encode_buffer_sample_t /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1736
    #3 0x55257c in lame_encode_buffer_template /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1891
    #4 0x553de1 in lame_encode_buffer_int /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1963
    #5 0x488ba9 in lame_encoder_loop /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:462
    #6 0x488ba9 in lame_encoder /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:531
    #7 0x483c40 in lame_main /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:707
    #8 0x48bee1 in c_main /home/a/Downloads/lame-3.99.5/frontend/main.c:470
    #9 0x48bee1 in main /home/a/Downloads/lame-3.99.5/frontend/main.c:438
    #10 0x7f48b8cacf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #11 0x481a6c in _start (/home/a/Downloads/lame-3.99.5/frontend/lame+0x481a6c)


AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:608 fill_buffer_resample
==30841==ABORTING


POC:
lame_3.99.5_invalid_memory_read_1.wav
CVE:
CVE-2017-9411


3.
the unpack_read_samples function in frontend/get_audio.c in LAME 3.99.5 can cause a denial of service(invalid memory read and application crash) via a crafted wav file.


./lame lame_3.99.5_invalid_memory_read_2.wav out


(gdb) r
Starting program: lame file out
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".


Program received signal SIGSEGV, Segmentation fault.
0x080f27b3 in unpack_read_samples (samples_to_read=-146880, 
    bytes_per_sample=<optimized out>, swap_order=-2088828928, 
    pcm_in=0xb6303d80, sample_buffer=<optimized out>) at get_audio.c:1204
1204        GA_URS_IFLOOP(1)
(gdb) disassemble 0x080f27b3,0x080f27ff
Dump of assembler code from 0x80f27b3 to 0x80f27ff:
=> 0x080f27b3 <get_audio_common+4051>:mov    0x20000000(%eax),%al
   0x080f27b9 <get_audio_common+4057>:test   %al,%al
   0x080f27bb <get_audio_common+4059>:je     0x80f27d0 <get_audio_common+4080>
   0x080f27bd <get_audio_common+4061>:mov    $0x8320b78,%edx
   0x080f27c2 <get_audio_common+4066>:and    $0x7,%edx
   0x080f27c5 <get_audio_common+4069>:add    $0x3,%edx
   0x080f27c8 <get_audio_common+4072>:cmp    %al,%dl
   0x080f27ca <get_audio_common+4074>:jge    0x80f6715 <get_audio_common+20277>
   0x080f27d0 <get_audio_common+4080>:xor    $0xf879,%ebx
   0x080f27d6 <get_audio_common+4086>:add    0x8320b78,%ebx
   0x080f27dc <get_audio_common+4092>:mov    %ebx,%eax
   0x080f27de <get_audio_common+4094>:shr    $0x3,%eax
   0x080f27e1 <get_audio_common+4097>:mov    0x20000000(%eax),%al
   0x080f27e7 <get_audio_common+4103>:test   %al,%al
   0x080f27e9 <get_audio_common+4105>:je     0x80f27f8 <get_audio_common+4120>
   0x080f27eb <get_audio_common+4107>:mov    %ebx,%edx
   0x080f27ed <get_audio_common+4109>:and    $0x7,%edx
   0x080f27f0 <get_audio_common+4112>:cmp    %al,%dl
   0x080f27f2 <get_audio_common+4114>:jge    0x80f6727 <get_audio_common+20295---Type <return> to continue, or q <return> to quit---
   0x080f27f8 <get_audio_common+4120>:incb   (%ebx)
   0x080f27fa <get_audio_common+4122>:movl   $0x7c3c,%gs%edi)
End of assembler dump.
(gdb) i r
eax            0x837f0000-2088828928
ecx            0x24489288
edx            0xbfee5e20-1074897376
ebx            0x7c3c31804
esp            0xbfee4c200xbfee4c20
ebp            0xbfee82780xbfee8278
esi            0xfffffcf2-782
edi            0xfffffffc-4
eip            0x80f27b30x80f27b3 <get_audio_common+4051>
eflags         0x10246[ PF ZF IF RF ]
cs             0x73115
ss             0x7b123
ds             0x7b123
es             0x7b123
fs             0x00
gs             0x3351
(gdb) x/20x 0x837f0000
0x837f0000:Cannot access memory at address 0x837f0000


POC:
lame_3.99.5_invalid_memory_read_2.wav
CVE:
CVE-2017-9412


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42390.zip