Sound eXchange (SoX) 14.4.2 - Multiple Vulnerabilities



Author:

qflb.wu

Type:

dos


Platform:

Linux

Date:

2017-07-31


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

Sound eXchange (SoX) multiple vulnerabilities
================
Author : qflb.wu
===============


Introduction:
=============
SoX is a cross-platform (Windows, Linux, MacOS X, etc.) command line utility that can convert various formats of computer audio files in to other formats. It can also apply various effects to these sound files, and, as an added bonus, SoX can play and record audio files on most platforms.


Affected version:
=====
14.4.2


Vulnerability Description:
==========================
1.
the startread function in wav.c in Sound eXchange(SoX) 14.4.2 can cause a denial of service(divide-by-zero error and application crash) via a crafted wav file.


./sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg


----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7b9c829 in startread (ft=0x611540) at wav.c:950
950        wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) / ft->signal.channels;
(gdb) disassemble 0x00007ffff7b9c829,0x00007ffff7b9c8ff
Dump of assembler code from 0x7ffff7b9c829 to 0x7ffff7b9c8ff:
=> 0x00007ffff7b9c829 <startread+1577>:div    %rcx
   0x00007ffff7b9c82c <startread+1580>:mov    %rax,0x0(%rbp)
   0x00007ffff7b9c830 <startread+1584>:imul   %rcx,%rax
   0x00007ffff7b9c834 <startread+1588>:mov    %rax,0x18(%rbx)
   0x00007ffff7b9c838 <startread+1592>:mov    0x28(%rbp),%r8d
   0x00007ffff7b9c83c <startread+1596>:test   %r8d,%r8d
   0x00007ffff7b9c83f <startread+1599>:je     0x7ffff7b9c849 <startread+1609>
   0x00007ffff7b9c841 <startread+1601>:movq   $0x0,0x18(%rbx)
   0x00007ffff7b9c849 <startread+1609>:mov    %r9d,0x14(%rsp)
   0x00007ffff7b9c84e <startread+1614>:mov    %edi,0x10(%rsp)
   0x00007ffff7b9c852 <startread+1618>:callq  0x7ffff7b50390 <sox_get_globals@plt>
   0x00007ffff7b9c857 <startread+1623>:cmpw   $0x1,0x22(%rsp)
   0x00007ffff7b9c85d <startread+1629>:lea    0x241fa(%rip),%rdx        # 0x7ffff7bc0a5e
   0x00007ffff7b9c864 <startread+1636>:mov    0x10(%rsp),%edi
   0x00007ffff7b9c868 <startread+1640>:mov    0x30(%rsp),%r8d
   0x00007ffff7b9c86d <startread+1645>:lea    0x1de3a(%rip),%rcx        # 0x7ffff7bba6ae
   0x00007ffff7b9c874 <startread+1652>:mov    %rdx,0x40(%rax)
   0x00007ffff7b9c878 <startread+1656>:lea    0x115e7(%rip),%rax        # 0x7ffff7bade66
---Type <return> to continue, or q <return> to quit---q
End of assembler dump.
(gdb) i r
rax            0x5371335
rbx            0x6115406362432
rcx            0x00
rdx            0x00
rsi            0x88
rdi            0x11
rbp            0x611a600x611a60
rsp            0x7fffffffdc000x7fffffffdc00
r8             0x7ffff7fce7c0140737353934784
r9             0x00
r10            0x7fffffffd9c0140737488345536
r11            0x7ffff72cca80140737340295808
r12            0x5371335
r13            0x7fffffffdc50140737488346192
r14            0x7fffffffdc40140737488346176
r15            0x00
rip            0x7ffff7b9c8290x7ffff7b9c829 <startread+1577>
eflags         0x10246[ PF ZF IF RF ]
cs             0x3351
ss             0x2b43
ds             0x00
es             0x00
fs             0x00
gs             0x00
(gdb)


POC:
sox_14.4.2_divide_by_zero_error_1.wav
CVE:
CVE-2017-11332


2.
the read_samples function in hcom.c in Sound eXchange(SoX) 14.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted hcom file.


./sox sox_14.4.2_invalid_memory_read.hcom out.wav


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215
215                if(p->dictionary[p->dictentry].dict_leftson < 0) {
(gdb) bt
#0  read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215
#1  0x00007ffff7b58409 in sox_read (ft=ft@entry=0x611590, buf=<optimized out>, 
    len=8192) at formats.c:978
#2  0x0000000000409dd4 in sox_read_wide (ft=0x611590, buf=<optimized out>, 
    max=<optimized out>) at sox.c:490
#3  0x000000000040a32e in combiner_drain (effp=0x614410, obuf=0x6145f0, 
    osamp=0x7fffffffdbb0) at sox.c:552
#4  0x00007ffff7b68c0d in drain_effect (n=0, chain=0x614260) at effects.c:352
#5  sox_flow_effects (chain=0x614260, 
    callback=callback@entry=0x405a80 <update_status>, 
    client_data=client_data@entry=0x0) at effects.c:445
#6  0x0000000000407bf6 in process () at sox.c:1802
#7  0x0000000000403085 in main (argc=3, argv=0x7fffffffdf98) at sox.c:3008
(gdb) disassemble 
Dump of assembler code for function read_samples:
   0x00007ffff7b93900 <+0>:push   %r15
   0x00007ffff7b93902 <+2>:push   %r14
   0x00007ffff7b93904 <+4>:mov    %rsi,%r14
   0x00007ffff7b93907 <+7>:push   %r13
   0x00007ffff7b93909 <+9>:push   %r12
   0x00007ffff7b9390b <+11>:push   %rbp
   0x00007ffff7b9390c <+12>:push   %rbx
   0x00007ffff7b9390d <+13>:mov    %rdi,%rbx
   0x00007ffff7b93910 <+16>:sub    $0x28,%rsp
   0x00007ffff7b93914 <+20>:mov    0x2d0(%rdi),%r15
   0x00007ffff7b9391b <+27>:mov    0x24(%r15),%esi
   0x00007ffff7b9391f <+31>:test   %esi,%esi
   0x00007ffff7b93921 <+33>:js     0x7ffff7b93a60 <read_samples+352>
   0x00007ffff7b93927 <+39>:mov    0x10(%r15),%rdi
   0x00007ffff7b9392b <+43>:xor    %eax,%eax
   0x00007ffff7b9392d <+45>:lea    (%rax,%rdx,1),%r13d
   0x00007ffff7b93931 <+49>:lea    0x28(%r15),%rbp
   0x00007ffff7b93935 <+53>:mov    %rdx,%r12
   0x00007ffff7b93938 <+56>:lea    0x1(%r13),%eax
   0x00007ffff7b9393c <+60>:mov    %eax,0xc(%rsp)
   0x00007ffff7b93940 <+64>:mov    %r13d,%eax
   0x00007ffff7b93943 <+67>:mov    %r12d,0x8(%rsp)
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7b93948 <+72>:sub    %r12d,%eax
   0x00007ffff7b9394b <+75>:mov    %eax,(%rsp)
   0x00007ffff7b9394e <+78>:jmp    0x7ffff7b93989 <read_samples+137>
   0x00007ffff7b93950 <+80>:lea    -0x1(%rax),%r8d
   0x00007ffff7b93954 <+84>:movslq 0x20(%r15),%rax
   0x00007ffff7b93958 <+88>:mov    0x28(%r15),%edx
   0x00007ffff7b9395c <+92>:mov    (%r15),%rsi
   0x00007ffff7b9395f <+95>:shl    $0x4,%rax
   0x00007ffff7b93963 <+99>:test   %edx,%edx
   0x00007ffff7b93965 <+101>:js     0x7ffff7b939e0 <read_samples+224>
   0x00007ffff7b93967 <+103>:movswq 0x8(%rsi,%rax,1),%rax
   0x00007ffff7b9396d <+109>:mov    %eax,0x20(%r15)
   0x00007ffff7b93971 <+113>:shl    $0x4,%rax
   0x00007ffff7b93975 <+117>:add    %edx,%edx
   0x00007ffff7b93977 <+119>:mov    %r8d,0x24(%r15)
   0x00007ffff7b9397b <+123>:add    %rsi,%rax
   0x00007ffff7b9397e <+126>:mov    %edx,0x28(%r15)
=> 0x00007ffff7b93982 <+130>:cmpw   $0x0,0x8(%rax)
   0x00007ffff7b93987 <+135>:js     0x7ffff7b939f0 <read_samples+240>
   0x00007ffff7b93989 <+137>:test   %rdi,%rdi
   0x00007ffff7b9398c <+140>:jle    0x7ffff7b93a48 <read_samples+328>
   0x00007ffff7b93992 <+146>:mov    0x24(%r15),%eax
   0x00007ffff7b93996 <+150>:test   %eax,%eax
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
rax            0x631b306495024
rbx            0x6115906362512
rcx            0x11
rdx            0x6900006881280
rsi            0x611b206363936
rdi            0x5241316
rbp            0x611ad80x611ad8
rsp            0x7fffffffda300x7fffffffda30
r8             0x1016
r9             0x7ffff7fce7c0140737353934784
r10            0x7fffffffd7f0140737488345072
r11            0x7ffff72cb2e0140737340289760
r12            0x1ff98185
r13            0x20008192
r14            0x61460c6374924
r15            0x611ab06363824
rip            0x7ffff7b939820x7ffff7b93982 <read_samples+130>
eflags         0x10206[ PF IF RF ]
cs             0x3351
ss             0x2b43
ds             0x00
es             0x00
fs             0x00
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/20x $rax+8
0x631b38:Cannot access memory at address 0x631b38
(gdb)


POC:
sox_14.4.2_invalid_memory_read.hcom
CVE:
CVE-2017-11358


3.
the wavwritehdr function in wav.c in Sound eXchange(SoX) 14.4.2 allows remote attackers to cause a denial of service(divide-by-zero error and application crash) via a crafted snd file which convert to wav file.


./sox sox_14.4.2_divide_by_zero_error_2.snd out.wav


----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0, 
    second_header=second_header@entry=0) at wav.c:1457
1457        blocksWritten = MS_UNSPEC/wBlockAlign;
(gdb) bt
#0  0x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0, 
    second_header=second_header@entry=0) at wav.c:1457
#1  0x00007ffff7b9c0e9 in startwrite (ft=0x611bf0) at wav.c:1252
#2  0x00007ffff7b59e32 in open_write (
    path=path@entry=0x611bc0 "/home/a/Documents/out.wav", 
    buffer=buffer@entry=0x0, buffer_size=buffer_size@entry=0, 
    buffer_ptr=buffer_ptr@entry=0x0, 
    buffer_size_ptr=buffer_size_ptr@entry=0x0, signal=signal@entry=0x611410, 
    encoding=encoding@entry=0x611430, filetype=0x611bd6 "wav", 
    oob=oob@entry=0x7fffffffdcd0, 
    overwrite_permitted=overwrite_permitted@entry=0x409ce0 <overwrite_permitted>) at formats.c:912
#3  0x00007ffff7b5a5e8 in sox_open_write (
    path=path@entry=0x611bc0 "/home/a/Documents/out.wav", 
    signal=signal@entry=0x611410, encoding=encoding@entry=0x611430, 
    filetype=<optimized out>, oob=oob@entry=0x7fffffffdcd0, 
    overwrite_permitted=overwrite_permitted@entry=0x409ce0 <overwrite_permitted>) at formats.c:948
#4  0x000000000040847a in open_output_file () at sox.c:1557
#5  process () at sox.c:1754
#6  0x0000000000403085 in main (argc=3, argv=0x7fffffffdfa8) at sox.c:3008
(gdb) disassemble 0x00007ffff7b9a97b,0x00007ffff7b9a9ff
Dump of assembler code from 0x7ffff7b9a97b to 0x7ffff7b9a9ff:
=> 0x00007ffff7b9a97b <wavwritehdr+427>:idivl  0x10(%rsp)
   0x00007ffff7b9a97f <wavwritehdr+431>:movslq %eax,%rcx
   0x00007ffff7b9a982 <wavwritehdr+434>:imul   %eax,%r12d
   0x00007ffff7b9a986 <wavwritehdr+438>:mov    %rcx,0x48(%rsp)
   0x00007ffff7b9a98b <wavwritehdr+443>:imul   %r14d,%eax
   0x00007ffff7b9a98f <wavwritehdr+447>:cmp    $0x31,%bp
   0x00007ffff7b9a993 <wavwritehdr+451>:mov    %eax,0x40(%rsp)
   0x00007ffff7b9a997 <wavwritehdr+455>:je     0x7ffff7b9aff0 <wavwritehdr+2080>
   0x00007ffff7b9a99d <wavwritehdr+461>:cmp    $0x1,%bp
   0x00007ffff7b9a9a1 <wavwritehdr+465>:je     0x7ffff7b9b0a8 <wavwritehdr+2264>
   0x00007ffff7b9a9a7 <wavwritehdr+471>:movzwl 0x3e(%rsp),%eax
   0x00007ffff7b9a9ac <wavwritehdr+476>:movl   $0x0,0x34(%rsp)
   0x00007ffff7b9a9b4 <wavwritehdr+484>:lea    0x12(%rax),%r13d
   0x00007ffff7b9a9b8 <wavwritehdr+488>:mov    %r12d,%eax
   0x00007ffff7b9a9bb <wavwritehdr+491>:and    $0x1,%eax
   0x00007ffff7b9a9be <wavwritehdr+494>:movzwl %r13w,%r13d
   0x00007ffff7b9a9c2 <wavwritehdr+498>:lea    (%r12,%r13,1),%edx
   0x00007ffff7b9a9c6 <wavwritehdr+502>:add    %edx,%eax
   0x00007ffff7b9a9c8 <wavwritehdr+504>:cmp    $0x1,%bp
   0x00007ffff7b9a9cc <wavwritehdr+508>:setne  0x3d(%rsp)
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/10gx $rsp+10
0x7fffffffdaaa:0x00000000000000000x0056000000000000
0x7fffffffdaba:0x00010000000000d40x0001000000000000
0x7fffffffdaca:0x00000000000800000x0000000000000008
0x7fffffffdada:0x0fe000007fff00000x876000007ffff7bc
0x7fffffffdaea:0x00d000007ffff7610x21a0000000000000
(gdb) 


POC:
sox_14.4.2_divide_by_zero_error_2.snd
CVE:
CVE-2017-11359


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42398.zip