libao 1.2.0 - Denial of Service

EDB-ID:

42400


Author:

qflb.wu

Type:

dos


Platform:

Linux

Date:

2017-07-31


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

libao memory corruption vulnerability
================
Author : qflb.wu
===============


Introduction:
=============
Libao is a cross-platform audio library that allows programs to output audio using a simple API on a wide variety of platforms.


Affected version:
=====
1.2.0


Vulnerability Description:
==========================
the _tokenize_matrix function in audio_out.c in Xiph.Org libao 1.2.0 can cause a denial of service(memory corruption) via a crafted mp3 file.


I found this bug when I test mpg321 0.3.2 which used the libao library.


./mpg321 libao_1.2.0_memory_corruption.mp3


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
_int_malloc (av=av@entry=0x7ffff6f7f760 <main_arena>, bytes=bytes@entry=3)
    at malloc.c:3740
3740malloc.c: No such file or directory.
(gdb) bt
#0  _int_malloc (av=av@entry=0x7ffff6f7f760 <main_arena>, bytes=bytes@entry=3)
    at malloc.c:3740
#1  0x00007ffff6c442cc in __libc_calloc (n=<optimized out>, 
    elem_size=<optimized out>) at malloc.c:3219
#2  0x00007ffff728e189 in _tokenize_matrix () from /usr/local/lib/libao.so.4
#3  0x00007ffff728e607 in _matrix_to_channelmask ()
   from /usr/local/lib/libao.so.4
#4  0x00007ffff72906f2 in _open_device () from /usr/local/lib/libao.so.4
#5  0x000000000040a6aa in open_ao_playdevice (header=header@entry=0x624af8)
    at ao.c:411
#6  0x0000000000407e50 in output (data=<optimized out>, header=0x624af8, 
    pcm=0x627f44) at mad.c:974
#7  0x00007ffff749a85c in run_sync (decoder=0x7fffffffbc40) at decoder.c:439
#8  0x00007ffff749ab38 in mad_decoder_run (
    decoder=decoder@entry=0x7fffffffbc40, 
    mode=mode@entry=MAD_DECODER_MODE_SYNC) at decoder.c:557
#9  0x0000000000403d5d in main (argc=<optimized out>, argv=<optimized out>)
    at mpg321.c:1092
(gdb) 


POC:
libao_1.2.0_memory_corruption.mp3
CVE:
CVE-2017-11548


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42400.zip