xiph / vorbis-tools

Command-line tools for creating and playing Ogg Vorbis files.
GNU General Public License v2.0

Heap-buffer-overflow on vorbis-tools/oggenc #41

Closed Frank-Z7 closed 12 months ago

Frank-Z7 commented 1 year ago

Heap-buffer-overflow on vorbis-tools/oggenc


Description

We found a heap-buffer-overflow when vorbis-tools/oggenc converted wav files to ogg files. It should be noted that vorbis-tools (version 1.4.0-11) downloaded through apt-get may also trigger this vulnerability, which may endanger the system security of Debian users.

Version

```console
root@38ad1e4b9d16:/vorbis-tools# /vorbis-tools/oggenc/oggenc --version
oggenc from vorbis-tools 1.4.2
```

vorbis-tools 1.4.2 is the latest version.

Reference

https://www.xiph.org/press/2021/vorbis-tools-1.4.2/

https://github.com/xiph/vorbis-tools

https://github.com/xiph/vorbis

https://xiph.org/vorbis/

Actual Behavior

Heap-buffer-overflow

PoC

https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/vorbis1poc

Reproduction

```sh
git clone https://github.com/xiph/vorbis-tools.git
cd vorbis-tools
apt install automake libtool m4 autoconf libogg-dev libvorbis-dev
./autogen.sh
CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS=" -fsanitize=address -fno-omit-frame-pointer -g" ./configure
make
./oggenc/oggenc -q 5 vorbis1poc -o ./oggenc/
```

ASAN Log

=================================================================
==1899805==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000086 at pc 0x7ffff7600ccd bp 0x7fffffffde00 sp 0x7fffffffd5a8
READ of size 1 at 0x603000000086 thread T0
    #0 0x7ffff7600ccc in __interceptor_strchr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671
    #1 0x55555556bd28 in create_directories /vorbis-tools/oggenc/platform.c:150
    #2 0x5555555609fd in main /vorbis-tools/oggenc/oggenc.c:353
    #3 0x7ffff7189082 in __libc_start_main ../csu/libc-start.c:308
    #4 0x55555556280d in _start (/vorbis-tools/oggenc/oggenc+0xe80d)

0x603000000086 is located 0 bytes to the right of 22-byte region [0x603000000070,0x603000000086)
allocated by thread T0 here:
    #0 0x7ffff76223ed in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cc:445
    #1 0x5555555609d0 in main /vorbis-tools/oggenc/oggenc.c:308
    #2 0x7ffff7189082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671 in __interceptor_strchr
Shadow bytes around the buggy address:
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 06 fa fa fa 00 00
=>0x0c067fff8010:[06]fa fa fa 00 00 06 fa fa fa fa fa fa fa fa fa
  0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1899805==ABORTING

Location

(three screenshots of the crash location, not reproduced here; the ASan trace above places the read in create_directories at oggenc/platform.c:150, on a buffer allocated by strdup at oggenc/oggenc.c:308)

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09

Credit

Zeng Yunxiang ([Huazhong University of Science and Technology](http://cse.hust.edu.cn/)) Song Jiaxuan
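Added illustration in C, not code from this report or from vorbis-tools: the trace places a one-byte read by strchr() in create_directories (oggenc/platform.c:150) just past a strdup'd path from oggenc.c:308, which is what a segment walk of the shape `end = strchr(start + 1, '/'); ...; start = end + 1;` does on a path ending in '/' once start lands on the terminating NUL. That loop shape is an assumption about the bug class, not a quote of the project's code; the first function shows by index arithmetic whether the shape would overrun a given path, and the second walks the same prefixes while stopping at the terminator.

```c
#include <stddef.h>
#include <string.h>

/* Index-only model of a segment walk shaped like
 *   end = strchr(start + 1, '/'); ...; start = end + 1;
 * (assumed loop shape, not vorbis-tools' code). Returns 1 if that shape
 * would call strchr() from past fn's terminating NUL, the one-byte heap
 * over-read ASan reports; 0 otherwise. Only indices are compared here. */
int skip_one_loop_overruns(const char *fn)
{
    size_t len = strlen(fn), start = 0;
    for (;;) {
        if (start + 1 > len)          /* start is on the NUL: start+1 is past it */
            return 1;
        const char *end = strchr(fn + start + 1, '/');
        if (end == NULL)
            return 0;                 /* strchr met the NUL in bounds; walk ends */
        start = (size_t)(end - fn) + 1;
    }
}

/* Hardened walk: loop only while start is a real character, so start + 1
 * is at most the terminator and strchr() stays in bounds. Each directory
 * prefix a create-directories routine would mkdir() (fn[0..end) per
 * separator) is appended to out, one per line. Returns the count, or -1
 * if out is too small. */
int list_directory_prefixes(const char *fn, char *out, size_t outsz)
{
    const char *start = fn;
    size_t used = 0;
    int count = 0;
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    while (*start != '\0') {
        const char *end = strchr(start + 1, '/');
        if (end == NULL)
            break;                            /* no further separator */
        size_t plen = (size_t)(end - fn);     /* prefix is fn[0..plen) */
        if (used + plen + 2 > outsz)          /* prefix + '\n' + NUL */
            return -1;
        memcpy(out + used, fn, plen);
        used += plen;
        out[used++] = '\n';
        out[used] = '\0';
        count++;
        start = end + 1;                      /* may now be the NUL */
    }
    return count;
}
```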

rillian commented 1 year ago

Thanks for the report! Proposed fix at https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/7

Frank-Z7 commented 1 year ago

> Thanks for the report! Proposed fix at https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/7

My pleasure.

samueloph commented 11 months ago

CVE-2023-43361 was assigned to this.

I did not have any involvement in the assignment.