60 lines
No EOL
1.7 KiB
Text
60 lines
No EOL
1.7 KiB
Text
libmad memory corruption vulnerability
|
|
================
|
|
Author : qflb.wu
|
|
===============
|
|
|
|
|
|
Introduction:
|
|
=============
|
|
libmad is a high-quality MPEG audio decoder capable of 24-bit output.
|
|
|
|
|
|
Affected version:
|
|
=====
|
|
0.15.1b
|
|
|
|
|
|
Vulnerability Description:
|
|
==========================
|
|
the mad_decoder_run function in decoder.c in libmad 0.15.1b can cause a denial of service(memory corruption) via a crafted mp3 file.
|
|
|
|
|
|
I found this bug when I test mpg321 0.3.2 which used the libmad library.
|
|
|
|
|
|
./mpg321 libmad_0.15.1b_memory_corruption.mp3
|
|
|
|
|
|
----debug info:----
|
|
Program received signal SIGABRT, Aborted.
|
|
0x00007ffff6bf7cc9 in __GI_raise (sig=sig@entry=6)
|
|
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
|
|
56../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
|
|
(gdb) bt
|
|
#0 0x00007ffff6bf7cc9 in __GI_raise (sig=sig@entry=6)
|
|
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
|
|
#1 0x00007ffff6bfb0d8 in __GI_abort () at abort.c:89
|
|
#2 0x00007ffff6c34394 in __libc_message (do_abort=do_abort@entry=1,
|
|
fmt=fmt@entry=0x7ffff6d42b28 "*** Error in `%s': %s: 0x%s ***\n")
|
|
at ../sysdeps/posix/libc_fatal.c:175
|
|
#3 0x00007ffff6c4066e in malloc_printerr (ptr=<optimized out>,
|
|
str=0x7ffff6d42c58 "double free or corruption (out)", action=1)
|
|
at malloc.c:4996
|
|
#4 _int_free (av=<optimized out>, p=<optimized out>, have_lock=0)
|
|
at malloc.c:3840
|
|
#5 0x00007ffff749ab43 in mad_decoder_run (
|
|
decoder=decoder@entry=0x7fffffffbd20,
|
|
mode=mode@entry=MAD_DECODER_MODE_SYNC) at decoder.c:559
|
|
#6 0x0000000000403d5d in main (argc=<optimized out>, argv=<optimized out>)
|
|
at mpg321.c:1092
|
|
(gdb)
|
|
|
|
|
|
POC:
|
|
libmad_0.15.1b_memory_corruption.mp3
|
|
CVE:
|
|
CVE-2017-11552
|
|
|
|
|
|
Proof of Concept:
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42409.zip |