heap-buffer-overflow in function id3dmx_flush filters/reframe_mp3.c in gpac/gpac
Reported on
Jun 13th 2023
Description
Heap-buffer-overflow in MP4Box.
Version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
complie and run
./configure --enable-sanitizer
make
Proof of Concept
./MP4Box -info ./poc.mp3
poc is here!
ASAN
information reported by sanitizer
==32961==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001bb8 at pc 0x7fe8c604bcc3 bp 0x7ffc04e06160 sp 0x7ffc04e06150
WRITE of size 1 at 0x602000001bb8 thread T0
#0 0x7fe8c604bcc2 in id3dmx_flush filters/reframe_mp3.c:274
#1 0x7fe8c604de18 in mp3_dmx_flush_id3 filters/reframe_mp3.c:344
#2 0x7fe8c604de18 in mp3_dmx_check_pid filters/reframe_mp3.c:417
#3 0x7fe8c604de18 in mp3_dmx_process filters/reframe_mp3.c:657
#4 0x7fe8c5bee15e in gf_filter_process_task filter_core/filter.c:2901
#5 0x7fe8c5badd1a in gf_fs_thread_proc filter_core/filter_session.c:1962
#6 0x7fe8c5bbb686 in gf_fs_run filter_core/filter_session.c:2264
#7 0x7fe8c55ea3c6 in gf_media_import media_tools/media_import.c:1239
#8 0x55a1aa648da1 in convert_file_info /home/functionmain/Desktop/gpac-master/applications/mp4box/fileimport.c:130
#9 0x55a1aa6123a7 in mp4box_main /home/functionmain/Desktop/gpac-master/applications/mp4box/mp4box.c:6371
#10 0x7fe8c2814082 in __libc_start_main ../csu/libc-start.c:308
#11 0x55a1aa5eaebd in _start (/home/functionmain/Desktop/gpac-master/bin/gcc/MP4Box+0xa4ebd)
0x602000001bb8 is located 0 bytes to the right of 8-byte region [0x602000001bb0,0x602000001bb8)
allocated by thread T0 here:
#0 0x7fe8c87e2c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
#1 0x7fe8c604b37a in id3dmx_flush filters/reframe_mp3.c:269
#2 0x7fe8c604de18 in mp3_dmx_flush_id3 filters/reframe_mp3.c:344
#3 0x7fe8c604de18 in mp3_dmx_check_pid filters/reframe_mp3.c:417
#4 0x7fe8c604de18 in mp3_dmx_process filters/reframe_mp3.c:657
#5 0x7fe8c5bee15e in gf_filter_process_task filter_core/filter.c:2901
#6 0x7fe8c5badd1a in gf_fs_thread_proc filter_core/filter_session.c:1962
#7 0x7fe8c5bbb686 in gf_fs_run filter_core/filter_session.c:2264
#8 0x7fe8c55ea3c6 in gf_media_import media_tools/media_import.c:1239
#9 0x55a1aa648da1 in convert_file_info /home/functionmain/Desktop/gpac-master/applications/mp4box/fileimport.c:130
#10 0x55a1aa6123a7 in mp4box_main /home/functionmain/Desktop/gpac-master/applications/mp4box/mp4box.c:6371
#11 0x7fe8c2814082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow filters/reframe_mp3.c:274 in id3dmx_flush
Shadow bytes around the buggy address:
0x0c047fff8320: fa fa fd fd fa fa 06 fa fa fa 00 01 fa fa 00 00
0x0c047fff8330: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8340: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8350: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8360: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa fd fa
=>0x0c047fff8370: fa fa 06 fa fa fa 00[fa]fa fa 05 fa fa fa 03 fa
0x0c047fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==32961==ABORTING
Impact
This is capable of causing crashes.
References
Impact
This is capable of causing crashes.
References
Yes but first could you please review the severity? We still need to explore the issue but 7.8 seems really high with a proof about the risks.
I have reviewed the severity of this issue. But the quantification in detail is too complicated. I calculated the score by refering to other cve reports.
Again there is no issue for us to emit a CVE. It's just that seeing a heap overflow with a score of 7.8 only hurts our open-source project. If no one is able to prove this give access to external data, let's stay conservative until it is proven. Cc @admin. Thanks.
I have reviewed the severity again and agree to evaluate the risk level as Medium (4.4).
I reconsider the risk of the issue. Since heap overflow allows us to write the size and data sections of the next chunk, users could control the chunk allocation in certain cases, thus making them can Write-Anything-Anywhere and control the execution process of the program. So I do think it might be a high severity.
I don't know if you'd agree with me:
- attack vector: local
- attack complexity: low
- privilege required: none
- user interaction: none <= CHANGED
- scope: unchanged
- confidentiality: none
- integrity: low
- availability: none or low <= CHANGED: MP4Box is a command-line stateless tool. It is not a server. So it wouldn't affect a service availability (unless trying to make a DDoS on a server, in which case it depends on the server implementation, not on MP4Box which is always fully functional).
Which parts deserves to be challenged?
I am genuinely trying to understand how people compute these scores. We've had high scores on memory double free() for example. We were unable to justify to Debian's maintainers how the score was computed.
Thanks
Thanks for your sharing. I agree with most of your calculations. But I am wondering if confidentiality could be quantified as low? Out-of-bounds reads and writes caused by heap overflow could lead to information leakage in certain cases.
The CVEs related to MP4Box that I reffered to while doing the calculations, such as CVE 2023 0866, CVE 2023 0819 and CVE 2023 0760, are all related to heap-buffer-overflow. Their vulnerability ratings are all High(7.8 or 7.3) and their impact descriptions are "This vulnerability is capable of crashing software, using unexpected value, or possible code execution". I am wondering if these reports can serve as a reference for calculating scores.
Again I'd like to thank for the work that's being done here.
The CVEs you mention (with a high rating) are the ones causing us troubles with Debian. When they are high level vulnerabilities, Debian asks us to make new releases or we are kicked out. GPAC got kicked out from some older Debian versions because some people run fuzzers, discovered crashes, but the wrong severity was applied. We are trying to fix this.
am wondering if confidentiality could be quantified as low? Out-of-bounds reads and writes caused by heap overflow could lead to information leakage in certain cases.
That's exactly what we are trying to figure out. If which cases can information leak? This is inside an executable where you feed the data in.
During my debugging process, I found that when function id3dmx_flush() in filters/reframe_mp3.c called function gf_realloc() for the third time, both the prev_size and size of the next chunk next to the chunk pointed to by the _buf pointer were destroyed.
Whether it is possible to control the size of the next heap block by arranging appropriate input data to achieve Write Anything Anywhere thus causing code execution remains to be further study.
As you said, it is currently not easy to achieve information leakage - unless the execution flow of the program is fully controlled to achieve RCE.
I have modified the report now.
Debuggin info: <img src="https://gitee.com/FUNctionMain/mypoc/raw/master/debugging.png" alt="debugging_info" style="zoom: 67%;" />
During my debugging process, I found that when function id3dmx_flush() in filters/reframe_mp3.c called function gf_realloc() for the third time, both the prev_size and size of the next chunk next to the chunk pointed to by the _buf pointer had already been destroyed.
Whether it is possible to control the prev_size, size, fd and bk of the next chunk by arranging appropriate input data to achieve Write Anything Anywhere thus causing code execution remains to be further study.
As you said, it is currently not easy to achieve information leakage - unless the execution flow of the program is fully controlled to achieve RCE.
I have modified the report now.
Debuggin info: debugging_info
( I have commented again because of some mistakes in the last comment. )
May I ask you to retry on the lastest git? It should have been fixed hours ago, but I am not sure to understand if your last message was part of the initial report, or is an extension of it.
Sorry for taking you so much time here. That's also needed on our side to be better on next reports.
The above content is part of the initial report. I retried in the latest Git and found that this issue has been fixed.
Thanks for you work and cooperation