DivFix++ denial of service vulnerability
================
Author : qflb.wu
===============
Introduction:
=============
DivFix++ is FREE AVI Video Fix & Preview program.
Affected version:
=====
v0.34
Vulnerability Description:
==========================
the DivFixppCore::avi_header_fix function in src/DivFix++Core.cpp in DivFix++ v0.34 can cause a denial of service(invalid memory write and application crash) via a crafted avi file.
./DivFix++ -i DivFix++_v0.34_invalid_memory_write.avi -o out.avi
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
167../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0 __memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
#1 0x00000000004239d8 in DivFixppCore::avi_header_fix() ()
#2 0x000000000042c0c0 in DivFixppCore::Fix(wxString, wxString, bool, bool, bool, bool) ()
#3 0x000000000041404a in DivFixppApp::OnCmdLineParsed(wxCmdLineParser&) ()
#4 0x0000000000414f6e in DivFixppApp::OnInit() ()
#5 0x0000000000416f4f in wxAppConsoleBase::CallOnInit() ()
#6 0x00007ffff6c6903c in wxEntry(int&, wchar_t**) ()
from /usr/lib/x86_64-linux-gnu/libwx_baseu-3.0.so.0
#7 0x0000000000411e70 in main ()
(gdb)
-------------------
(gdb) disassemble 0x00000000004239b0,0x00000000004239df
Dump of assembler code from 0x4239b0 to 0x4239df:
0x00000000004239b0 <_ZN12DivFixppCore14avi_header_fixEv+3504>:add %al,(%rax)
0x00000000004239b2 <_ZN12DivFixppCore14avi_header_fixEv+3506>:mov %eax,%edi
0x00000000004239b4 <_ZN12DivFixppCore14avi_header_fixEv+3508>:callq 0x434eaf <_Z17make_littleendianIiERT_S0_>
0x00000000004239b9 <_ZN12DivFixppCore14avi_header_fixEv+3513>:mov -0x138(%rbp),%rdx
0x00000000004239c0 <_ZN12DivFixppCore14avi_header_fixEv+3520>:mov 0x38(%rdx),%rdx
0x00000000004239c4 <_ZN12DivFixppCore14avi_header_fixEv+3524>:lea 0x10(%rdx),%rcx
0x00000000004239c8 <_ZN12DivFixppCore14avi_header_fixEv+3528>:mov $0x4,%edx
0x00000000004239cd <_ZN12DivFixppCore14avi_header_fixEv+3533>:mov %rax,%rsi
0x00000000004239d0 <_ZN12DivFixppCore14avi_header_fixEv+3536>:mov %rcx,%rdi
=> 0x00000000004239d3 <_ZN12DivFixppCore14avi_header_fixEv+3539>:callq 0x40fcc0 <memcpy@plt>
0x00000000004239d8 <_ZN12DivFixppCore14avi_header_fixEv+3544>:mov -0x138(%rbp),%rax
---Type <return> to continue, or q <return> to quit---
End of assembler dump.
(gdb) i r
rax 0x6615286690088
rbx 0x00
rcx 0x1016
rdx 0x44
rsi 0x6615286690088
rdi 0x1016
rbp 0x7fffffffcf100x7fffffffcf10
rsp 0x7fffffffcdd00x7fffffffcdd0
r8 0x8049308407344
r9 0x7ffff7fc1a40140737353882176
r10 0x640000006e429496729710
r11 0x00
r12 0x11
r13 0x11
r14 0x00
r15 0x00
rip 0x4239d30x4239d3 <DivFixppCore::avi_header_fix()+3539>
eflags 0x246[ PF ZF IF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
---Type <return> to continue, or q <return> to quit---
gs 0x00
(gdb)
POC:
DivFix++_v0.34_invalid_memory_write.avi
CVE:
CVE-2017-11330
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42396.zip