Sound eXchange (SoX) multiple vulnerabilities
================
Author : qflb.wu
===============
Introduction:
=============
SoX is a cross-platform (Windows, Linux, MacOS X, etc.) command line utility that can convert various formats of computer audio files in to other formats. It can also apply various effects to these sound files, and, as an added bonus, SoX can play and record audio files on most platforms.
Affected version:
=====
14.4.2
Vulnerability Description:
==========================
1.
the startread function in wav.c in Sound eXchange(SoX) 14.4.2 can cause a denial of service(divide-by-zero error and application crash) via a crafted wav file.
./sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg
----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7b9c829 in startread (ft=0x611540) at wav.c:950
950 wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) / ft->signal.channels;
(gdb) disassemble 0x00007ffff7b9c829,0x00007ffff7b9c8ff
Dump of assembler code from 0x7ffff7b9c829 to 0x7ffff7b9c8ff:
=> 0x00007ffff7b9c829 <startread+1577>:div %rcx
0x00007ffff7b9c82c <startread+1580>:mov %rax,0x0(%rbp)
0x00007ffff7b9c830 <startread+1584>:imul %rcx,%rax
0x00007ffff7b9c834 <startread+1588>:mov %rax,0x18(%rbx)
0x00007ffff7b9c838 <startread+1592>:mov 0x28(%rbp),%r8d
0x00007ffff7b9c83c <startread+1596>:test %r8d,%r8d
0x00007ffff7b9c83f <startread+1599>:je 0x7ffff7b9c849 <startread+1609>
0x00007ffff7b9c841 <startread+1601>:movq $0x0,0x18(%rbx)
0x00007ffff7b9c849 <startread+1609>:mov %r9d,0x14(%rsp)
0x00007ffff7b9c84e <startread+1614>:mov %edi,0x10(%rsp)
0x00007ffff7b9c852 <startread+1618>:callq 0x7ffff7b50390 <sox_get_globals@plt>
0x00007ffff7b9c857 <startread+1623>:cmpw $0x1,0x22(%rsp)
0x00007ffff7b9c85d <startread+1629>:lea 0x241fa(%rip),%rdx # 0x7ffff7bc0a5e
0x00007ffff7b9c864 <startread+1636>:mov 0x10(%rsp),%edi
0x00007ffff7b9c868 <startread+1640>:mov 0x30(%rsp),%r8d
0x00007ffff7b9c86d <startread+1645>:lea 0x1de3a(%rip),%rcx # 0x7ffff7bba6ae
0x00007ffff7b9c874 <startread+1652>:mov %rdx,0x40(%rax)
0x00007ffff7b9c878 <startread+1656>:lea 0x115e7(%rip),%rax # 0x7ffff7bade66
---Type <return> to continue, or q <return> to quit---q
End of assembler dump.
(gdb) i r
rax 0x5371335
rbx 0x6115406362432
rcx 0x00
rdx 0x00
rsi 0x88
rdi 0x11
rbp 0x611a600x611a60
rsp 0x7fffffffdc000x7fffffffdc00
r8 0x7ffff7fce7c0140737353934784
r9 0x00
r10 0x7fffffffd9c0140737488345536
r11 0x7ffff72cca80140737340295808
r12 0x5371335
r13 0x7fffffffdc50140737488346192
r14 0x7fffffffdc40140737488346176
r15 0x00
rip 0x7ffff7b9c8290x7ffff7b9c829 <startread+1577>
eflags 0x10246[ PF ZF IF RF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
gs 0x00
(gdb)
POC:
sox_14.4.2_divide_by_zero_error_1.wav
CVE:
CVE-2017-11332
2.
the read_samples function in hcom.c in Sound eXchange(SoX) 14.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted hcom file.
./sox sox_14.4.2_invalid_memory_read.hcom out.wav
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215
215 if(p->dictionary[p->dictentry].dict_leftson < 0) {
(gdb) bt
#0 read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215
#1 0x00007ffff7b58409 in sox_read (ft=ft@entry=0x611590, buf=<optimized out>,
len=8192) at formats.c:978
#2 0x0000000000409dd4 in sox_read_wide (ft=0x611590, buf=<optimized out>,
max=<optimized out>) at sox.c:490
#3 0x000000000040a32e in combiner_drain (effp=0x614410, obuf=0x6145f0,
osamp=0x7fffffffdbb0) at sox.c:552
#4 0x00007ffff7b68c0d in drain_effect (n=0, chain=0x614260) at effects.c:352
#5 sox_flow_effects (chain=0x614260,
callback=callback@entry=0x405a80 <update_status>,
client_data=client_data@entry=0x0) at effects.c:445
#6 0x0000000000407bf6 in process () at sox.c:1802
#7 0x0000000000403085 in main (argc=3, argv=0x7fffffffdf98) at sox.c:3008
(gdb) disassemble
Dump of assembler code for function read_samples:
0x00007ffff7b93900 <+0>:push %r15
0x00007ffff7b93902 <+2>:push %r14
0x00007ffff7b93904 <+4>:mov %rsi,%r14
0x00007ffff7b93907 <+7>:push %r13
0x00007ffff7b93909 <+9>:push %r12
0x00007ffff7b9390b <+11>:push %rbp
0x00007ffff7b9390c <+12>:push %rbx
0x00007ffff7b9390d <+13>:mov %rdi,%rbx
0x00007ffff7b93910 <+16>:sub $0x28,%rsp
0x00007ffff7b93914 <+20>:mov 0x2d0(%rdi),%r15
0x00007ffff7b9391b <+27>:mov 0x24(%r15),%esi
0x00007ffff7b9391f <+31>:test %esi,%esi
0x00007ffff7b93921 <+33>:js 0x7ffff7b93a60 <read_samples+352>
0x00007ffff7b93927 <+39>:mov 0x10(%r15),%rdi
0x00007ffff7b9392b <+43>:xor %eax,%eax
0x00007ffff7b9392d <+45>:lea (%rax,%rdx,1),%r13d
0x00007ffff7b93931 <+49>:lea 0x28(%r15),%rbp
0x00007ffff7b93935 <+53>:mov %rdx,%r12
0x00007ffff7b93938 <+56>:lea 0x1(%r13),%eax
0x00007ffff7b9393c <+60>:mov %eax,0xc(%rsp)
0x00007ffff7b93940 <+64>:mov %r13d,%eax
0x00007ffff7b93943 <+67>:mov %r12d,0x8(%rsp)
---Type <return> to continue, or q <return> to quit---
0x00007ffff7b93948 <+72>:sub %r12d,%eax
0x00007ffff7b9394b <+75>:mov %eax,(%rsp)
0x00007ffff7b9394e <+78>:jmp 0x7ffff7b93989 <read_samples+137>
0x00007ffff7b93950 <+80>:lea -0x1(%rax),%r8d
0x00007ffff7b93954 <+84>:movslq 0x20(%r15),%rax
0x00007ffff7b93958 <+88>:mov 0x28(%r15),%edx
0x00007ffff7b9395c <+92>:mov (%r15),%rsi
0x00007ffff7b9395f <+95>:shl $0x4,%rax
0x00007ffff7b93963 <+99>:test %edx,%edx
0x00007ffff7b93965 <+101>:js 0x7ffff7b939e0 <read_samples+224>
0x00007ffff7b93967 <+103>:movswq 0x8(%rsi,%rax,1),%rax
0x00007ffff7b9396d <+109>:mov %eax,0x20(%r15)
0x00007ffff7b93971 <+113>:shl $0x4,%rax
0x00007ffff7b93975 <+117>:add %edx,%edx
0x00007ffff7b93977 <+119>:mov %r8d,0x24(%r15)
0x00007ffff7b9397b <+123>:add %rsi,%rax
0x00007ffff7b9397e <+126>:mov %edx,0x28(%r15)
=> 0x00007ffff7b93982 <+130>:cmpw $0x0,0x8(%rax)
0x00007ffff7b93987 <+135>:js 0x7ffff7b939f0 <read_samples+240>
0x00007ffff7b93989 <+137>:test %rdi,%rdi
0x00007ffff7b9398c <+140>:jle 0x7ffff7b93a48 <read_samples+328>
0x00007ffff7b93992 <+146>:mov 0x24(%r15),%eax
0x00007ffff7b93996 <+150>:test %eax,%eax
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
rax 0x631b306495024
rbx 0x6115906362512
rcx 0x11
rdx 0x6900006881280
rsi 0x611b206363936
rdi 0x5241316
rbp 0x611ad80x611ad8
rsp 0x7fffffffda300x7fffffffda30
r8 0x1016
r9 0x7ffff7fce7c0140737353934784
r10 0x7fffffffd7f0140737488345072
r11 0x7ffff72cb2e0140737340289760
r12 0x1ff98185
r13 0x20008192
r14 0x61460c6374924
r15 0x611ab06363824
rip 0x7ffff7b939820x7ffff7b93982 <read_samples+130>
eflags 0x10206[ PF IF RF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/20x $rax+8
0x631b38:Cannot access memory at address 0x631b38
(gdb)
POC:
sox_14.4.2_invalid_memory_read.hcom
CVE:
CVE-2017-11358
3.
the wavwritehdr function in wav.c in Sound eXchange(SoX) 14.4.2 allows remote attackers to cause a denial of service(divide-by-zero error and application crash) via a crafted snd file which convert to wav file.
./sox sox_14.4.2_divide_by_zero_error_2.snd out.wav
----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0,
second_header=second_header@entry=0) at wav.c:1457
1457 blocksWritten = MS_UNSPEC/wBlockAlign;
(gdb) bt
#0 0x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0,
second_header=second_header@entry=0) at wav.c:1457
#1 0x00007ffff7b9c0e9 in startwrite (ft=0x611bf0) at wav.c:1252
#2 0x00007ffff7b59e32 in open_write (
path=path@entry=0x611bc0 "/home/a/Documents/out.wav",
buffer=buffer@entry=0x0, buffer_size=buffer_size@entry=0,
buffer_ptr=buffer_ptr@entry=0x0,
buffer_size_ptr=buffer_size_ptr@entry=0x0, signal=signal@entry=0x611410,
encoding=encoding@entry=0x611430, filetype=0x611bd6 "wav",
oob=oob@entry=0x7fffffffdcd0,
overwrite_permitted=overwrite_permitted@entry=0x409ce0 <overwrite_permitted>) at formats.c:912
#3 0x00007ffff7b5a5e8 in sox_open_write (
path=path@entry=0x611bc0 "/home/a/Documents/out.wav",
signal=signal@entry=0x611410, encoding=encoding@entry=0x611430,
filetype=<optimized out>, oob=oob@entry=0x7fffffffdcd0,
overwrite_permitted=overwrite_permitted@entry=0x409ce0 <overwrite_permitted>) at formats.c:948
#4 0x000000000040847a in open_output_file () at sox.c:1557
#5 process () at sox.c:1754
#6 0x0000000000403085 in main (argc=3, argv=0x7fffffffdfa8) at sox.c:3008
(gdb) disassemble 0x00007ffff7b9a97b,0x00007ffff7b9a9ff
Dump of assembler code from 0x7ffff7b9a97b to 0x7ffff7b9a9ff:
=> 0x00007ffff7b9a97b <wavwritehdr+427>:idivl 0x10(%rsp)
0x00007ffff7b9a97f <wavwritehdr+431>:movslq %eax,%rcx
0x00007ffff7b9a982 <wavwritehdr+434>:imul %eax,%r12d
0x00007ffff7b9a986 <wavwritehdr+438>:mov %rcx,0x48(%rsp)
0x00007ffff7b9a98b <wavwritehdr+443>:imul %r14d,%eax
0x00007ffff7b9a98f <wavwritehdr+447>:cmp $0x31,%bp
0x00007ffff7b9a993 <wavwritehdr+451>:mov %eax,0x40(%rsp)
0x00007ffff7b9a997 <wavwritehdr+455>:je 0x7ffff7b9aff0 <wavwritehdr+2080>
0x00007ffff7b9a99d <wavwritehdr+461>:cmp $0x1,%bp
0x00007ffff7b9a9a1 <wavwritehdr+465>:je 0x7ffff7b9b0a8 <wavwritehdr+2264>
0x00007ffff7b9a9a7 <wavwritehdr+471>:movzwl 0x3e(%rsp),%eax
0x00007ffff7b9a9ac <wavwritehdr+476>:movl $0x0,0x34(%rsp)
0x00007ffff7b9a9b4 <wavwritehdr+484>:lea 0x12(%rax),%r13d
0x00007ffff7b9a9b8 <wavwritehdr+488>:mov %r12d,%eax
0x00007ffff7b9a9bb <wavwritehdr+491>:and $0x1,%eax
0x00007ffff7b9a9be <wavwritehdr+494>:movzwl %r13w,%r13d
0x00007ffff7b9a9c2 <wavwritehdr+498>:lea (%r12,%r13,1),%edx
0x00007ffff7b9a9c6 <wavwritehdr+502>:add %edx,%eax
0x00007ffff7b9a9c8 <wavwritehdr+504>:cmp $0x1,%bp
0x00007ffff7b9a9cc <wavwritehdr+508>:setne 0x3d(%rsp)
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/10gx $rsp+10
0x7fffffffdaaa:0x00000000000000000x0056000000000000
0x7fffffffdaba:0x00010000000000d40x0001000000000000
0x7fffffffdaca:0x00000000000800000x0000000000000008
0x7fffffffdada:0x0fe000007fff00000x876000007ffff7bc
0x7fffffffdaea:0x00d000007ffff7610x21a0000000000000
(gdb)
POC:
sox_14.4.2_divide_by_zero_error_2.snd
CVE:
CVE-2017-11359
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42398.zip