CVE-2019-8380: NULL POINTER DEREFERENCE Vulnerability in function AP4_Track::GetSampleIndexForTimeStampMs() – Bento4-1.5.1-628

Loginsoft-2018-1052

February 13, 2019

CVE Number

CVE-2019-8380

CWE

CWE-476: NULL Pointer Dereference

Product Details

Bento4/AP4 is a C++ class library designed to read and write ISO-MP4 files. Aac2Mp4, one of the tools built on it, converts an AAC ADTS file into an MP4 file.
URL: https://github.com/axiomatic-systems/Bento4.git

Vulnerable Versions

1.5.1-628

Vulnerability Details

We observed a NULL pointer dereference in AP4_Track::GetSampleIndexForTimeStampMs(), located in Ap4Track.cpp. It can be triggered by passing a crafted file to the mp4audioclip binary, and allows an attacker to cause a denial of service (segmentation fault) or possibly have unspecified other impact.

SYNOPSIS

As per our research, the vulnerability exists in AP4_Track::GetSampleIndexForTimeStampMs() in Ap4Track.cpp. The function takes a timestamp in milliseconds, converts it into the timescale of the track's media, and then looks up the matching sample index through m_SampleTable. When a crafted file is passed to the binary, m_SampleTable is NULL (0x0) at the line return m_SampleTable->GetSampleIndexForTimeStamp(ts, index); and the call dereferences that NULL pointer.

Vulnerable code

```cpp
AP4_Result
AP4_Track::GetSampleIndexForTimeStampMs(AP4_UI32 ts_ms, AP4_Ordinal& index)
{
    // convert the ts in the timescale of the track's media
    AP4_UI64 ts = AP4_ConvertTime(ts_ms, 1000, GetMediaTimeScale());

    // m_SampleTable is dereferenced without a NULL check; with the crafted file it is 0x0
    return m_SampleTable->GetSampleIndexForTimeStamp(ts, index);
}
```
Analysis

GDB (gef) output at the crash:
0x00000000004585cb in AP4_Track::GetSampleIndexForTimeStampMs (this=0x6040000001d0, ts_ms=0x0, index=@0x7fffffffdb10: 0x0) at /home/ace/Downloads/sources/Bento4/Source/C++/Core/Ap4Track.cpp:485
485        return m_SampleTable->GetSampleIndexForTimeStamp(ts, index);
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax   : 0x0               
$rbx   : 0x7fffffffdd70      →  0x0000000000000000
$rcx   : 0x0               
$rdx   : 0x0               
$rsp   : 0x7fffffffd9d0      →  0x00007fffffffda00  →  0x00007fffffffdda0  →  0x0000000000578490  →   push r15
$rbp   : 0x7fffffffda00      →  0x00007fffffffdda0  →  0x0000000000578490  →   push r15
$rsi   : 0x0               
$rdi   : 0x0               
$rip   : 0x4585cb            →   mov rax, QWORD PTR [rax]
$r8    : 0x0               
$r9    : 0x0               
$r10   : 0x60b0000000e0      →  0x14ffffff00000002
$r11   : 0x7fffffffd1d8      →  0x000060c000000090  →  0x00000000005caca0  →  0x00000000004809d6  →  <AP4_List::~AP4_List()+0> push rbp
$r12   : 0xffffffffb56       →  0x0000000000000000
$r13   : 0x7fffffffdab0      →  0x0000000041b58ab3
$r14   : 0x60b0000000f0      →  0x00000000005ecdb0  →  0x000000000048acd4  →   push rbp
$r15   : 0x0               
$eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$ss: 0x002b  $fs: 0x0000  $es: 0x0000  $ds: 0x0000  $gs: 0x0000  $cs: 0x0033  
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffd9d0│+0x00: 0x00007fffffffda00  →  0x00007fffffffdda0  →  0x0000000000578490  →   push r15     ← $rsp
0x00007fffffffd9d8│+0x08: 0x00007fffffffdb10  →  0x00007fff00000000
0x00007fffffffd9e0│+0x10: 0x000000000000bb80
0x00007fffffffd9e8│+0x18: 0x00006040000001d0  →  0x0000000000596420  →  0x000000000045725e  →   push rbp
0x00007fffffffd9f0│+0x20: 0x0000000a00000000  →  0x0000000000000000
0x00007fffffffd9f8│+0x28: 0x0000000000000000
0x00007fffffffda00│+0x30: 0x00007fffffffdda0  →  0x0000000000578490  →   push r15     ← $rbp
0x00007fffffffda08│+0x38: 0x0000000000451b68  →   test eax, eax
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
     0x4585c0  div    BYTE PTR [rax+rcx*1+0x48]
     0x4585c4  mov    edi, edx
     0x4585c6  call   0x451140 
→   0x4585cb  mov    rax, QWORD PTR [rax]
     0x4585ce  add    rax, 0x40
     0x4585d2  mov    rdx, rax
     0x4585d5  mov    rsi, rdx
     0x4585d8  shr    rsi, 0x3
     0x4585dc  add    rsi, 0x7fff8000
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:/home/ace/Downloads/sources/Bento4/Source/C++/Core/Ap4Track.cpp+485 ]────
    480     AP4_Track::GetSampleIndexForTimeStampMs(AP4_UI32 ts_ms, AP4_Ordinal& index)
    481     {
    482         // convert the ts in the timescale of the track's media
    483         AP4_UI64 ts = AP4_ConvertTime(ts_ms, 1000, GetMediaTimeScale());
    484     
→  485         return m_SampleTable->GetSampleIndexForTimeStamp(ts, index);
    486     }
    487     
    488     /*----------------------------------------------------------------------
    489     |   AP4_Track::GetNearestSyncSampleIndex
    490     +---------------------------------------------------------------------*/
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "mp4audioclip", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x4585cb → Name: AP4_Track::GetSampleIndexForTimeStampMs(this=0x6040000001d0, ts_ms=0x0, index=@0x7fffffffdb10)
[#1] 0x451b68 → Name: main(argc=0x7, argv=0x7fffffffdec0)

gef➤  p ts
$4 = 0x0
gef➤  p index
$5 = (AP4_Ordinal &) @0x7fffffffdb10: 0x0
gef➤  p  m_SampleTable
$6 = (AP4_SampleTable *) 0x0
gef➤  p m_SampleTable->GetSampleIndexForTimeStamp(ts, index)
Cannot access memory at address 0x0

Tested environment
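The gef session above shows m_SampleTable at 0x0 when the crafted file is processed. As an added example (not Bento4's own code or its upstream fix), here is the same function with the check that prevents the crash, over minimal stand-in types; the type shapes, error codes and sample-table layout are assumptions made for this example.

```cpp
#include <cstdint>
// Minimal stand-ins for the Bento4 types involved; their shapes are assumed for this example.
typedef uint32_t AP4_UI32;
typedef uint64_t AP4_UI64;
typedef uint32_t AP4_Ordinal;
typedef int      AP4_Result;
const AP4_Result AP4_SUCCESS               =  0;
const AP4_Result AP4_ERROR_INVALID_STATE   = -1;  // placeholder codes, not the library's values
const AP4_Result AP4_ERROR_NOT_ENOUGH_DATA = -2;

// Rescale a timestamp between timescales (the conversion the advisory's function performs first).
AP4_UI64 AP4_ConvertTime(AP4_UI64 time_value, AP4_UI32 from_time_scale, AP4_UI32 to_time_scale) {
    if (from_time_scale == 0) return 0;
    double ratio = (double)to_time_scale / (double)from_time_scale;
    return (AP4_UI64)(0.5 + (double)time_value * ratio);
}

// Toy sample table with fixed-duration samples (constructed data, not a parsed stbl atom).
struct AP4_SampleTable {
    AP4_UI64    sample_duration;   // media ticks per sample, non-zero by construction
    AP4_Ordinal sample_count;
    AP4_Result GetSampleIndexForTimeStamp(AP4_UI64 ts, AP4_Ordinal& index) {
        index = (AP4_Ordinal)(ts / sample_duration);
        return index < sample_count ? AP4_SUCCESS : AP4_ERROR_NOT_ENOUGH_DATA;
    }
};

struct AP4_Track {
    AP4_SampleTable* m_SampleTable;     // NULL when the track came without a usable sample table
    AP4_UI32         m_MediaTimeScale;
    AP4_UI32 GetMediaTimeScale() { return m_MediaTimeScale; }
    // Hardened form of the advisory's function: reject a missing sample table instead of dereferencing it.
    AP4_Result GetSampleIndexForTimeStampMs(AP4_UI32 ts_ms, AP4_Ordinal& index) {
        if (m_SampleTable == nullptr) return AP4_ERROR_INVALID_STATE;
        AP4_UI64 ts = AP4_ConvertTime(ts_ms, 1000, GetMediaTimeScale());
        return m_SampleTable->GetSampleIndexForTimeStamp(ts, index);
    }
};

// The crash scenario from the advisory: ts_ms == 0 on a track whose m_SampleTable is NULL.
AP4_Result LookupOnTrackWithoutSampleTable(AP4_Ordinal& index) {
    AP4_Track track = { nullptr, 48000 };
    return track.GetSampleIndexForTimeStampMs(0, index);
}
// A well-formed track: 100 samples of 1024 ticks each at a 48 kHz media timescale.
AP4_Result LookupOnValidTrack(AP4_UI32 ts_ms, AP4_Ordinal& index) {
    AP4_SampleTable table = { 1024, 100 };
    AP4_Track track = { &table, 48000 };
    return track.GetSampleIndexForTimeStampMs(ts_ms, index);
}
```

With the check in place the crafted-file case returns an error code to the caller (mp4audioclip in the advisory) instead of raising SIGSEGV.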

64-bit Ubuntu 16.04 LTS

Proof of Concept

./mp4audioclip --start 0 --duration 100 $POC OUTPUTFILE

Timeline

Vendor Disclosure: 02-02-2019
Public Disclosure: 13-02-2019

Credit

Discovered by ACE Team – Loginsoft