Null pointer dereference vulnerability in the function d_cresc() – abcm2ps-8.14.1
December 19, 2018
CVE Number
–
CWE
CWE-476: NULL Pointer Dereference
Product Details
abcm2ps is a C program which converts music tunes from the ABC music notation to PostScript or SVG.
URL: https://github.com/leesavide/abcm2ps.git
Vulnerable Versions
8.14.1-master
Vulnerability Details
Null Pointer Dereference vulnerability is discovered in the abcm2ps (8.14.1-master). The same can be triggered by sending a crafted abc file to the abcm2ps binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.
SYNOPSIS
we observed that the function draw_sym_near() is called to draw the symbols near the notes. Going in deep to draw the music elements tied to the staff, draw_deco_staff is called & within function func_tb[dd->func](de) is used on the basis of the func and de (next and prev) values its calling other functions.
func=0x6 and de (next =0x5555557eb5d8) it calls d_pf() function and when values changes to the func=0x7 and de (next= 0x5555557eb648) it goes in d_cresc() function located at deco.c. Where in d_cresc() at s = de1->s the value of de1 is 0x0 , which triggers a Null pointer dereference vulnerability.
Vulnerable code
s2 = de->s;
de1 = de->start;
if (de1) {
s = de1->s;
x = s->x + 3;}
Analysis
de1 = de->start;
s = de1->s;
x = s->x + 3;
// } else { /* end without start */
// if (!first_note) {
// dd = &deco_def_tb[de->t];
// error(1, s2, "No start of deco !%s!", dd->name);
────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] 0x555555567141 → d_cresc(de=0x5555557eb610)
[#1] 0x5555555698e8 → draw_deco_staff()
[#2] 0x555555572d48 → draw_sym_near()
[#3] 0x555555583dbd → delayed_output(indent=0)
[#4] 0x555555583dbd → output_music()
[#5] 0x555555589501 → generate()
[#6] 0x555555589a78 → gen_ly(eob=0x0)
[#7] 0x55555558f8f8 → do_tune()
[#8] 0x555555561a52 → abc_parse(p=0x5555557f4a20 "", fname=0x5555557f39f0 "POC", ln=0x16b)
[#9] 0x555555579a54 → txt_add_eos(fname=0x5555557f39f0 "POC", linenum=0x16b)
gef➤ p de1
$1 = (struct deco_elt *) 0x0
gef➤ p *de1
Cannot access memory at address 0x0
gef➤ p *de1->s
Cannot access memory at address 0x10
gef➤ i r
rax 0x1 0x1
rbx 0x5555557eb610 0x5555557eb610
rcx 0x1b 0x1b
rdx 0xc0 0xc0
rsi 0x1 0x1
rdi 0x5555557eb610 0x5555557eb610
rbp 0x5555557be800 0x5555557be800
rsp 0x7fffffffd4c0 0x7fffffffd4c0
r8 0x0 0x0
r9 0x5555557eb610 0x5555557eb610
r10 0x0 0x0
r11 0x5555557e8390 0x5555557e8390
r12 0x0 0x0
r13 0x5555557be7a0 0x5555557be7a0
r14 0x0 0x0
r15 0x5555557c5760 0x5555557c5760
rip 0x555555567141 0x555555567141
eflags 0x10202 [ IF RF ]
cs 0x33 0x33
ss 0x2b 0x2b
ds 0x0 0x0
es 0x0 0x0
fs 0x0 0x0
gs 0x0 0x0
Valgrind
Process terminating with default action of signal 11 (SIGSEGV) Access not within mapped region at address 0x10 at 0x11B141: d_cresc (deco.c:359) by 0x11D8E7: draw_deco_staff (deco.c:1908) by 0x126D47: draw_sym_near (draw.c:4216) by 0x137DBC: delayed_output (music.c:5085) by 0x137DBC: output_music (music.c:5140) by 0x13D500: generate (parse.c:1039) by 0x13DA77: gen_ly (parse.c:1060) by 0x1438F7: do_tune (parse.c:3633) by 0x115A51: abc_parse (abcparse.c:177) by 0x12DA53: txt_add_eos (front.c:379) by 0x12DEE3: frontend (front.c:891) by 0x110E2C: treat_file (abcm2ps.c:240) by 0x10F9E0: main (abcm2ps.c:1033) Segmentation fault
Tested environment
64-bit ubuntu 16.04 LTS
Proof of Concept
./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10
Timeline
Vendor Disclosure: 2018-12-13
Public Disclosure:
Credit
Discovered by ACE Team – Loginsoft