Null pointer dereference vulnerability in the function d_cresc() – abcm2ps-8.14.1

December 19, 2018

CVE Number

CWE

CWE-476: NULL Pointer Dereference

Product Details

abcm2ps is a C program which converts music tunes from the ABC music notation to PostScript or SVG.
URL: https://github.com/leesavide/abcm2ps.git

Vulnerable Versions

8.14.1-master

Vulnerability Details

A NULL pointer dereference vulnerability was discovered in abcm2ps (8.14.1-master). It can be triggered by passing a crafted ABC file to the abcm2ps binary, allowing an attacker to cause a denial of service (segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.

SYNOPSIS

We observed that the function draw_sym_near() is called to draw the symbols near the notes. Going deeper into the drawing of the music elements tied to the staff, draw_deco_staff() is called, and within it the dispatch func_tb[dd->func](de) calls different handler functions depending on the func value and the de element (its next and prev pointers).
With func=0x6 and de (next=0x5555557eb5d8) it calls d_pf(); when the values change to func=0x7 and de (next=0x5555557eb648) it enters d_cresc(), located in deco.c. There, at s = de1->s, the value of de1 is 0x0, which triggers the NULL pointer dereference.

Vulnerable code

s2 = de->s;
de1 = de->start;
if (de1) {
	s = de1->s;
	x = s->x + 3;
}
Analysis

	de1 = de->start;
		s = de1->s;
		x = s->x + 3;
//	} else {			/* end without start */
//		if (!first_note) {
//			dd = &deco_def_tb[de->t];
//			error(1, s2, "No start of deco !%s!", dd->name);
────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] 0x555555567141 → d_cresc(de=0x5555557eb610)
[#1] 0x5555555698e8 → draw_deco_staff()
[#2] 0x555555572d48 → draw_sym_near()
[#3] 0x555555583dbd → delayed_output(indent=0)
[#4] 0x555555583dbd → output_music()
[#5] 0x555555589501 → generate()
[#6] 0x555555589a78 → gen_ly(eob=0x0)
[#7] 0x55555558f8f8 → do_tune()
[#8] 0x555555561a52 → abc_parse(p=0x5555557f4a20 "", fname=0x5555557f39f0 "POC", ln=0x16b)
[#9] 0x555555579a54 → txt_add_eos(fname=0x5555557f39f0 "POC", linenum=0x16b)
gef➤  p de1
$1 = (struct deco_elt *) 0x0
gef➤  p *de1
Cannot access memory at address 0x0
gef➤  p *de1->s
Cannot access memory at address 0x10
gef➤  i r
rax            0x1	0x1
rbx            0x5555557eb610	0x5555557eb610
rcx            0x1b	0x1b
rdx            0xc0	0xc0
rsi            0x1	0x1
rdi            0x5555557eb610	0x5555557eb610
rbp            0x5555557be800	0x5555557be800 
rsp            0x7fffffffd4c0	0x7fffffffd4c0
r8             0x0	0x0
r9             0x5555557eb610	0x5555557eb610
r10            0x0	0x0
r11            0x5555557e8390	0x5555557e8390
r12            0x0	0x0
r13            0x5555557be7a0	0x5555557be7a0
r14            0x0	0x0
r15            0x5555557c5760	0x5555557c5760
rip            0x555555567141	0x555555567141 
eflags         0x10202	[ IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0
Valgrind
Process terminating with default action of signal 11 (SIGSEGV)
Access not within mapped region at address 0x10
 at 0x11B141: d_cresc (deco.c:359)
 by 0x11D8E7: draw_deco_staff (deco.c:1908)
 by 0x126D47: draw_sym_near (draw.c:4216)
 by 0x137DBC: delayed_output (music.c:5085)
 by 0x137DBC: output_music (music.c:5140)
 by 0x13D500: generate (parse.c:1039)
 by 0x13DA77: gen_ly (parse.c:1060)
 by 0x1438F7: do_tune (parse.c:3633)
 by 0x115A51: abc_parse (abcparse.c:177)
 by 0x12DA53: txt_add_eos (front.c:379)
 by 0x12DEE3: frontend (front.c:891)
 by 0x110E2C: treat_file (abcm2ps.c:240)
 by 0x10F9E0: main (abcm2ps.c:1033)
Segmentation fault
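The defensive shape of the fix that the commented-out "end without start" branch in the analysis above points to (an end marker with no matching start is reported instead of dereferenced), as an added example that is not abcm2ps code: the structs below are hypothetical stand-ins for abcm2ps's deco_elt and SYMBOL, modelling only the fields this path touches, and the "No start of deco" message is reused from the listing above.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-ins for abcm2ps's SYMBOL and deco_elt (assumption:
 * real layouts differ; only the fields used on the d_cresc() path). */
struct symbol {
    float x;                 /* horizontal position of the note */
};

struct deco_elt {
    struct symbol *s;        /* symbol the decoration is attached to */
    struct deco_elt *start;  /* start element; NULL for an end with no start */
    const char *name;        /* decoration name, for diagnostics */
};

/* Shape of the vulnerable path from the advisory: de->start is used
 * unconditionally, so a crescendo end without a start dereferences NULL.
 * Kept only for contrast; never reached with start == NULL below. */
static float cresc_start_x_unchecked(const struct deco_elt *de)
{
    const struct deco_elt *de1 = de->start;
    return de1->s->x + 3;    /* crashes when de1 == NULL */
}

/* Hardened form: validate the start element (and its symbol) before use.
 * Returns 1 and sets *x on success, 0 for an end with no start, which is
 * reported the way the commented-out error() branch would. */
static int cresc_start_x(const struct deco_elt *de, float *x)
{
    const struct deco_elt *de1 = de->start;
    if (de1 == NULL || de1->s == NULL) {
        fprintf(stderr, "No start of deco !%s!\n", de->name ? de->name : "?");
        return 0;
    }
    *x = de1->s->x + 3;
    return 1;
}

int main(void)
{
    /* Constructed input: one note, a start marker, a matched end and an orphan end. */
    struct symbol note = { 10.0f };
    struct deco_elt start = { &note, NULL, "crescendo(" };
    struct deco_elt end_ok = { &note, &start, "crescendo)" };
    struct deco_elt end_orphan = { &note, NULL, "crescendo)" };
    float x = 0.0f;
    printf("matched end: x=%.1f (unchecked gives %.1f)\n",
           cresc_start_x(&end_ok, &x) ? x : -1.0f, cresc_start_x_unchecked(&end_ok));
    printf("orphan end handled: %d\n", cresc_start_x(&end_orphan, &x) == 0);
    return 0;
}
```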
Tested environment

64-bit Ubuntu 16.04 LTS

Proof of Concept

./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10

Timeline

Vendor Disclosure: 2018-12-13
Public Disclosure:

Credit

Discovered by ACE Team – Loginsoft