Null pointer dereference vulnerability in the function deco_define() – abcm2ps-8.14.1

December 14, 2018

CVE Number

CWE

CWE-476: NULL Pointer Dereference

Product Details

abcm2ps is a C program which converts music tunes from the ABC music notation to PostScript or SVG.
URL: https://github.com/leesavide/abcm2ps.git

Vulnerable Versions

8.14.1-master

Vulnerability Details

A NULL pointer dereference was discovered in abcm2ps (8.14.1-master). It is triggered by passing a crafted .abc file to the abcm2ps binary: when a victim opens the specially crafted file, the process dereferences address 0 and crashes, so an attacker can cause a denial of service (segmentation fault) or possibly have unspecified other impact.

Synopsis

When get_note() parses a note it calls deco_cnv() to convert the note's decorations; deco_cnv() calls deco_intern() to convert the external decoration number to the internal one, and deco_intern() in turn calls deco_define() with the decoration's name. With a crafted .abc file, the name read from the defined symbols while the decoration is being converted is a null pointer, so deco_define() is entered with name == 0x0 and hands it straight to strlen(name), which dereferences NULL and crashes (deco.c:989).

Vulnerable code (deco_define(), deco.c)

    l = strlen(name);
    for (d = user_deco; d; d = d->next) {
        if (strncmp(d->text, name, l) == 0
         && d->text[l] == ' ')
            return deco_build(name, d->text);
    }
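As an added example that is not abcm2ps's own code or its fix, the lookup loop above modelled in a stand-alone C program: the page's unchecked form, which crashes exactly as in the backtrace when name is NULL, beside one hardened form that refuses a NULL or empty name before it reaches strlen(). The struct, the two-entry sample list, the "name definition" strings and the function names lookup_unchecked()/lookup_checked() are constructed here for illustration; only the loop body mirrors deco.c lines 989-994, and the check is an assumption about how to harden it, not the upstream patch.

```c
/* Added example, not abcm2ps's code or its fix: a stand-alone model of the
 * deco_define() lookup loop quoted above. The struct, the sample list and the
 * function names are constructed for illustration; only the loop body mirrors
 * deco.c lines 989-994. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an abcm2ps user-defined decoration entry.
 * text holds "name definition" with a space right after the name, which is
 * what the loop's d->text[l] == ' ' check relies on. */
struct deco_def {
    const char *text;
    struct deco_def *next;
};

/* Constructed sample list of two user decorations. */
static struct deco_def deco_trill = { "trill +trill", NULL };
static struct deco_def deco_tr    = { "tr +trill", &deco_trill };
static struct deco_def *user_deco = &deco_tr;

/* The page's form: name goes to strlen() unconditionally. With name == NULL
 * this is the crash at deco.c:989 (rdi == 0x0 in the register dump).
 * Never call this with NULL. */
const char *lookup_unchecked(const char *name)
{
    size_t l = strlen(name);
    const struct deco_def *d;

    for (d = user_deco; d; d = d->next) {
        if (strncmp(d->text, name, l) == 0
         && d->text[l] == ' ')
            return d->text;     /* abcm2ps would call deco_build() here */
    }
    return NULL;
}

/* One hardened form (an assumption, not the upstream patch): reject a NULL
 * or empty name before it reaches strlen(). Returning NULL lets the caller
 * treat the malformed decoration as "not found" instead of crashing. */
const char *lookup_checked(const char *name)
{
    const struct deco_def *d;
    size_t l;

    if (name == NULL || name[0] == '\0')
        return NULL;
    l = strlen(name);
    for (d = user_deco; d; d = d->next) {
        if (strncmp(d->text, name, l) == 0
         && d->text[l] == ' ')
            return d->text;
    }
    return NULL;
}

int main(void)
{
    const char *names[] = { "tr", "trill", "t", NULL };
    size_t i;

    /* The NULL entry is the crafted-file case: lookup_checked() returns
     * "not found" where lookup_unchecked() would segfault. */
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *hit = lookup_checked(names[i]);
        printf("%-6s -> %s\n", names[i] ? names[i] : "NULL",
               hit ? hit : "(not found)");
    }
    return 0;
}
```

The empty-name check matters too: with l == 0, strncmp() matches every entry and only d->text[0] == ' ' decides, so an entry whose text happens to begin with a space would be returned for an empty decoration name. Rejecting both NULL and "" up front keeps the loop's prefix-plus-space matching sound.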
Analysis

In function deco_define() (deco.c), the crash site and the loop that follows it:

 989        l = strlen(name);
 990        for (d = user_deco; d; d = d->next) {
 991                if (strncmp(d->text, name, l) == 0
 992                 && d->text[l] == ' ')
 993                        return deco_build(name, d->text);
 994        }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Id 1, Name: "abcm2ps", stopped, reason: BREAKPOINT
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 0x555555566a8b → deco_define(name=0x0)
 0x555555567ed8 → deco_intern(s=0x555555875a00, ideco=)
 0x555555567ed8 → deco_cnv(dc=0x555555875c08, s=0x555555875a00, prev=0x0)
 0x55555559024c → get_note(s=)
 0x55555559024c → do_tune()
 0x555555561a52 → abc_parse(p=0x5555557f4a20 "", fname=0x5555557f39f0 "POC", ln=0x64)
 0x555555579a54 → txt_add_eos(fname=0x5555557f39f0 "$POC", linenum=0x64)
 0x555555579ee4 → frontend(s=, ftype=, fname=, linenum=)
 0x55555555ce2d → treat_file(fn=0x7fffffffe26a "$POC", ext=)
 0x55555555b9e1 → main(argc=0x17, argv=0x7fffffffde38)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
deco_define (name=name@entry=0x0) at deco.c:989
989		l = strlen(name);
gef➤  p name
$101 = 0x0
gef➤  bt
#0  0x00007ffff69465a1 in __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:62
#1  0x0000555555566a90 in deco_define (name=name@entry=0x0) at deco.c:989
#2  0x0000555555567ed8 in deco_intern (s=0x555555875a00, ideco=) at deco.c:1022
#3  0x0000555555567ed8 in deco_cnv (dc=dc@entry=0x555555875c08, s=s@entry=0x555555875a00, prev=prev@entry=0x0) at deco.c:1049
#4  0x000055555559024c in get_note (s=) at parse.c:4377
#5  0x000055555559024c in do_tune () at parse.c:3510
gef➤  i r
rax            0x5555557c49a0	0x5555557c49a0
rbx            0x1	0x1
rcx            0x0	0x0
rdx            0x0	0x0
rsi            0x555555875a00	0x555555875a00
rdi            0x0	0x0
rbp            0x1	0x1
rsp            0x7fffffffd858	0x7fffffffd858
r8             0x56	0x56
r9             0x555555875550	0x555555875550
r10            0x55555588c408	0x55555588c408
r11            0x5555555a3b88	0x5555555a3b88
r12            0x555555875c08	0x555555875c08
r13            0x0	0x0
r14            0x0	0x0
r15            0x5555557be7d0	0x5555557be7d0
rip            0x7ffff69465a1	0x7ffff69465a1 
eflags         0x10283	[ CF SF IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0

Valgrind

Access not within mapped region at address 0x0
   at 0x4C32CF2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  by 0x11AA8F: deco_define (deco.c:989)
  by 0x11BED7: deco_intern (deco.c:1022)
  by 0x11BED7: deco_cnv (deco.c:1049)
  by 0x14424B: get_note (parse.c:4377)
  by 0x14424B: do_tune (parse.c:3510)
  Segmentation fault

Tested environment

64-bit Ubuntu 16.04 LTS

Proof of Concept

Run abcm2ps on the crafted .abc file ($POC is its path):

./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10

Timeline

Vendor Disclosure: 2018-12-13
Public Disclosure:

Credit

Discovered by ACE Team – Loginsoft