Null pointer dereference vulnerability in the function get_user() – abcm2ps-8.14.1

December 17, 2018

CVE Number

CWE

CWE-476: NULL Pointer Dereference

Product Details

abcm2ps is a C program which converts music tunes from the ABC music notation to PostScript or SVG.
URL: https://github.com/leesavide/abcm2ps.git

Vulnerable Versions

8.14.1-master

Vulnerability Details

Null Pointer Dereference vulnerability is discovered in the abcm2ps (8.14.1-master). The same can be triggered by sending a crafted abc file to the abcm2ps binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.

SYNOPSIS

By observing the functions parse_line() which parse a ABC line and for parse an information field it calls another function parse_info() which calls function get_user() in abcparse.c to get a user defined symbols and then at strcmp(value, "beambreak"), strcmp is accessing the pointer which is already zero,
After deugging we observed that, char * value is assigned by parse.deco_tb[s->u.user.value – 128] which is 0x0 which leads to the Segmentation fault(NULL pointer dereference).

Vulnerable code
value = parse.deco_tb[s->u.user.value - 128];
if (strcmp(value, "beambreak") == 0)
char_tb[c] = CHAR_SPAC;
Analysis

 

In function get_user() in abcparse.c

		value = parse.deco_tb[s->u.user.value - 128];
		if (strcmp(value, "beambreak") == 0)
   	 		char_tb[c] = CHAR_SPAC;
   	 	else if (strcmp(value, "ignore") == 0)
   	 		char_tb[c] = CHAR_IGN;
  	 	else if (strcmp(value, "nil") == 0
   	 	      || strcmp(value, "none") == 0)
────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] 0x55555555dbdb → get_user(p=0x5555557f4a27 "tenu", s=0x55555580da68)
[#1] 0x55555555fb7b → parse_info(p=0x5555557f4a22 "M = !tenu")
[#2] 0x555555561edd → parse_line(p=0x5555557f4a20 "U:M = !tenu")
[#3] 0x555555561edd → abc_parse(p=0x5555557f4a20 "U:M = !tenu", fname=0x5555557f39f0 "POC", ln=0x3)
[#4] 0x555555579a54 → txt_add_eos(fname=0x5555557f39f0 "POC", linenum=0x3)
[#5] 0x555555579ee4 → frontend(s=, ftype=, fname=, linenum=)
[#6] 0x55555555ce2d → treat_file(fn=0x7fffffffe26a "POC", ext=)
[#7] 0x55555555b9e1 → main(argc=0x17, argv=0x7fffffffde38)
gef➤  p parse.deco_tb
$1 = {0x0 }
gef➤  ptype value
type = char *
gef➤  p value
$2 = 0x0
gef➤  i r
rax            0x0	0x0
rbx            0x5555557f4a27	0x5555557f4a27
rcx            0xa	0xa
rdx            0x5555557c49a0	0x5555557c49a0
rsi            0x0	0x0
rdi            0x5555555a3005	0x5555555a3005
rbp            0x4d	0x4d
rsp            0x7fffffffd850	0x7fffffffd850
r8             0xe	0xe
r9             0x1	0x1
r10            0xc	0xc
r11            0x246	0x246
r12            0x55555580da68	0x55555580da68
r13            0x5555557b5060	0x5555557b5060
r14            0x55555580fb9e	0x55555580fb9e
r15            0x0	0x0
rip            0x55555555dbdb	0x55555555dbdb 
eflags         0x10282	[ SF IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0
Tested environment

64-bit ubuntu 16.04 LTS

Proof of Concept

./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10

Timeline

Vendor Disclosure: 2018-12-13
Public Disclosure:

Credit

Discovered by ACE Team – Loginsoft