Null pointer dereference vulnerability in the function get_user() – abcm2ps-8.14.1
December 17, 2018
CVE Number
–
CWE
CWE-476: NULL Pointer Dereference
Product Details
abcm2ps is a C program which converts music tunes from the ABC music notation to PostScript or SVG.
URL: https://github.com/leesavide/abcm2ps.git
Vulnerable Versions
8.14.1-master
Vulnerability Details
A NULL pointer dereference vulnerability was discovered in abcm2ps (8.14.1-master). It can be triggered by passing a crafted ABC file to the abcm2ps binary, which allows an attacker to cause a denial of service (segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.
SYNOPSIS
The function parse_line() parses one ABC line; when that line is an information field it calls parse_info(), which in turn calls get_user() in abcparse.c to handle a user-defined symbol. In get_user() the comparison strcmp(value, "beambreak") is reached, and strcmp dereferences value, which is already NULL.
After debugging we observed that char *value is assigned from parse.deco_tb[s->u.user.value - 128], which is 0x0, and this leads to the segmentation fault (NULL pointer dereference).
Vulnerable code
    value = parse.deco_tb[s->u.user.value - 128];
    if (strcmp(value, "beambreak") == 0)
        char_tb[c] = CHAR_SPAC;
Analysis
In function get_user() in abcparse.c:

    value = parse.deco_tb[s->u.user.value - 128];
    if (strcmp(value, "beambreak") == 0)
        char_tb[c] = CHAR_SPAC;
    else if (strcmp(value, "ignore") == 0)
        char_tb[c] = CHAR_IGN;
    else if (strcmp(value, "nil") == 0 || strcmp(value, "none") == 0)

Debugger output (gef) at the crash:

    ────────────────────────────────────────────────────────────────────────────
    [#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
    ────────────────────────────────────────────────────────────────────────────
    [#0] 0x55555555dbdb → get_user(p=0x5555557f4a27 "tenu", s=0x55555580da68)
    [#1] 0x55555555fb7b → parse_info(p=0x5555557f4a22 "M = !tenu")
    [#2] 0x555555561edd → parse_line(p=0x5555557f4a20 "U:M = !tenu")
    [#3] 0x555555561edd → abc_parse(p=0x5555557f4a20 "U:M = !tenu", fname=0x5555557f39f0 "POC", ln=0x3)
    [#4] 0x555555579a54 → txt_add_eos(fname=0x5555557f39f0 "POC", linenum=0x3)
    [#5] 0x555555579ee4 → frontend(s=, ftype=, fname=, linenum=)
    [#6] 0x55555555ce2d → treat_file(fn=0x7fffffffe26a "POC", ext=)
    [#7] 0x55555555b9e1 → main(argc=0x17, argv=0x7fffffffde38)

    gef➤ p parse.deco_tb
    $1 = {0x0 }
    gef➤ ptype value
    type = char *
    gef➤ p value
    $2 = 0x0
    gef➤ i r
    rax            0x0                 0x0
    rbx            0x5555557f4a27      0x5555557f4a27
    rcx            0xa                 0xa
    rdx            0x5555557c49a0      0x5555557c49a0
    rsi            0x0                 0x0
    rdi            0x5555555a3005      0x5555555a3005
    rbp            0x4d                0x4d
    rsp            0x7fffffffd850      0x7fffffffd850
    r8             0xe                 0xe
    r9             0x1                 0x1
    r10            0xc                 0xc
    r11            0x246               0x246
    r12            0x55555580da68      0x55555580da68
    r13            0x5555557b5060      0x5555557b5060
    r14            0x55555580fb9e      0x55555580fb9e
    r15            0x0                 0x0
    rip            0x55555555dbdb      0x55555555dbdb
    eflags         0x10282             [ SF IF RF ]
    cs             0x33                0x33
    ss             0x2b                0x2b
    ds             0x0                 0x0
    es             0x0                 0x0
    fs             0x0                 0x0
    gs             0x0                 0x0
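The following C program is an added illustration, not abcm2ps source, of the defensive check that the get_user() snippet above lacks. It models parse.deco_tb as a small table of decoration names in which slots that were never defined stay NULL (the state gef showed for parse.deco_tb), and it rejects an index that is out of range or that points at an empty slot before any strcmp() runs. The table contents, the table size, the DECO_BASE constant, the enum values and the function names are all assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not abcm2ps code. It models the get_user() lookup from the
 * advisory: user-defined symbol values at or above 128 index a table of
 * decoration names, and a slot that was never filled stays NULL. */

#define DECO_BASE    128   /* assumed: lowest user value that denotes a decoration */
#define DECO_TB_SIZE 128   /* assumed table size for this example */

/* Assumed character classes, standing in for abcm2ps's CHAR_* values. */
enum char_class {
    CHAR_BAD = -1,  /* lookup rejected; the caller must report a parse error */
    CHAR_SPAC,
    CHAR_IGN,
    CHAR_NONE,
    CHAR_DECO       /* any other, properly defined, decoration */
};

/* Constructed decoration table: three populated slots, every other slot NULL. */
static const char *deco_tb[DECO_TB_SIZE] = {
    [0] = "beambreak",
    [1] = "ignore",
    [2] = "trill",
};

/* Hardened lookup: validate the index and the slot before touching the string,
 * so strcmp() never receives a NULL pointer. Returns CHAR_BAD on rejection. */
int classify_user_symbol(int user_value)
{
    int idx = user_value - DECO_BASE;
    const char *value;

    if (idx < 0 || idx >= DECO_TB_SIZE)  /* not a decoration, or past the table */
        return CHAR_BAD;

    value = deco_tb[idx];
    if (value == NULL)                    /* slot never defined: the crash case */
        return CHAR_BAD;

    if (strcmp(value, "beambreak") == 0)
        return CHAR_SPAC;
    if (strcmp(value, "ignore") == 0)
        return CHAR_IGN;
    if (strcmp(value, "nil") == 0 || strcmp(value, "none") == 0)
        return CHAR_NONE;
    return CHAR_DECO;
}

int main(void)
{
    /* Constructed inputs: two defined decorations, one empty slot, one out of range. */
    int samples[] = { DECO_BASE + 0, DECO_BASE + 2, DECO_BASE + 3, DECO_BASE + DECO_TB_SIZE };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int cls = classify_user_symbol(samples[i]);
        printf("user value %d -> %s\n", samples[i],
               cls == CHAR_BAD ? "rejected (undefined decoration)" : "accepted");
    }
    return 0;
}
```

The check is cheap and sits exactly where the original code reads the table; a rejected lookup should be surfaced as a parse error for that U: line rather than silently ignored, so the malformed input is reported instead of crashing the process.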
Tested environment
64-bit Ubuntu 16.04 LTS
Proof of Concept
./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10
Timeline
Vendor Disclosure: 2018-12-13
Public Disclosure:
Credit
Discovered by ACE Team – Loginsoft