Null pointer dereference vulnerability in the function show( ) – abcm2ps-8.14.1
December 26, 2018
CVE Number
–
CWE
CWE-476: NULL Pointer Dereference
Product Details
abcm2ps is a C program which converts music tunes from the ABC music notation to PostScript or SVG.
URL: https://github.com/leesavide/abcm2ps.git
Vulnerable Versions
8.14.1-master
Vulnerability Details
Null Pointer Dereference vulnerability is discovered in the abcm2ps (8.14.1-master). The same can be triggered by sending a crafted abc file to the abcm2ps binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.
SYNOPSIS
As per our research we observed that the vulnerability exists in show() located in file svg.c. The function user_ps_write gives user defined postscript sequences then invokes the function svg_write, which writes string length to buffer and goes to ps_exec. when a crafted file is passed to binary abcm2ps, in function show which is triggered by ps_exec, at condition if (stack->type == STR) ,we observed that stack is a structure and has the value NULL in it ,which triggered a null pointer dereference vulnerability.
Vulnerable code
-> if (stack->type == STR) {
s = pop_free_str();
if (!s || s[0] != '(') {
fprintf(stderr, "svg: No string\n");
ps_error = 1;
return;
}
p = s + 1;
}
Analysis
0x00000000004dbda8 in show (type=0x73) at svg.c:1697
1697 if (stack->type == STR) {
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax : 0x0
$rbx : 0x7fffffffcd60 → 0x0000000041b58ab3
$rcx : 0x8
$rdx : 0x0
$rsp : 0x7fffffffcd20 → 0x000000000040647f → mov ecx, 0x0
$rbp : 0x7fffffffcde0 → 0x00007fffffffd020 → 0x00007fffffffd280 → 0x00007fffffffd530 → 0x00007fffffffd570 → 0x00007fffffffd860 → 0x00007fffffffd870 → 0x00007fffffffd8b0
$rsi : 0x755900 → 0x000000003f333333 ("333?"?)
$rdi : 0x755888 → 0x0000000000000000
$rip : 0x4dbda8 → movzx eax, BYTE PTR [rax+0x8]
$r8 : 0x800e2b18 → 0x0000000000000000
$r9 : 0x800e2b29 → 0x00f9f9f9f9f9f9f9
$r10 : 0x39a
$r11 : 0x7ffff5a5ff90 → 0xfffda370fffda09f
$r12 : 0x7fffffffcdc0 → 0x00007fffffffcff0 → 0x00007fffffffd020 → 0x00007fffffffd280 → 0x00007fffffffd530 → 0x00007fffffffd570 → 0x00007fffffffd860 → 0x00007fffffffd870
$r13 : 0xffffffff9ac → 0x0000000000000000
$r14 : 0x7fffffffcd60 → 0x0000000041b58ab3
$r15 : 0x7fffffffd5d0 → 0x0000000041b58ab3
$eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$es: 0x0000 $gs: 0x0000 $fs: 0x0000 $ds: 0x0000 $ss: 0x002b $cs: 0x0033
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffcd20│+0x00: 0x000000000040647f → mov ecx, 0x0 ← $rsp
0x00007fffffffcd28│+0x08: 0x00007f73f58eb830
0x00007fffffffcd30│+0x10: 0x0000000000000000
0x00007fffffffcd38│+0x18: 0x00000000f5a5973b → 0x0000000000000000
0x00007fffffffcd40│+0x20: 0x0000000000000000
0x00007fffffffcd48│+0x28: 0x54fc41fbea02f700
0x00007fffffffcd50│+0x30: 0x0000000000000000
0x00007fffffffcd58│+0x38: 0x00007fffffffcff0 → 0x00007fffffffd020 → 0x00007fffffffd280 → 0x00007fffffffd530 → 0x00007fffffffd570 → 0x00007fffffffd860 → 0x00007fffffffd870
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
0x4dbd9e je 0x4dbda8
0x4dbda0 mov rdi, rcx
0x4dbda3 call 0x402e20
→ 0x4dbda8 movzx eax, BYTE PTR [rax+0x8]
0x4dbdac cmp al, 0x1
0x4dbdae jne 0x4dbe7a
0x4dbdb4 call 0x4d7f1b
0x4dbdb9 mov QWORD PTR [rbp-0x98], rax
0x4dbdc0 cmp QWORD PTR [rbp-0x98], 0x0
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:svg.c+1697 ]────
1692 p = tmp;
1693 tmp[0] = '\0';
1694 s = NULL;
1695 break;
1696 default:
// type=0x73
→ 1697 if (stack->type == STR) {
1698 s = pop_free_str();
1699 if (!s || s[0] != '(') {
1700 fprintf(stderr, "svg: No string\n");
1701 ps_error = 1;
1702 return;
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x4dbda8 → Name: show(type=0x73)
[#1] 0x4e13d9 → Name: ps_exec(op=0x6230000014c8 "gcshow")
[#2] 0x4eb574 → Name: svg_write(buf=0x623000000109 "/octava{\t% usage: w x y octava\n\texch -10 add exch 2 copy\n\tM 0 10 RM /Times-Roman 16 selectfont(8)show\n\t/Times-Roman 12 selectfont(va)show\n\tM 0 6 RL currentpoint stroke M\n\t[6] 0 setdash 30 add 0 RL currentpoint stroke M\n\t[] 0 setdash 0 -6 RL stroke}!\n/octavab{\t% usage: w x y octavab\n\texch -14 add exch 2 copy \n\tM 0 2 RM /Times-Roman 16 selectfont(8)show\n\t/Times-Roman 12 selectfont(va basso)show\n\t22 add M 0 -6 RL currentpoint stroke M\n\t[6] 0 setdash 30 add 0 RL stroke\n\t[] 0 setdash}!\n/bigl{\t\t% usage: str x y bigl\n\t/Times-Bold 26 selectfont\n\t4 add M showc\n\t1 SLW 1 -2 RM \n\t0 22 RL -22 0 RL\n\t0 -22 RL 22 0 RL stroke}!\n/biglc{\t\t% usage: str x y biglc\n\t2 copy 5 2 roll /Times-Bold 22 selectfont\n\t6 add M showc\n\t1 SLW 13 add newpath\n\t12 0 360 arc stroke}!\n/ped{\t\t% usage: str x y ped\n\tgsave 4 add exch -10 add exch T 26 dup scale\n\t0.368 0.074 moveto\n\t0.341 0.121 0.335 0.147 0.371 0.203 curveto\n\t0.435 0.289 0.531 0.243 0.488 0.155 curveto\n\t0.472 0.117 0.434 0.096 0.414 0.080 curveto\n\t0.429 0.038 0.494 -0.006 0.541 0.075 curveto\n\t0.559 0.123 0.558 0.224 0.663 0.252 curveto\n\t0.603 0.354 0.449 0.393 0.461 0.405 curveto\n\t0.902 0.262 0.705 -0.124 0.555 0.046 curveto\n\t0.488 -0.032 0.417 0.021 0.389 0.055 curveto\n\t0.303 -0.018 0.303 -0.020 0.248 0.040 curveto\n\t0.218 0.108 0.191 0.062 0.164 0.047 curveto\n\t0.010 -0.056 0.032 0.019 0.124 0.062 curveto\n\t0.229 0.117 0.200 0.091 0.228 0.195 curveto\n\t0.240 0.241 0.149 0.250 0.166 0.311 curveto\n\t0.207 0.493 lineto\n\t-0.041 0.441 0.049 0.261 0.126 0.387 curveto\n\t0.138 0.381 lineto\n\t-0.020 0.119 -0.100 0.472 0.220 0.507 curveto\n\t0.548 0.486 0.399 0.171 0.254 0.374 curveto\n\t0.264 0.384 lineto\n\t0.338 0.259 0.521 0.449 0.228 0.488 curveto\n\t0.198 0.356 lineto\n\t0.181 0.304 0.273 0.294 0.262 0.241 curveto\n\t0.229 0.101 lineto\n\t0.273 0.070 0.282 -0.038 0.368 0.074 curveto\n\t0.391 0.094 moveto\n\t0.456 0.130 0.476 0.171 0.468 0.213 curveto\n\t0.452 0.276 0.333 0.171 0.391 0.094 curveto\n\t0.627 0.019 moveto\n\t0.533 0.041 0.586 0.228 0.678 0.229 curveto\n\t0.729 0.170 0.712 0.025 0.627 0.019 curveto\n\teofill\n\t0.8 0.04 0.04 0 360 newpath arc fill\n\tpop grestore}!\n/pedoff{\t% usage: str x y pedoff\n\tgsave 4 add exch -5 add exch T 26 dup scale\n\t0.219 0.198 moveto\n\t0.231 0.172 0.195 0.138 0.162 0.173 curveto\n\t0.149 0.219 0.206 0.231 0.219 0.198 curveto\n\t0.144 0.242 moveto\n\t0.166 0.223 0.193 0.230 0.181 0.267 curveto\n\t0.178 0.306 0.144 0.302 0.151 0.335 curveto\n\t0.160 0.381 0.225 0.377 0.224 0.330 curveto\n\t0.228 0.302 0.198 0.306 0.197 0.267 curveto\n\t0.194 0.237 0.213 0.222 0.237 0.247 curveto\n\t0.263 0.276 0.234 0.297 0.268 0.322 curveto\n\t0.314 0.347 0.354 0.297 0.316 0.259 curveto\n\t0.296 0.237 0.273 0.266 0.246 0.237 curveto\n\t0.223 0.217 0.232 0.194 0.266 0.197 curveto\n\t0.303 0.202 0.302 0.232 0.332 0.228 curveto\n\t0.381 0.232 0.388 0.156 0.332 0.152 curveto\n\t0.302 0.148 0.302 0.185 0.266 0.183 curveto\n\t0.231 0.186 0.228 0.169 0.245 0.143 curveto\n\t0.273 0.116 0.297 0.141 0.316 0.117 curveto\n\t0.350 0.075 0.303 0.029 0.258 0.062 curveto\n\t0.237 0.082 0.261 0.102 0.233 0.133 curveto\n\t0.212 0.151 0.194 0.147 0.197 0.113 curveto\n\t0.203 0.075 0.232 0.075 0.230 0.043 curveto\n\t0.223 -0.004 0.159 -0.002 0.152 0.042 curveto\n\t0.148 0.075 0.185 0.076 0.183 0.113 curveto\n\t0.183 0.147 0.163 0.150 0.141 0.133 curveto\n\t0.113 0.104 0.140 0.079 0.113 0.059 curveto\n\t0.069 0.037 0.033 0.077 0.063 0.117 curveto\n\t0.082 0.141 0.104 0.117 0.132 0.142 curveto\n\t0.153 0.163 0.144 0.188 0.113 0.182 curveto\n\t0.073 0.182 0.075 0.147 0.046 0.152 curveto\n\t-0.003 0.152 -0.003 0.227 0.048 0.227 curveto\n\t0.075 0.231 0.075 0.198 0.113 0.196 curveto\n\t0.141 0.197 0.147 0.207 0.133 0.237 curveto\n\t0.102 0.264 0.082 0.237 0.062 0.261 curveto\n\t0.028 0.302 0.077 0.347 0.118 0.318 curveto\n\t0.138 0.297 0.116 0.275 0.144 0.242 curveto\n\tfill pop grestore}!\n/glissup{\t% usage: x y glissup\n\tgsave T 5 0 T\n\t25 rotate 10 0 T 0 0 M\n\t0 8 8{\n\t\t2 -1.15 2.30 150 30 arcn 4 0 T\n\t\t2 1.15 2.30 -150 -30 arc 4 0 T pop\n\t}for\n\t1 SLW stroke grestore}!\n/tr3{\t\t% usage: x y tr3 - mordent with 3 peeks\n\tM 2.2 2.2 RL 2.1 -2.9 RL 0.7 0.7 RL\n\t2.2 2.2 RL 2.1 -2.9 RL 0.7 0.7 RL\n\t2.2 2.2 RL 2.1 -2.9 RL 0.7 0.7 RL\n\t-2.2 -2.2 RL -2.1 2.9 RL -0.7 -0.7 RL\n\t-2.2 -2.2 RL -2.1 2.9 RL -0.7 -0.7 RL\n\t-2.2 -2.2 RL -2.1 2.9 RL -0.7 -0.7 RL fill}!\n/t2ub{\t\t% usage: x y t2ub - mordent ending with an upper bar\n\t2 copy umrd 0.6 SLW\n\tM 5 4 RM 0 6 RL stroke}!\n/t3tab{\t\t% usage: x y t3tab - mordent + upper turn and bar\n\t4 add 2 copy exch 7.5 sub exch tr3 exch 7.5 add exch\n\t2 copy 0.6 SLW M 2 6 14 6 16 0 RC\n\tM 8 1 RM 0 6 RL stroke}!\n/ubt3ta{\t% usage: x y ubt3ta - up bar + mordent + upper turn\n\t4 add 2 copy 0.6 SLW\n\tM -7.5 0 RM 0 6 RL stroke\n\t2 copy exch 7.5 sub exch tr3\n\tM 7.5 0 RM 2 6 14 6 16 0 RC stroke}!\n/tbt3{\t\t% usage: x y tbt3 - low turn + long mordent\n\texch 10 sub exch 6 add 2 copy 0.6 SLW\n\tM -8 0 RM 2 -6 14 -6 16 0 RC stroke\n\texch 8 add exch tr3}!\n/t2ta{\t\t% usage: x y t2ta - mordent + upper turn\n\t2 copy umrd\n\tM 5 4 RM 1 5 9 5 10 0 RC stroke}!\n/t3b{\t\t% usage: x y t3b - upper + lower mordent\n\t2 copy exch -7.5 add exch 4 add tr3 0.6 SLW\n\tM 2.5 0 RM 0 8 RL stroke}!\n gcshow", len=0x6c7)
[#3] 0x4d697d → Name: user_ps_write()
[#4] 0x41c747 → Name: init_page()
[#5] 0x41e58a → Name: write_buffer()
[#6] 0x4200c8 → Name: check_buffer()
[#7] 0x49a25c → Name: output_music()
[#8] 0x4a1368 → Name: generate()
[#9] 0x4a16eb → Name: gen_ly(eob=0x0)
gef➤ p stack
$1 = (struct elt_s *) 0x0
gef➤ p *stack
Cannot access memory at address 0x0
Tested environment
64-bit ubuntu 16.04 LTS
Proof of Concept
./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10
Timeline
Vendor Disclosure: 2018-12-13
Public Disclosure:
Credit
Discovered by ACE Team – Loginsoft