CVE-2019-8378: A heap-buffer-overflow vulnerability in the function AP4_BitStream::ReadBytes() – Bento4-1.5.1-628

Loginsoft-2018-1063

February 13, 2019

CVE Number

CVE-2019-8378

CWE

CWE-122: Heap-based Buffer Overflow

Product Details

Bento4/AP4 is a C++ class library designed to read and write ISO-MP4 files. Aac2Mp4, one of its bundled tools, converts an AAC ADTS file into an MP4 file.
URL: https://github.com/axiomatic-systems/Bento4.git

Vulnerable Versions

1.5.1-628

Vulnerability Details

During our research we discovered a heap-based buffer overflow in AP4_BitStream::ReadBytes() in Ap4BitStream.cpp. It can be triggered by passing a crafted file to the aac2mp4 binary. It allows an attacker to cause a denial of service (segmentation fault) or possibly have unspecified other impact.

SYNOPSIS

We observed that main() calls frame.m_Source->ReadBytes(), which in turn calls AP4_BitStream::ReadBytes(). Inside that function, when the crafted AAC file is processed, the copy AP4_CopyMemory(bytes, m_Buffer + m_Out, byte_count) runs with m_Buffer (an unsigned char buffer) holding the value 0xa4, m_Out (an unsigned int) holding 0x866, and byte_count holding 0xfffffff9. That byte_count is a negative value when read as a signed integer (-7); as the unsigned size the copy actually uses, it is 4294967289 bytes, which is the read size AddressSanitizer reports. The copy from source to destination therefore cannot succeed with a size of that magnitude: it runs past the end of the heap buffer, which AddressSanitizer reports as a heap-buffer-overflow, and the process receives SIGSEGV.
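The check that the copy above is missing, shown as an added example that is not part of this advisory or of Bento4: a hypothetical ring-buffer reader with the advisory's field names (m_Buffer, m_Out) and the 8192-byte buffer size from the ASAN report, which validates byte_count against the buffered data and the destination before any memcpy, so the 0xfffffff9 request is refused instead of copied.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical stand-in for AP4_BitStream's 8192-byte ring buffer (the region
 * size in the ASAN report); names follow the advisory, not the Bento4 type. */
#define BUFFER_SIZE 8192u
typedef struct {
    unsigned char m_Buffer[BUFFER_SIZE];
    unsigned int  m_Out;        /* next read offset, always < BUFFER_SIZE */
    unsigned int  m_Available;  /* buffered but unread bytes, <= BUFFER_SIZE */
} bitstream_t;
/* Append src to the ring buffer; returns the number of bytes accepted. */
static unsigned int bs_write(bitstream_t *bs, const unsigned char *src, unsigned int len)
{
    unsigned int in = (bs->m_Out + bs->m_Available) % BUFFER_SIZE;
    unsigned int room = BUFFER_SIZE - bs->m_Available;
    if (len > room) len = room;
    for (unsigned int i = 0; i < len; i++)
        bs->m_Buffer[(in + i) % BUFFER_SIZE] = src[i];
    bs->m_Available += len;
    return len;
}
/* Bounds-checked read: 0 on success, -1 if the request cannot be satisfied.
 * Every rejection happens before any copy, so a byte_count of 0xfffffff9
 * (the value in the advisory) never reaches memcpy. */
static int bs_read_bytes_checked(bitstream_t *bs, unsigned char *dst,
                                 size_t dst_len, uint32_t byte_count)
{
    if (byte_count == 0) return 0;
    if (dst == NULL || byte_count > dst_len) return -1;  /* destination too small */
    if (byte_count > bs->m_Available) return -1;         /* more than is buffered */
    /* Now byte_count <= m_Available <= BUFFER_SIZE and m_Out < BUFFER_SIZE,
     * so the subtraction and pointer arithmetic below cannot wrap. */
    uint32_t first = BUFFER_SIZE - bs->m_Out;
    if (first > byte_count) first = byte_count;
    memcpy(dst, bs->m_Buffer + bs->m_Out, first);
    memcpy(dst + first, bs->m_Buffer, byte_count - first);  /* wrapped tail, may be 0 */
    bs->m_Out = (bs->m_Out + byte_count) % BUFFER_SIZE;
    bs->m_Available -= byte_count;
    return 0;
}
/* Replays the advisory's state (m_Out = 0x866, byte_count = 0xfffffff9) against
 * the checked reader and returns its verdict (-1: rejected before copying). */
static int demo_crafted_request(void)
{
    static bitstream_t bs;
    unsigned char out[64];
    memset(&bs, 0, sizeof bs);
    bs.m_Out = 0x866;
    bs.m_Available = 7;  /* constructed: a few bytes queued for reading */
    return bs_read_bytes_checked(&bs, out, sizeof out, 0xfffffff9u);
}
```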

Vulnerable code

    /* Get other bytes */
    if (byte_count > 0) {
    if (m_Out = byte_count) chunk = byte_count;

Analysis

ASAN REPORT:
==2056==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000002100 at pc 0x7ffff6e93733 bp 0x7fffffffc840 sp 0x7fffffffbfe8
READ of size 4294967289 at 0x625000002100 thread T0
#0 0x7ffff6e93732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
#1 0x555555868840 in AP4_BitStream::ReadBytes(unsigned char*, unsigned int) /home/aceteam/Desktop/packages/Bento4/Source/C++/Codecs/Ap4BitStream.cpp:192
#2 0x555555864ecb in main /home/aceteam/Desktop/packages/Bento4/Source/C++/Apps/Aac2Mp4/Aac2Mp4.cpp:142
#3 0x7ffff64a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#4 0x555555864369 in _start (/home/aceteam/Desktop/packages/Bento4/builds/aac2mp4+0x310369)


0x625000002100 is located 0 bytes to the right of 8192-byte region [0x625000000100,0x625000002100)
allocated by thread T0 here:
#0 0x7ffff6efa618 in operator new [] (unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0618)
#1 0x555555867a67 in AP4_BitStream: AP4_BitStream () /home/aceteam/Desktop/packages/Bento4/Source/C++/Codecs/Ap4BitStream.cpp:45
#2 0x5555558661f2 in AP4_AdtsParser: AP4_AdtsParser () /home/aceteam/Desktop/packages/Bento4/Source/C++/Codecs/Ap4AdtsParser.cpp:125
#3 0x55555586492a in main /home/aceteam/Desktop/packages/Bento4/Source/C++/Apps/Aac2Mp4/Aac2Mp4.cpp:100
#4 0x7ffff64a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)


SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) 
==2056==ABORTING

GDB:
Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────[ registers ]────
$rax   : 0x7ffef70a4010      →  0x0000000000000000
$rbx   : 0x7fffffffcc48      →  0x000055555588f8d0  →  0xf7c6e70fa88241a4
$rcx   : 0x555555890136      →  0x100389d9fd941721
$rdx   : 0xfffffff9        
$rsp   : 0x7fffffffcb48      →  0x00005555555bd601  →   mov rax, QWORD PTR [rbp-0x18]
$rbp   : 0x7fffffffcb80      →  0x00007fffffffdca0  →  0x0000555555631190  →   push r15
$rsi   : 0x555555890136      →  0x100389d9fd941721
$rdi   : 0x7ffef70a4010      →  0x0000000000000000
$rip   : 0x7ffff74fe6d3      →   movups xmm8, XMMWORD PTR [rsi+rdx*1-0x10]
$r8    : 0xffffffff        
$r9    : 0x0               
$r10   : 0x22              
$r11   : 0x246             
$r12   : 0xfffffff9        
$r13   : 0x7fffffffdd80      →  0x0000000000000003
$r14   : 0x0               
$r15   : 0x0               
$eflags: [zero carry parity ADJUST sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$gs: 0x0000  $fs: 0x0000  $ds: 0x0000  $ss: 0x002b  $es: 0x0000  $cs: 0x0033  
──────────────────────[ code:i386:x86-64 ]────
   0x7ffff74fe6c6  movups xmm5, XMMWORD PTR es:[rsi+0x10]
   0x7ffff74fe6cb  movups xmm6, XMMWORD PTR [rsi+0x20]
   0x7ffff74fe6cf  movups xmm7, XMMWORD PTR [rsi+0x30]
→ 0x7ffff74fe6d3  movups xmm8, XMMWORD PTR [rsi+rdx*1-0x10]
   0x7ffff74fe6d9  lea    r11, [rdi+rdx*1-0x10]
   0x7ffff74fe6de  lea    rcx, [rsi+rdx*1-0x10]
   0x7ffff74fe6e3  mov    r9, r11
   0x7ffff74fe6e6  mov    r8, r11
   0x7ffff74fe6e9  and    r8, 0xf
────────────────────────────────[ threads ]────
[#0] Id 1, Name: "aac2mp4", stopped, reason: SIGSEGV
──────────────────────────────────[ trace ]────
[#0] 0x7ffff74fe6d3 → Name: __memmove_sse2_unaligned_erms()
[#1] 0x5555555bd601 → Name: AP4_BitStream::ReadBytes(this=0x7fffffffcc48, bytes=0x7ffef70a4010 "", byte_count=0xfffffff9)
[#2] 0x5555555bc395 → Name: main(argc=0x3, argv=0x7fffffffdd88)

Tested environment

64-bit ubuntu 16.04 LTS

Proof of Concept

./aac2mp4 $POC output.mp4

Timeline

Vendor Disclosure: 29-01-2019
Public Disclosure: 13-02-2019

Credit

Discovered by ACE Team – Loginsoft