[UNIX] SoX Local Buffer Overflow Vulnerabilities (st_wavstartread)
From: SecuriTeam (support_at_securiteam.com)
Date: 07/30/04
To: list@securiteam.com
Date: 30 Jul 2004 11:18:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SoX Local Buffer Overflow Vulnerabilities (st_wavstartread)
------------------------------------------------------------------------
SUMMARY
SoX is a command line utility that converts various formats of computer
audio files to other formats.
SoX is vulnerable to a buffer overflow attack when processing WAV files.
The condition occurs because a user-controlled length value is used to
copy data into a fixed-size local buffer without any bounds checking.
DETAILS
Vulnerable Systems:
* SoX versions 12.17.4, 12.17.3, 12.17.2
Immune Systems:
* SoX versions 12.17.1, 12.17, 12.16
Impact:
Successful exploitation of this vulnerability allows an attacker to
execute arbitrary code.
Technical details:
Both overflows occur in wav.c in the function st_wavstartread(). In both
cases, the program first reads 4 bytes from the .WAV file into a length
variable. It then reads as many bytes as that variable says from the .WAV
file into a 256-byte char array, without checking whether the data from
the .WAV file fits in that array. This leads to a stack-based buffer
overflow with control over EIP, as you can see in this session capture:
$ play buffy.wav
playing buffy.wav
/usr/bin/play: line 1: 4990 Segmentation fault sox $volume
$fopts $fopts2 "$filename_0" $arch_defines $device $effects
$ sox buffy.wav -t ossdsp /dev/dsp
Segmentation fault
$ gdb /usr/bin/sox
GNU gdb 6.1-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are welcome to change it and/or distribute copies of it under
certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "i386-linux"......Using host libthread_db
library "/lib/libthread_db.so.1".
(gdb) r buffy.wav -t ossdsp /dev/dsp
Starting program: /usr/bin/sox buffy.wav -t ossdsp /dev/dsp
Program received signal SIGSEGV, Segmentation fault.
0x55555555 in ?? ()
(gdb) i r
eax 0x0 0
ecx 0x0 0
edx 0x0 0
ebx 0x55555555 1431655765
esp 0xbffff940 0xbffff940
ebp 0x55555555 0x55555555
esi 0x55555555 1431655765
edi 0x55555555 1431655765
eip 0x55555555 0x55555555
eflags 0x10282 66178
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb) bt
#0 0x55555555 in ?? ()
#1 0x55555555 in ?? ()
#2 0x55555555 in ?? ()
#3 0x55555555 in ?? ()
#4 0x55555555 in ?? ()
#5 0x55555555 in ?? ()
#6 0x55555555 in ?? ()
#7 0xbffff900 in ?? ()
#8 0x08072fa2 in _IO_stdin_used ()
#9 0x00008572 in ?? ()
#10 0x45564157 in ?? ()
#11 0x002a5550 in ?? ()
#12 0x0807d0b8 in ?? ()
#13 0x0807d3c4 in ?? ()
#14 0x080a4400 in ?? ()
#15 0xbffff9a8 in ?? ()
#16 0x0804c9b7 in ?? ()
#17 0x08072f56 in _IO_stdin_used ()
#18 0xbffffb74 in ?? ()
#19 0x00000000 in ?? ()
#20 0x00000000 in ?? ()
#21 0x080a4400 in ?? ()
#22 0x00000005 in ?? ()
#23 0xbffff9c8 in ?? ()
#24 0x0804ad4b in ?? ()
#25 0x080a3cd8 in ?? ()
#26 0x00000001 in ?? ()
#27 0xbffff9c8 in ?? ()
#28 0x0804a42b in ?? ()
#29 0x080a4400 in ?? ()
#30 0x000005b4 in ?? ()
#31 0x76000001 in ?? ()
#32 0x00000005 in ?? ()
#33 0x080a4400 in ?? ()
#34 0x00000005 in ?? ()
#35 0xbffff9f8 in ?? ()
#36 0x0804a08b in ?? ()
#37 0x080a4400 in ?? ()
#38 0x00000005 in ?? ()
#39 0xbffffa54 in ?? ()
#40 0x080725bb in ?? ()
#41 0x402a5550 in ?? () from /lib/libc.so.6
#42 0x08072600 in ?? ()
#43 0x00000001 in ?? ()
#44 0x402a5550 in ?? () from /lib/libc.so.6
#45 0x400164a0 in ?? () from /lib/ld-linux.so.2
#46 0xbffffa54 in ?? ()
#47 0xbffffa28 in ?? ()
#48 0x4018bdc6 in __libc_start_main () from /lib/libc.so.6
Previous frame inner to this frame (corrupt stack?)
(gdb) q
The program is running. Exit anyway? (y or n) y
$
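The check the advisory says is missing, shown as an added example in C that is not SoX's own code: a chunk-text reader that takes the 4-byte little-endian length from the file and copies the payload only if it fits the local buffer and the remaining file. The function name, the 256-byte buffer size taken from the advisory, and the sample byte strings are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TEXT_BUF 256   /* size of the local char array named in the advisory */

/* Decode a 4-byte little-endian length, as a RIFF/WAV chunk header stores it. */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened copy of a length-prefixed text chunk into text[TEXT_BUF].
 * Returns the number of bytes copied, or -1 when the file-controlled
 * length does not fit the buffer or claims more data than the file has.
 * The vulnerable pattern described above is the same routine with the
 * two length comparisons removed. */
int read_chunk_text(const unsigned char *file, size_t file_len,
                    size_t offset, char text[TEXT_BUF])
{
    if (offset > file_len || file_len - offset < 4)
        return -1;                      /* truncated length field */
    uint32_t len = read_le32(file + offset);
    offset += 4;
    if (len >= TEXT_BUF)                /* leave room for the terminator */
        return -1;
    if (len > file_len - offset)        /* chunk claims bytes that are not there */
        return -1;
    memcpy(text, file + offset, len);
    text[len] = '\0';
    return (int)len;
}

/* Constructed samples: length 5 + "hello"; length 300 (does not fit);
 * length 5 with only two payload bytes present (truncated file). */
static const unsigned char sample_ok[]        = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char sample_oversize[]  = { 0x2C, 0x01, 0, 0, 'A', 'A', 'A' };
static const unsigned char sample_truncated[] = { 5, 0, 0, 0, 'h', 'i' };

int main(void)
{
    char text[TEXT_BUF];
    printf("ok: %d\n", read_chunk_text(sample_ok, sizeof sample_ok, 0, text));
    printf("oversize: %d\n", read_chunk_text(sample_oversize, sizeof sample_oversize, 0, text));
    printf("truncated: %d\n", read_chunk_text(sample_truncated, sizeof sample_truncated, 0, text));
    return 0;
}
```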
ADDITIONAL INFORMATION
This information has been provided by
<http://www.advogato.org/person/metaur/> Ulf Harnhammar
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.