A Heap-buffer-overflow vulnerability in the function AP4_BitStream::ReadBytes() - Bento4-1.5.1-628
Loginsoft-2018-1063
February 13, 2019
CVE Number
CVE-2019-8378
CWE
CWE-122: Heap-based Buffer Overflow
Product Details
Bento4/AP4 is a C++ class library designed to read and write ISO-MP4 files. Aac2Mp4 is one of the command-line tools shipped with it; it converts an AAC ADTS file into an MP4 file.
URL: https://github.com/axiomatic-systems/Bento4.git
Vulnerable Versions
1.5.1-628
Vulnerability Details
During our research we discovered a heap-based buffer overflow in AP4_BitStream::ReadBytes() in Ap4BitStream.cpp. It can be triggered by passing a crafted AAC file to the aac2mp4 binary. It allows an attacker to cause a denial of service (segmentation fault) or possibly have unspecified other impact.
SYNOPSIS
In main() (Aac2Mp4.cpp) the call frame.m_Source->ReadBytes() enters AP4_BitStream::ReadBytes(). That function reaches AP4_CopyMemory(bytes, m_Buffer + m_Out, byte_count). With the crafted AAC file, m_Buffer (the 8192-byte unsigned char buffer allocated on the heap in the AP4_BitStream constructor; its first byte is 0xa4 in this run) is read at offset m_Out = 0x866 with byte_count = 0xfffffff9. byte_count is an unsigned int, so this value is not a negative length that gets rejected: it is 4294967289, the guard byte_count > 0 passes, and the copy reads gigabytes past the end of an 8 KiB allocation. AddressSanitizer reports the out-of-bounds read as a heap-buffer-overflow; without ASan the memmove walks into unmapped memory and the process dies with SIGSEGV.
Vulnerable code
/* Get other bytes */
if (byte_count > 0) {
if (m_Out = byte_count) chunk = byte_count;
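To make the failure mode concrete, the following is an added example in illustrative C; it is not Bento4's own code. It models a ring buffer of the same 8192-byte size with an unsigned read offset and an unsigned byte_count, puts the unchecked copy beside a bounded one, and shows one assumed way a byte_count of 0xfffffff9 can be produced (the advisory does not say how Bento4 derived that value). All names, the ring-buffer layout and payload_length() are assumptions made for illustration.

```c
/* Added example (not Bento4 code): a minimal ring-buffer ReadBytes in the shape
 * the advisory describes: an 8192-byte heap buffer, an unsigned read offset
 * m_Out, and an unsigned byte_count that the caller derives from file data.
 * Names, the ring-buffer layout and payload_length() are assumptions.
 * Build: cc -std=c11 -Wall -fsanitize=address ring_demo.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFFER_SIZE 8192u               /* same size as the ASan-reported region */
#define BUFFER_MASK (BUFFER_SIZE - 1u)  /* BUFFER_SIZE is a power of two */

typedef struct {
    uint8_t *buffer;  /* heap array, like the new[] in the AP4_BitStream constructor */
    uint32_t in;      /* producer offset */
    uint32_t out;     /* consumer offset, the advisory's m_Out */
} ring_t;

static int ring_init(ring_t *r) {
    r->buffer = calloc(BUFFER_SIZE, 1);
    r->in = r->out = 0;
    return r->buffer ? 0 : -1;
}

/* Bytes currently buffered; the mask handles wraparound of in past out. */
static uint32_t ring_available(const ring_t *r) {
    return (r->in - r->out) & BUFFER_MASK;
}

/* Append up to n bytes, keeping one slot free so full and empty differ. */
static uint32_t ring_write(ring_t *r, const uint8_t *src, uint32_t n) {
    uint32_t space = BUFFER_SIZE - 1u - ring_available(r);
    if (n > space) n = space;
    for (uint32_t i = 0; i < n; i++)
        r->buffer[(r->in + i) & BUFFER_MASK] = src[i];
    r->in = (r->in + n) & BUFFER_MASK;
    return n;
}

/* Vulnerable shape: byte_count is trusted. "byte_count > 0" is the only guard,
 * and 0xfffffff9 is a large positive unsigned value, so the copy runs 4 GiB
 * past an 8 KiB allocation. Calling it with that length under ASan reproduces
 * the kind of report shown in the Analysis section. */
static int read_bytes_unchecked(ring_t *r, uint8_t *dst, uint32_t byte_count) {
    if (byte_count > 0) {
        memcpy(dst, r->buffer + r->out, byte_count);
        r->out = (r->out + byte_count) & BUFFER_MASK;
    }
    return 0;
}

/* Hardened shape: refuse any request larger than what is buffered, then copy
 * in two bounded chunks so the wrap never reads past buffer[BUFFER_SIZE - 1]. */
static int read_bytes_checked(ring_t *r, uint8_t *dst, uint32_t byte_count) {
    if (byte_count > ring_available(r)) return -1;   /* reject, do not clamp silently */
    uint32_t first = BUFFER_SIZE - r->out;           /* bytes before the array end */
    if (first > byte_count) first = byte_count;
    memcpy(dst, r->buffer + r->out, first);
    memcpy(dst + first, r->buffer, byte_count - first);
    r->out = (r->out + byte_count) & BUFFER_MASK;
    return 0;
}

/* One way a "negative" size arises (assumed, not taken from Bento4): a caller
 * subtracts a fixed header length from a frame length read out of the file.
 * An ADTS header without CRC is 7 bytes, and 0 - 7 in uint32_t is 0xfffffff9,
 * exactly the byte_count seen in the crash. */
static uint32_t payload_length(uint32_t frame_length, uint32_t header_length) {
    return frame_length - header_length;
}

int main(void) {
    ring_t r;
    if (ring_init(&r) != 0) return 1;
    uint8_t frame[16];                       /* constructed sample payload */
    for (int i = 0; i < 16; i++) frame[i] = (uint8_t)(0xa0 + i);
    ring_write(&r, frame, (uint32_t)sizeof frame);

    uint8_t dst[16];
    uint32_t bad = payload_length(0, 7);     /* 0xfffffff9 */
    printf("checked read of %u bytes: %s\n", bad,
           read_bytes_checked(&r, dst, bad) == 0 ? "ok" : "rejected");
    printf("checked read of 16 bytes: %s, dst[0]=0x%02x\n",
           read_bytes_checked(&r, dst, 16) == 0 ? "ok" : "rejected", dst[0]);
    free(r.buffer);
    return 0;
}
```

The important design point is that the bound is derived from the buffer's own state (bytes actually available), not from the caller's length: a wrapped unsigned value then fails the comparison instead of passing a sign check that the type cannot express.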
Analysis
ASAN REPORT:
==2056==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000002100 at pc 0x7ffff6e93733 bp 0x7fffffffc840 sp 0x7fffffffbfe8
READ of size 4294967289 at 0x625000002100 thread T0
#0 0x7ffff6e93732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
#1 0x555555868840 in AP4_BitStream::ReadBytes(unsigned char*, unsigned int) /home/aceteam/Desktop/packages/Bento4/Source/C++/Codecs/Ap4BitStream.cpp:192
#2 0x555555864ecb in main /home/aceteam/Desktop/packages/Bento4/Source/C++/Apps/Aac2Mp4/Aac2Mp4.cpp:142
#3 0x7ffff64a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#4 0x555555864369 in _start (/home/aceteam/Desktop/packages/Bento4/builds/aac2mp4+0x310369)
0x625000002100 is located 0 bytes to the right of 8192-byte region [0x625000000100,0x625000002100)
allocated by thread T0 here:
#0 0x7ffff6efa618 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0618)
#1 0x555555867a67 in AP4_BitStream::AP4_BitStream() /home/aceteam/Desktop/packages/Bento4/Source/C++/Codecs/Ap4BitStream.cpp:45
#2 0x5555558661f2 in AP4_AdtsParser::AP4_AdtsParser() /home/aceteam/Desktop/packages/Bento4/Source/C++/Codecs/Ap4AdtsParser.cpp:125
#3 0x55555586492a in main /home/aceteam/Desktop/packages/Bento4/Source/C++/Apps/Aac2Mp4/Aac2Mp4.cpp:100
#4 0x7ffff64a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Shadow bytes around the buggy address:
0x0c4a7fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8420: [fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2056==ABORTING
GDB :
Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax : 0x7ffef70a4010 → 0x0000000000000000
$rbx : 0x7fffffffcc48 → 0x000055555588f8d0 → 0xf7c6e70fa88241a4
$rcx : 0x555555890136 → 0x100389d9fd941721
$rdx : 0xfffffff9
$rsp : 0x7fffffffcb48 → 0x00005555555bd601 → mov rax, QWORD PTR [rbp-0x18]
$rbp : 0x7fffffffcb80 → 0x00007fffffffdca0 → 0x0000555555631190 → push r15
$rsi : 0x555555890136 → 0x100389d9fd941721
$rdi : 0x7ffef70a4010 → 0x0000000000000000
$rip : 0x7ffff74fe6d3 → movups xmm8, XMMWORD PTR [rsi+rdx*1-0x10]
$r8 : 0xffffffff
$r9 : 0x0
$r10 : 0x22
$r11 : 0x246
$r12 : 0xfffffff9
$r13 : 0x7fffffffdd80 → 0x0000000000000003
$r14 : 0x0
$r15 : 0x0
$eflags: [zero carry parity ADJUST sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$gs: 0x0000 $fs: 0x0000 $ds: 0x0000 $ss: 0x002b $es: 0x0000 $cs: 0x0033
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffcb48│+0x00: 0x00005555555bd601 → mov rax, QWORD PTR [rbp-0x18] ← $rsp
0x00007fffffffcb50│+0x08: 0x00007fffffffcb80 → 0x00007fffffffdca0 → 0x0000555555631190 → push r15
0x00007fffffffcb58│+0x10: 0xfffffff95589a0a0
0x00007fffffffcb60│+0x18: 0x00007ffef70a4010 → 0x0000000000000000
0x00007fffffffcb68│+0x20: 0x00007fffffffcc48 → 0x000055555588f8d0 → 0xf7c6e70fa88241a4
0x00007fffffffcb70│+0x28: 0x000055555589a070 → 0x00005555558714c8 → 0x00005555555bec94 → push rbp
0x00007fffffffcb78│+0x30: 0xe9967b959a292100
0x00007fffffffcb80│+0x38: 0x00007fffffffdca0 → 0x0000555555631190 → push r15 ← $rbp
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
0x7ffff74fe6c6 movups xmm5, XMMWORD PTR es:[rsi+0x10]
0x7ffff74fe6cb movups xmm6, XMMWORD PTR [rsi+0x20]
0x7ffff74fe6cf movups xmm7, XMMWORD PTR [rsi+0x30]
→ 0x7ffff74fe6d3 movups xmm8, XMMWORD PTR [rsi+rdx*1-0x10]
0x7ffff74fe6d9 lea r11, [rdi+rdx*1-0x10]
0x7ffff74fe6de lea rcx, [rsi+rdx*1-0x10]
0x7ffff74fe6e3 mov r9, r11
0x7ffff74fe6e6 mov r8, r11
0x7ffff74fe6e9 and r8, 0xf
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "aac2mp4", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x7ffff74fe6d3 → Name: __memmove_sse2_unaligned_erms()
[#1] 0x5555555bd601 → Name: AP4_BitStream::ReadBytes(this=0x7fffffffcc48, bytes=0x7ffef70a4010 "", byte_count=0xfffffff9)
[#2] 0x5555555bc395 → Name: main(argc=0x3, argv=0x7fffffffdd88)
Tested environment
64-bit Ubuntu 16.04 LTS
Proof of Concept
./aac2mp4 $POC output.mp4
Timeline
Vendor Disclosure: 29-01-2019
Public Disclosure: 13-02-2019
Credit
Discovered by ACE Team - Loginsoft