Null pointer dereference vulnerability in the function deco_define() - abcm2ps-8.14.1
December 14, 2018
CVE Number
-
CWE
CWE-476: NULL Pointer Dereference
Product Details
abcm2ps is a C program which converts music tunes from the ABC music notation to PostScript or SVG.
URL:https://github.com/leesavide/abcm2ps.git
Vulnerable Versions
8.14.1-master
Vulnerability Details
A NULL pointer dereference was discovered in abcm2ps (8.14.1-master). It can be triggered by passing a crafted .abc file to the abcm2ps binary. This allows an attacker to cause a denial of service (segmentation fault), or possibly have an unspecified other impact, when a victim opens the specially crafted file.
SYNOPSIS
During research we found that when get_note() is called, it invokes the decoration-conversion function deco_cnv(), which calls deco_intern() to convert the external decoration number to the internal one. When a crafted .abc file is converted, the decoration symbols read from the file are looked up and passed on to deco_define(), which is reached with name=0x0: the name taken from the defined-symbols table is NULL and is passed straight to strlen(name), which dereferences the NULL pointer.
Vulnerable code
/* name comes from the decoration table and is never checked before use:
   strlen() dereferences it on the first line, so a NULL name crashes here. */
l = strlen(name);
for (d = user_deco; d; d = d->next) {
if (strncmp(d->text, name, l) == 0
&& d->text[l] == ' ')
return deco_build(name, d->text);
}
Analysis
In function deco_define()
989 l = strlen(name);
990 for (d = user_deco; d; d = d->next) {
991 if (strncmp(d->text, name, l) == 0
992 && d->text[l] == ' ')
993 return deco_build(name, d->text);
994 }
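The following is an added example, not code from abcm2ps: a small model of the user_deco lookup at deco.c:989-994, once in the original shape that calls strlen() on the unchecked pointer, and once with the guard that would have stopped the crash. The names user_deco_t, deco_lookup_unchecked, deco_lookup_checked and deco_names, and the sample decoration strings, are hypothetical and exist only for this example.

```c
/*
 * Added example (not abcm2ps code): a model of the user_deco lookup at the
 * top of deco_define() (deco.c:989-994), in the original form that calls
 * strlen() on an unchecked pointer and in a guarded form.
 * user_deco_t, deco_lookup_unchecked, deco_lookup_checked, deco_names and
 * the sample decoration strings are hypothetical names/data for this example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the user_deco list: each node's text is "<name> <definition>". */
typedef struct user_deco_t {
    const char *text;
    struct user_deco_t *next;
} user_deco_t;

/* Constructed sample data standing in for decoration lines read from a .abc file. */
static user_deco_t deco_trill   = { "trill 3 29 3 1 0", NULL };
static user_deco_t deco_fermata = { "fermata 3 6 20 6 0", &deco_trill };
static user_deco_t *user_deco   = &deco_fermata;

/* Same shape as the loop in the advisory: strlen(name) runs before anything
 * checks name, so a NULL name faults inside strlen at address 0. */
const char *deco_lookup_unchecked(const char *name)
{
    user_deco_t *d;
    size_t l = strlen(name);            /* crashes when name == NULL */

    for (d = user_deco; d; d = d->next) {
        if (strncmp(d->text, name, l) == 0 && d->text[l] == ' ')
            return d->text;
    }
    return NULL;
}

/* Guarded form: refuse a NULL or empty name before touching it. An empty
 * name (l == 0) would otherwise match any entry whose text begins with a
 * space, so it is rejected as well. */
const char *deco_lookup_checked(const char *name)
{
    user_deco_t *d;
    size_t l;

    if (name == NULL || *name == '\0')
        return NULL;                    /* caller treats this as "unknown decoration" */
    l = strlen(name);
    for (d = user_deco; d; d = d->next) {
        if (strncmp(d->text, name, l) == 0 && d->text[l] == ' ')
            return d->text;
    }
    return NULL;
}

/* Hypothetical stand-in for the decoration name table that deco_intern()
 * reads: a slot that was never filled in is how a NULL reaches deco_define(). */
static const char *deco_names[] = { "fermata", NULL, "trill" };

int main(void)
{
    size_t i;

    for (i = 0; i < sizeof deco_names / sizeof deco_names[0]; i++) {
        const char *found = deco_lookup_checked(deco_names[i]);
        printf("slot %zu (%s): %s\n", i,
               deco_names[i] ? deco_names[i] : "NULL",
               found ? found : "not found / rejected");
    }
    /* deco_lookup_unchecked(deco_names[1]) would segfault here, as in the advisory. */
    return 0;
}
```

The check can equally live in the caller (deco_intern()) so that an unset table slot is reported as an unknown decoration instead of being handed down; either way the pointer must be validated before strlen() sees it.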
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Id 1, Name: "abcm2ps", stopped, reason: BREAKPOINT
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
0x555555566a8b → deco_define(name=0x0)
0x555555567ed8 → deco_intern(s=0x555555875a00, ideco=)
0x555555567ed8 → deco_cnv(dc=0x555555875c08, s=0x555555875a00, prev=0x0)
0x55555559024c → get_note(s=)
0x55555559024c → do_tune()
0x555555561a52 → abc_parse(p=0x5555557f4a20 "", fname=0x5555557f39f0 "POC", ln=0x64)
0x555555579a54 → txt_add_eos(fname=0x5555557f39f0 "$POC", linenum=0x64)
0x555555579ee4 → frontend(s=, ftype=, fname=, linenum=)
0x55555555ce2d → treat_file(fn=0x7fffffffe26a "$POC", ext=)
0x55555555b9e1 → main(argc=0x17, argv=0x7fffffffde38)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
deco_define (name=name@entry=0x0) at deco.c:989
989 l = strlen(name);
gef➤ p name
$101 = 0x0
gef➤ bt
#0 0x00007ffff69465a1 in __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:62
#1 0x0000555555566a90 in deco_define (name=name@entry=0x0) at deco.c:989
#2 0x0000555555567ed8 in deco_intern (s=0x555555875a00, ideco=) at deco.c:1022
#3 0x0000555555567ed8 in deco_cnv (dc=dc@entry=0x555555875c08, s=s@entry=0x555555875a00, prev=prev@entry=0x0) at deco.c:1049
#4 0x000055555559024c in get_note (s=) at parse.c:4377
#5 0x000055555559024c in do_tune () at parse.c:3510
gef➤ i r
rax 0x5555557c49a0 0x5555557c49a0
rbx 0x1 0x1
rcx 0x0 0x0
rdx 0x0 0x0
rsi 0x555555875a00 0x555555875a00
rdi 0x0 0x0
rbp 0x1 0x1
rsp 0x7fffffffd858 0x7fffffffd858
r8 0x56 0x56
r9 0x555555875550 0x555555875550
r10 0x55555588c408 0x55555588c408
r11 0x5555555a3b88 0x5555555a3b88
r12 0x555555875c08 0x555555875c08
r13 0x0 0x0
r14 0x0 0x0
r15 0x5555557be7d0 0x5555557be7d0
rip 0x7ffff69465a1 0x7ffff69465a1
eflags 0x10283 [ CF SF IF RF ]
cs 0x33 0x33
ss 0x2b 0x2b
ds 0x0 0x0
es 0x0 0x0
fs 0x0 0x0
gs 0x0 0x0
Valgrind
Access not within mapped region at address 0x0
at 0x4C32CF2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x11AA8F: deco_define (deco.c:989)
by 0x11BED7: deco_intern (deco.c:1022)
by 0x11BED7: deco_cnv (deco.c:1049)
by 0x14424B: get_note (parse.c:4377)
by 0x14424B: do_tune (parse.c:3510)
Segmentation fault
Tested environment
64-bit Ubuntu 16.04 LTS
Proof of Concept
./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10
Timeline
Vendor Disclosure: 2018-12-13
Public Disclosure:
Credit
Discovered by ACE Team - Loginsoft