mp3gain: A malformed mp3 file allows arbitrary code execution

Related Vulnerabilities: CVE-2003-0577   CVE-2004-0805   CVE-2004-0991   CVE-2006-1655  

Debian Bug report logs - #740268


Package: mp3gain; Maintainer for mp3gain is Scott Hardin <scottnhardin@gmail.com>; Source for mp3gain is src:mp3gain (PTS, buildd, popcon).

Reported by: Gustavo Grieco <gustavo.grieco@gmail.com>

Date: Thu, 27 Feb 2014 16:48:02 UTC

Severity: grave

Tags: security

Found in version mp3gain/1.5.2-r2-3

Fixed in versions mp3gain/1.5.2-r2-6, mp3gain/1.5.2-r2-2+deb7u1

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://sourceforge.net/p/mp3gain/bugs/36/



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Fabrizio Regalli <fabreg@fabreg.it>:
Bug#740268; Package mp3gain. (Thu, 27 Feb 2014 16:48:06 GMT) (full text, mbox, link).


Acknowledgement sent to Gustavo Grieco <gustavo.grieco@gmail.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Fabrizio Regalli <fabreg@fabreg.it>. (Thu, 27 Feb 2014 16:48:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Gustavo Grieco <gustavo.grieco@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mp3gain: A malformed mp3 file allows arbitrary code execution
Date: Thu, 27 Feb 2014 16:43:35 +0000
[Message part 1 (text/plain, inline)]
Package: mp3gain
Version: 1.5.2-r2-3
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

a buffer overflow in mp3gain can be used to execute code using a malformed
mp3 file. A POC is attached. Running it inside gdb gives more information:

gdb --args mp3gain PoC.mp3

....

45% of 98432 bytes analyzed               
Program received signal SIGSEGV, Segmentation fault.
0xf7e6830f in __GI_memcpy (dstpp=0xffffdfd5, srcpp=0x8464300, len=206) at memcpy.c:54
54	memcpy.c: No such file or directory.
(gdb) bt
#0  0xf7e6830f in __GI_memcpy (dstpp=0xffffdfd5, srcpp=0x8464300, len=206) at memcpy.c:54
#1  0x08054e2b in ?? ()
#2  0x0805560b in ?? ()
#3  0x0804ac83 in ?? ()
#4  0x3bf3dcd6 in ?? ()
#5  0x733f7dd5 in ?? ()
#6  0x0b1ea714 in ?? ()
#7  0x7294c782 in ?? ()

....

As you can see, the stack trace is smashed and the values come from the bytes in the input file.
We generate an exploit for this bug.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Shell: /bin/sh linked to /bin/dash

Versions of packages mp3gain depends on:
ii  libc6  2.17-93

mp3gain recommends no packages.

mp3gain suggests no packages.

-- debconf information excluded
[PoC.mp3 (audio/mpeg, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Fabrizio Regalli <fabreg@fabreg.it>:
Bug#740268; Package mp3gain. (Mon, 10 Mar 2014 10:54:07 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Fabrizio Regalli <fabreg@fabreg.it>. (Mon, 10 Mar 2014 10:54:07 GMT) (full text, mbox, link).


Message #10 received at 740268@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: Gustavo Grieco <gustavo.grieco@gmail.com>, 740268@bugs.debian.org
Subject: Re: Bug#740268: mp3gain: A malformed mp3 file allows arbitrary code execution
Date: Mon, 10 Mar 2014 10:50:31 +0000
On Thu, 27 Feb 2014 at 16:43:35 +0000, Gustavo Grieco wrote:
> a buffer overflow in mp3gain can be used to execute code using a malformed
> mp3 file. A POC is attached.

Hi,
Have you already reported this bug to mp3gain's upstream developer
<http://mp3gain.sourceforge.net/> or requested a CVE ID for it?

How did you find this overflow? Did you use a fuzzer or similar to construct
your PoC, or did you locate a specific buffer that was overflowed by
inspecting the source code, or what?

Do you have any advice on fixing or mitigating this class of vulnerability?

`gcc -fsanitize=address` appears to catch this overflow, so I've uploaded
version 1.5.2-r2-4 built with that option in order to mitigate this bug.
That produces what's probably a more useful backtrace:

(gdb) break __asan_report_error
...
(gdb) run
...
(gdb) bt
#0  0x00007ffff4e66b90 in __asan_report_error ()
   from /usr/lib/x86_64-linux-gnu/libasan.so.0
#1  0x00007ffff4e5d40b in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#2  0x00000000004230b3 in memcpy (__len=209, __src=<optimized out>, 
    __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:51
#3  copy_mp (mp=mp@entry=0x7fffffff68d0, size=size@entry=49818, 
    ptr=0x7fffffff6c29 "\036\307\354\266Dž") at mpglibDBL/interface.c:188
#4  0x0000000000424fc7 in decodeMP3 (mp=mp@entry=0x7fffffff68d0, 
    in=<optimized out>, isize=isize@entry=209, done=done@entry=0x7fffffff2010)
    at mpglibDBL/interface.c:686
#5  0x0000000000404e25 in main (argc=2, argv=<optimized out>) at mp3gain.c:2289

From the details given when not breaking on __asan_report_error, it appears
that (on x86-64) 209 bytes are written to a position 31895 bytes into the
31920 byte struct mpstr_tag mp, overflowing it. If my arithmetic is correct,
that starting position is close to the end of the array 'synth_buffs'.

I don't know this codebase well - Fabrizio, you're the maintainer, any ideas?

Regards,
    S
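The overflow Simon describes above is a length taken from the input file being used directly as a memcpy size into a fixed-size buffer embedded in a struct. The C example below is added here as an illustration and is not code from mp3gain, mpglib or the Debian patches: the struct, the copy_chunk_* and replay_report_numbers functions, and the 31920/31895/209 values are constructed to mirror the numbers in the backtrace discussion, not the real layout of struct mpstr_tag. It places the unchecked copy beside a bounds-checked form and replays the report's sizes against the checked version.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical decoder state modelled on the report: a fixed-size input
 * buffer embedded in a larger struct plus a fill counter.  The capacity is
 * constructed to mirror the 31920-byte figure in the thread; it is not the
 * real layout of mpglib's struct mpstr_tag. */
#define INBUF_CAPACITY 31920u

struct decoder_state {
    unsigned char inbuf[INBUF_CAPACITY]; /* fixed-size buffer inside the struct */
    size_t fill;                          /* bytes currently stored in inbuf */
    int frames_decoded;                   /* other state that follows the buffer */
};

/* BEFORE: the pattern the backtrace points at.  'size' comes straight from
 * the input file and is used as the memcpy length, so a malformed frame
 * length writes past the end of inbuf into whatever follows it in memory.
 * Kept for comparison only; nothing below calls it. */
void copy_chunk_unchecked(struct decoder_state *st, const unsigned char *src, size_t size)
{
    memcpy(st->inbuf + st->fill, src, size); /* no check against INBUF_CAPACITY */
    st->fill += size;
}

/* AFTER: refuse any chunk that does not fit in the remaining space.  The
 * comparison is written as (capacity - fill) < size rather than
 * fill + size > capacity so an attacker-chosen size cannot wrap the sum. */
int copy_chunk_checked(struct decoder_state *st, const unsigned char *src, size_t size)
{
    if (st->fill > INBUF_CAPACITY || INBUF_CAPACITY - st->fill < size)
        return -1; /* caller treats the frame as malformed and stops decoding */
    memcpy(st->inbuf + st->fill, src, size);
    st->fill += size;
    return 0;
}

/* Number of bytes a copy of 'size' at offset 'fill' would spill past a
 * buffer of 'capacity' bytes; 0 when the copy fits. */
size_t overflow_bytes(size_t fill, size_t size, size_t capacity)
{
    size_t room = fill < capacity ? capacity - fill : 0;
    return size > room ? size - room : 0;
}

/* Replays the numbers from the thread: 31895 bytes already stored, a
 * 209-byte chunk arrives.  Returns how far the unchecked copy would have
 * run past the buffer (184) provided the checked copy refused the chunk
 * and left fill untouched; returns -1 if the check misbehaved. */
long replay_report_numbers(void)
{
    static struct decoder_state st;     /* static: too large to put on the stack */
    unsigned char chunk[209];
    memset(chunk, 0x41, sizeof chunk);  /* constructed payload, contents irrelevant */
    st.fill = 31895;
    if (copy_chunk_checked(&st, chunk, sizeof chunk) != -1 || st.fill != 31895)
        return -1;
    return (long)overflow_bytes(st.fill, sizeof chunk, INBUF_CAPACITY);
}

/* Two checked copies that together exactly reach the capacity must succeed,
 * and a third of one byte must be refused.  Returns the final fill
 * (INBUF_CAPACITY) on that outcome, 0 otherwise. */
size_t fill_to_capacity(void)
{
    static struct decoder_state st;
    static unsigned char chunk[209];
    static unsigned char rest[INBUF_CAPACITY - 209];
    unsigned char one = 0;
    st.fill = 0;
    if (copy_chunk_checked(&st, chunk, sizeof chunk) != 0) return 0;
    if (copy_chunk_checked(&st, rest, sizeof rest) != 0) return 0;
    if (copy_chunk_checked(&st, &one, 1) != -1) return 0;
    return st.fill;
}

/* A size chosen so that fill + size would wrap back below the capacity
 * must still be refused.  Returns the checked copy's result (-1 expected). */
int rejects_wraparound(void)
{
    static struct decoder_state st;
    unsigned char dummy = 0;            /* never read: the copy is refused first */
    st.fill = 10;
    return copy_chunk_checked(&st, &dummy, SIZE_MAX);
}

int main(void)
{
    printf("overflow the unchecked copy would cause: %ld bytes\n", replay_report_numbers());
    printf("fill after exact-capacity copies: %zu\n", fill_to_capacity());
    printf("oversized length refused: %s\n", rejects_wraparound() == -1 ? "yes" : "no");
    return 0;
}
```

Built with `gcc -fsanitize=address -g`, a call to copy_chunk_unchecked with the replayed sizes is reported by AddressSanitizer at the memcpy itself, which is the kind of backtrace quoted above. A stack canary (-fstack-protector) only detects an overwrite that reaches the canary of the function owning the struct, and only when that function returns; an overflow that lands in the members following the buffer, or in another local, passes it unnoticed. The length check in copy_chunk_checked is the fix for the bug class itself, independent of either compiler option.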



Information forwarded to debian-bugs-dist@lists.debian.org, Fabrizio Regalli <fabreg@fabreg.it>:
Bug#740268; Package mp3gain. (Mon, 10 Mar 2014 12:39:13 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Fabrizio Regalli <fabreg@fabreg.it>. (Mon, 10 Mar 2014 12:39:13 GMT) (full text, mbox, link).


Message #15 received at 740268@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: Gustavo Grieco <gustavo.grieco@gmail.com>, 740268@bugs.debian.org
Subject: Re: Bug#740268: mp3gain: A malformed mp3 file allows arbitrary code execution
Date: Mon, 10 Mar 2014 12:34:21 +0000
(Please keep the bug's email address in Cc with any information on this
bug that is intended to be public.)

On 10/03/14 12:06, Gustavo Grieco wrote:
>     Have you already reported this bug to mp3gain's upstream developer
>     <http://mp3gain.sourceforge.net/> 
> 
> I haven't. Should I now?

You probably know more about this bug and its implications than I do, so
yes, please do. Please reply to this bug report with a link to the
upstream bug.

I must admit I'm rather surprised to see a member of a "team working in
vulnerability research" reporting this as a public bug to Debian without
having notified either upstream or the Debian security team privately.
Please consider practising responsible disclosure in future
vulnerability reports.

>     How did you find this overflow? Did you use a fuzzer or similar to
>     construct
>     your PoC, or did you locate a specific buffer that was overflowed by
>     inspecting the source code, or what?
> 
> In fact, no source code was used. For the vulnerability discovery, we
> used Mayhem combined with a new technique to fuzz based on automatic
> input detection and seed minimization.
> And for exploitation, we used a blackbox tool that automatically
> generates a working exploit. It is very effective (it requires disabling
> DEP and ASLR, but these are only additions to the exploitation process).
> We have hundreds of these small exploits, waiting for a response from
> the Debian Security team on how to submit them (since we don't want to
> SPAM them).

I think it's highly unlikely that the desired submission mechanism is
going to be "open public bugs in Debian without notifying the packages'
upstreams"...

> I'm not very familiar with the -fsanitize flag of gcc. Nevertheless, I
> think that enabling the full stack protection available in gcc
> (-fstack-protector-all) will be an effective mitigation.

I'm not so sure. It's already compiled with "-fstack-protector
--param=ssp-buffer-size=4", and the static buffer in question is
considerably larger than 4 bytes, so I don't see how
-fstack-protector-all would help us.

From the buildd reports I've had back, it looks as though
-fsanitize=address only works on x86, so I'm going to have to undo this
mitigation on other architectures.

    S




Information forwarded to debian-bugs-dist@lists.debian.org, Fabrizio Regalli <fabreg@fabreg.it>:
Bug#740268; Package mp3gain. (Mon, 10 Mar 2014 14:09:10 GMT) (full text, mbox, link).


Acknowledgement sent to Gustavo Grieco <gustavo.grieco@gmail.com>:
Extra info received and forwarded to list. Copy sent to Fabrizio Regalli <fabreg@fabreg.it>. (Mon, 10 Mar 2014 14:09:10 GMT) (full text, mbox, link).


Message #20 received at 740268@bugs.debian.org (full text, mbox, reply):

From: Gustavo Grieco <gustavo.grieco@gmail.com>
To: Simon McVittie <smcv@debian.org>
Cc: 740268@bugs.debian.org
Subject: Re: Bug#740268: mp3gain: A malformed mp3 file allows arbitrary code execution
Date: Mon, 10 Mar 2014 11:07:26 -0300
[Message part 1 (text/plain, inline)]
2014-03-10 9:34 GMT-03:00 Simon McVittie <smcv@debian.org>:

> (Please keep the bug's email address in Cc with any information on this
> bug that is intended to be public.)
>

Sorry about that!


>
> On 10/03/14 12:06, Gustavo Grieco wrote:
> >     Have you already reported this bug to mp3gain's upstream developer
> >     <http://mp3gain.sourceforge.net/>
> >
> > I haven't. Should I now?
>
> You probably know more about this bug and its implications than I do, so
> yes, please do. Please reply to this bug report with a link to the
> upstream bug.
>

I was waiting to receive a response from the package maintainer to submit a
bug report to the upstream developer. Anyway, the upstream report is here:

https://sourceforge.net/p/mp3gain/bugs/36/


>
> I must admit I'm rather surprised to see a member of a "team working in
> vulnerability research" reporting this as a public bug to Debian without
> having notified either upstream or the Debian security team privately.
> Please consider practising responsible disclosure in future
> vulnerability reports.
>

I had an interesting discussion with one of the members of the Debian
Security team, and he told me not to email them with 'private' reports if
the vulnerability disclosed wasn't very important in terms of attack
surface (like some other bugs we reported recently). I doubt that this was a
'serious' vulnerability (mp3gain is not a very popular program and it is
very unlikely that someone will run it with an untrusted mp3 file), so I
started reporting it to the Debian BTS publicly, as they suggested to me
(upstream was another option they told me about).
[Message part 2 (text/html, inline)]

Set Bug forwarded-to-address to 'http://sourceforge.net/p/mp3gain/bugs/36/'. Request was from Simon McVittie <simon.mcvittie@collabora.co.uk> to control@bugs.debian.org. (Mon, 10 Mar 2014 15:00:09 GMT) (full text, mbox, link).


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Wed, 19 Mar 2014 10:24:09 GMT) (full text, mbox, link).


Notification sent to Gustavo Grieco <gustavo.grieco@gmail.com>:
Bug acknowledged by developer. (Wed, 19 Mar 2014 10:24:09 GMT) (full text, mbox, link).


Message #27 received at 740268-close@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: 740268-close@bugs.debian.org
Subject: Bug#740268: fixed in mp3gain 1.5.2-r2-6
Date: Wed, 19 Mar 2014 10:20:15 +0000
Source: mp3gain
Source-Version: 1.5.2-r2-6

We believe that the bug you reported is fixed in the latest version of
mp3gain, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 740268@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated mp3gain package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 19 Mar 2014 09:24:09 +0000
Source: mp3gain
Binary: mp3gain
Architecture: source amd64
Version: 1.5.2-r2-6
Distribution: unstable
Urgency: high
Maintainer: Fabrizio Regalli <fabreg@fabreg.it>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 mp3gain    - Lossless mp3 normalizer with statistical analysis
Closes: 740268
Changes: 
 mp3gain (1.5.2-r2-6) unstable; urgency=high
 .
   * Add various patches from Daniel Kobras' mpg123 packaging to fix
     buffer overflows in the embedded copy/fork of mpglib
     - CVE-2003-0577 (originally #201698 in mpg123)
     - CVE-2004-0805 (originally #270542 in mpg123)
     - CVE-2004-0991
     - CVE-2006-1655 (originally #361863 in mpg123)
     (Closes: #740268, hopefully)
   * debian/patches/*.diff: adjust so gbp-pq can import all of them
   * debian/patches/*.diff: update Sourceforge bug URLs to new layout
     (but keep the old versions for posterity)
Checksums-Sha1: 
 d716fa773cf5dc110d774f58abe2598830dec1cc 1869 mp3gain_1.5.2-r2-6.dsc
 25a8fc372ae43f1dc64ccf7f883afad0157ab96f 16696 mp3gain_1.5.2-r2-6.debian.tar.xz
 ef54e54c762c5b03735688a4eefba8eb6a56f89d 100602 mp3gain_1.5.2-r2-6_amd64.deb
Checksums-Sha256: 
 bdd3862534113fb57b7c3b14928b5f3272759404b97ea3c726ff15a4bacab6e8 1869 mp3gain_1.5.2-r2-6.dsc
 f14572f7c37c663ea18d7e62aeb26f7a43ec3bb7a759cc138cc2018a1f4e6b7e 16696 mp3gain_1.5.2-r2-6.debian.tar.xz
 9a8a8a8872da70f5000ea24ce431573f1b44d6fdd8936ef278e9c275cbc5b94f 100602 mp3gain_1.5.2-r2-6_amd64.deb
Files: 
 8cebcd68f5077506f722b188ff3ef01e 1869 sound optional mp3gain_1.5.2-r2-6.dsc
 fae320a3b8a7adc95065350170c297ff 16696 sound optional mp3gain_1.5.2-r2-6.debian.tar.xz
 ebb4d4dfb47a8f1116af9f2c68a52576 100602 sound optional mp3gain_1.5.2-r2-6_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sun, 13 Apr 2014 17:09:38 GMT) (full text, mbox, link).


Notification sent to Gustavo Grieco <gustavo.grieco@gmail.com>:
Bug acknowledged by developer. (Sun, 13 Apr 2014 17:09:38 GMT) (full text, mbox, link).


Message #32 received at 740268-close@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: 740268-close@bugs.debian.org
Subject: Bug#740268: fixed in mp3gain 1.5.2-r2-2+deb7u1
Date: Sun, 13 Apr 2014 17:02:04 +0000
Source: mp3gain
Source-Version: 1.5.2-r2-2+deb7u1

We believe that the bug you reported is fixed in the latest version of
mp3gain, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 740268@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated mp3gain package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 02 Apr 2014 09:06:57 +0100
Source: mp3gain
Binary: mp3gain
Architecture: source amd64
Version: 1.5.2-r2-2+deb7u1
Distribution: wheezy
Urgency: high
Maintainer: Fabrizio Regalli <fabreg@fabreg.it>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 mp3gain    - Lossless mp3 normalizer with statistical analysis
Closes: 740268
Changes: 
 mp3gain (1.5.2-r2-2+deb7u1) wheezy; urgency=high
 .
   * Add various patches from Daniel Kobras' mpg123 packaging to fix
     buffer overflows in the embedded copy/fork of mpglib
     - CVE-2003-0577 (originally #201698 in mpg123)
     - CVE-2004-0805 (originally #270542 in mpg123)
     - CVE-2004-0991
     - CVE-2006-1655 (originally #361863 in mpg123)
     (Closes: #740268)
Checksums-Sha1: 
 4c8842c052b7dab2119ffc5a544c0f0c046a748d 1897 mp3gain_1.5.2-r2-2+deb7u1.dsc
 f58a5cf1e05e13998b22336db17d3dce941097e5 16606 mp3gain_1.5.2-r2-2+deb7u1.debian.tar.gz
 ae27beba140e4970729e24518315b278b60a8eeb 74834 mp3gain_1.5.2-r2-2+deb7u1_amd64.deb
Checksums-Sha256: 
 5be6134d232093453b7811a801587f099aa30d7b60a2b0b11bf45588a91e160f 1897 mp3gain_1.5.2-r2-2+deb7u1.dsc
 dc9cfb38d3c0c59b08a1ae5ac7cce19aaee12d0e51e95fe46ae7c8455572a66a 16606 mp3gain_1.5.2-r2-2+deb7u1.debian.tar.gz
 ee2db8322eb3b36b5b76f5da854ba862dc179d70b88c2ad54282736b40213021 74834 mp3gain_1.5.2-r2-2+deb7u1_amd64.deb
Files: 
 9ea1b90f209dd40c0edf2001041ff57a 1897 sound optional mp3gain_1.5.2-r2-2+deb7u1.dsc
 09b51103224f68755b588636b64350f4 16606 sound optional mp3gain_1.5.2-r2-2+deb7u1.debian.tar.gz
 67146cb370935a355da4b238c2064331 74834 sound optional mp3gain_1.5.2-r2-2+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 May 2014 07:31:01 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Nov 16 11:47:34 2020; Machine Name: buxtehude
