CVE-2019-8379: AdvanceMAME / Bugs / #271 null pointer dereference in be_uint32_read()
An issue was discovered in AdvanceCOMP through 2.1. A NULL pointer dereference exists in the function be_uint32_read() located in lib/endianrw.h. It can be triggered by passing a crafted MNG file to the advmng binary (the attached trace uses the -l listing mode). It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file; note that the fault recorded below is a read from a near-NULL address, not a write, so the demonstrated impact is a crash.
Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2019-05-09
Created: 2019-01-03
Private: No
What is the vulnerability:
During our research on advancecomp we found a NULL pointer dereference in be_uint32_read() in lib/endianrw.h, which raises SIGSEGV on a near-NULL address. The backtrace below shows where the NULL comes from: png_print_chunk() is invoked for an MHDR chunk (type=0x4d484452, "MHDR") with data=0x0 and size=0x0, and its MHDR case unconditionally reads the width, height and frequency fields at data+0, data+4 and data+8 (12 bytes) without checking that the chunk payload is at least that long. be_uint32_read() is only where the fault surfaces; the missing check is chunk-length validation in the MNG/PNG chunk printer (for example a `size < 12` guard before the reads, or rejecting a zero-length MHDR chunk in the chunk reader). The faulting instruction is a one-byte read from address 0x3 (NULL + 3), so on this build the observable impact is a crash (denial of service).
Package - advancecomp
Version - 2.1
Tested environment - Ubuntu 16.04 LTS 32-bit (note: the register dump below shows x86-64 registers and a "code:i386:x86-64" pane, so the attached trace appears to have been captured on a 64-bit build).
Command - advmng -l -0 -1 -2 -3 -4 -i 8 -r -e $POC
Vulnerable code (the MHDR case of png_print_chunk(), which reads three 32-bit fields from `data` without checking `size`, followed by the be_uint32_read() return line where the fault surfaces; the tracker has collapsed the listing onto one line) -
switch (type) { case ADV_MNG_CN_MHDR : cout << " width:" << be_uint32_read(data+0) << " height:" << be_uint32_read(data+4) << " frequency:" << be_uint32_read(data+8); return (unsigned)ptr8[3] | (unsigned)ptr8[2] << 8 | (unsigned)ptr8[1] << 16 | (unsigned)ptr8[0] << 24;
Debug (gef/gdb session stopped at the faulting instruction in be_uint32_read(); `$rdi : 0x0` matches the NULL `ptr` argument shown in the trace and `$rax : 0x3` is `ptr+3`, the address of the first byte read) -
198 return (unsigned)ptr8[3] | (unsigned)ptr8[2] << 8 | (unsigned)ptr8[1] << 16 | (unsigned)ptr8[0] << 24;
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax : 0x3
$rbx : 0x6567e0 → 0x00007ffff7bb4960 → 0x00007ffff7943c00 → <std::basic_ostream<char,+0> mov rax, QWORD PTR [rip+0x272721] # 0x7ffff7bb6328
$rcx : 0x3a687464
$rdx : 0x7ffff7bb4960 → 0x00007ffff7943c00 → <std::basic_ostream<char,+0> mov rax, QWORD PTR [rip+0x272721] # 0x7ffff7bb6328
$rsp : 0x7fffffffdb00 → 0x00007fffffffdb50 → 0x00007fffffffdc20 → 0x00007fffffffdc90 → 0x00007fffffffdd70 → 0x00007fffffffddc0 → 0x00000000004439e0 → <__libc_csu_init+0> push r15
$rbp : 0x7fffffffdb00 → 0x00007fffffffdb50 → 0x00007fffffffdc20 → 0x00007fffffffdc90 → 0x00007fffffffdd70 → 0x00007fffffffddc0 → 0x00000000004439e0 → <__libc_csu_init+0> push r15
$rsi : 0x0
$rdi : 0x0
$rip : 0x409372 → <be_uint32_read(void+0> movzx eax, BYTE PTR [rax]
$r8 : 0x7
$r9 : 0x7ffff730b620 → 0x00000000fbad2a84
$r10 : 0x1
$r11 : 0x1002
$r12 : 0x4031c0 → <_start+0> xor ebp, ebp
$r13 : 0x7fffffffdea0 → 0x000000000000000c
$r14 : 0x0
$r15 : 0x0
$eflags: [carry PARITY adjust zero sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$gs: 0x0000 $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $fs: 0x0000 $es: 0x0000
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffdb00│+0x00: 0x00007fffffffdb50 → 0x00007fffffffdc20 → 0x00007fffffffdc90 → 0x00007fffffffdd70 → 0x00007fffffffddc0 → 0x00000000004439e0 → <__libc_csu_init+0> push r15 ← $rsp, $rbp
0x00007fffffffdb08│+0x08: 0x0000000000409e79 → <png_print_chunk(unsigned+0> mov esi, eax
0x00007fffffffdb10│+0x10: 0x0000000000000000
0x00007fffffffdb18│+0x18: 0x4d48445200000000
0x00007fffffffdb20│+0x20: 0x00007fffffffdb80 → 0x0000000000000000
0x00007fffffffdb28│+0x28: 0x000000000066ac50 → 0x0000000000000001
0x00007fffffffdb30│+0x30: 0x005244484dffdb50
0x00007fffffffdb38│+0x38: 0x27f2a27d5f1e4400
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
0x409364 <be_uint32_read(void+0> rex.RB call 0xfffffffff8861cb2
0x40936a <be_uint32_read(void+0> mov rax, QWORD PTR [rbp-0x8]
0x40936e <be_uint32_read(void+0> add rax, 0x3
→ 0x409372 <be_uint32_read(void+0> movzx eax, BYTE PTR [rax]
0x409375 <be_uint32_read(void+0> movzx eax, al
0x409378 <be_uint32_read(void+0> mov rdx, QWORD PTR [rbp-0x8]
0x40937c <be_uint32_read(void+0> add rdx, 0x2
0x409380 <be_uint32_read(void+0> movzx edx, BYTE PTR [rdx]
0x409383 <be_uint32_read(void+0> movzx edx, dl
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:lib/endianrw.h+198 ]────
193 {
194 #ifdef USE_MSB
195 return cpu_uint32_read(ptr);
196 #else
197 const unsigned char* ptr8 = (const unsigned char*)ptr;
// ptr8=0x00007fffffffdaf8 → 0x0000000000000000
→ 198 return (unsigned)ptr8[3] | (unsigned)ptr8[2] << 8 | (unsigned)ptr8[1] << 16 | (unsigned)ptr8[0] << 24;
199 #endif
200 }
201 /*@}*/
202
203 /** \name Write
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: “advmng", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x409372 → Name: be_uint32_read(ptr=0x0)
[#1] 0x409e79 → Name: png_print_chunk(type=0x4d484452, data=0x0, size=0x0)
[#2] 0x405c3b → Name: mng_print(path="/home/loginsoft/$POC”)
[#3] 0x4077d4 → Name: list_all(argc=0x1, argv=0x7fffffffdf00)
[#4] 0x40861e → Name: process(argc=0xc, argv=0x7fffffffdea8)
[#5] 0x40895e → Name: main(argc=0xc, argv=0x7fffffffdea8)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 Attachments