CVE-2019-8382: NULL POINTER DEREFERENCE Vulnerability in function AP4_List:Find() - Bento4-1.5.1-628

Vulnerability Reports
February 13, 2019
Jason Franscisco


CVE Number

CVE-2019-8382

CWE-476: NULL Pointer Dereference

Product Details

Bento4/AP4 is a C++ class library designed to read and write ISO-MP4 files; its Aac2Mp4 tool converts an AAC ADTS file into an MP4 file.


Vulnerable Versions

Bento4 1.5.1-628

Vulnerability Details

We observed a NULL pointer dereference in the function AP4_List::Find() located in Ap4List.h. It can be triggered by sending a crafted file to the mp4dump binary. It allows an attacker to cause a Denial of Service (segmentation fault) or possibly have unspecified other impact.


In the function DumpTrackData(), the line AP4_Track* track = mp4_file.GetMovie()->GetTrack(track_id) calls AP4_Movie::GetTrack(), which looks up the details of the track for track_id. There, in the line if (AP4_SUCCEEDED(m_Tracks.Find(AP4_TrackFinderById(track_id), track))), track is initialized as NULL and AP4_TrackFinderById() is used as the finder that matches the track id. This in turn invokes AP4_List::Find(). When a crafted input file is supplied, the line Item* item = m_Head, where item holds the list data, performs an invalid memory access on m_Head. This results in an error that raises the signal SIGSEGV.

Vulnerable code

AP4_Track::GetSampleIndexForTimeStampMs(AP4_UI32 ts_ms, AP4_Ordinal& index)
{
    AP4_UI64 ts = AP4_ConvertTime(ts_ms, 1000, GetMediaTimeScale());
    // m_SampleTable is dereferenced without a NULL check; it is 0x0 for the crafted file (see GDB output)
    return m_SampleTable->GetSampleIndexForTimeStamp(ts, index);
}

GDB - 0x00000000004585cb in AP4_Track::GetSampleIndexForTimeStampMs (this=0x6040000001d0, ts_ms=0x0, index=@0x7fffffffdb10: 0x0) at /home/ace/Downloads/sources/Bento4/Source/C++/Core/Ap4Track.cpp:485
485        return m_SampleTable->GetSampleIndexForTimeStamp(ts, index);
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax   : 0x0               
$rbx   : 0x7fffffffdd70      →  0x0000000000000000
$rcx   : 0x0               
$rdx   : 0x0               
$rsp   : 0x7fffffffd9d0      →  0x00007fffffffda00  →  0x00007fffffffdda0  →  0x0000000000578490  →   push r15
$rbp   : 0x7fffffffda00      →  0x00007fffffffdda0  →  0x0000000000578490  →   push r15
$rsi   : 0x0               
$rdi   : 0x0               
$rip   : 0x4585cb            →   mov rax, QWORD PTR [rax]
$r8    : 0x0               
$r9    : 0x0               
$r10   : 0x60b0000000e0      →  0x14ffffff00000002
$r11   : 0x7fffffffd1d8      →  0x000060c000000090  →  0x00000000005caca0  →  0x00000000004809d6  →   push rbp
$r12   : 0xffffffffb56       →  0x0000000000000000
$r13   : 0x7fffffffdab0      →  0x0000000041b58ab3
$r14   : 0x60b0000000f0      →  0x00000000005ecdb0  →  0x000000000048acd4  →   push rbp
$r15   : 0x0               
$eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$ss: 0x002b  $fs: 0x0000  $es: 0x0000  $ds: 0x0000  $gs: 0x0000  $cs: 0x0033  
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffd9d0│+0x00: 0x00007fffffffda00  →  0x00007fffffffdda0  →  0x0000000000578490  →   push r15     ← $rsp
0x00007fffffffd9d8│+0x08: 0x00007fffffffdb10  →  0x00007fff00000000
0x00007fffffffd9e0│+0x10: 0x000000000000bb80
0x00007fffffffd9e8│+0x18: 0x00006040000001d0  →  0x0000000000596420  →  0x000000000045725e  →   push rbp
0x00007fffffffd9f0│+0x20: 0x0000000a00000000  →  0x0000000000000000
0x00007fffffffd9f8│+0x28: 0x0000000000000000
0x00007fffffffda00│+0x30: 0x00007fffffffdda0  →  0x0000000000578490  →   push r15     ← $rbp
0x00007fffffffda08│+0x38: 0x0000000000451b68  →   test eax, eax
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
     0x4585c0  div    BYTE PTR [rax+rcx*1+0x48]
     0x4585c4  mov    edi, edx
     0x4585c6  call   0x451140 
→   0x4585cb  mov    rax, QWORD PTR [rax]
     0x4585ce  add    rax, 0x40
     0x4585d2  mov    rdx, rax
     0x4585d5  mov    rsi, rdx
     0x4585d8  shr    rsi, 0x3
     0x4585dc  add    rsi, 0x7fff8000
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:/home/ace/Downloads/sources/Bento4/Source/C++/Core/Ap4Track.cpp+485 ]────
    480     AP4_Track::GetSampleIndexForTimeStampMs(AP4_UI32 ts_ms, AP4_Ordinal& index)
    481     {
    482         // convert the ts in the timescale of the track's media
    483         AP4_UI64 ts = AP4_ConvertTime(ts_ms, 1000, GetMediaTimeScale());
→  485         return m_SampleTable->GetSampleIndexForTimeStamp(ts, index);
    486     }
    488     /*----------------------------------------------------------------------
    489     |   AP4_Track::GetNearestSyncSampleIndex
    490     +---------------------------------------------------------------------*/
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "mp4audioclip", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x4585cb → Name: AP4_Track::GetSampleIndexForTimeStampMs(this=0x6040000001d0, ts_ms=0x0, index=@0x7fffffffdb10)
[#1] 0x451b68 → Name: main(argc=0x7, argv=0x7fffffffdec0)

gef➤  p ts
$4 = 0x0
gef➤  p index
$5 = (AP4_Ordinal &) @0x7fffffffdb10: 0x0
gef➤  p  m_SampleTable
$6 = (AP4_SampleTable *) 0x0
gef➤  p m_SampleTable->GetSampleIndexForTimeStamp(ts, index)
Cannot access memory at address 0x0
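
The following is an added example, not Bento4's own code, that reproduces in miniature the shape of the vulnerable function shown above: a hypothetical Track holding a sample-table pointer that a malformed file can leave unset (the GDB session shows m_SampleTable as 0x0), the unchecked lookup that dereferences it, and a guarded version that reports an error result instead of crashing. All names here (Track, SampleTable, ConvertTime, AP4_ERROR_INVALID_STATE, the sample timestamps) are constructed for this example and are not Bento4's API.

```cpp
// Added example (not Bento4 code): the NULL-dereference pattern from the
// report beside a guarded form. A parser must treat "no sample table" as
// a state it can reach from untrusted input, not as an invariant.
#include <cstddef>
#include <cstdint>
#include <cstdio>

typedef int      AP4_Result;
typedef uint32_t AP4_UI32;
typedef uint64_t AP4_UI64;
typedef uint32_t AP4_Ordinal;

const AP4_Result AP4_SUCCESS             = 0;
const AP4_Result AP4_FAILURE             = -1;
const AP4_Result AP4_ERROR_INVALID_STATE = -2;   // hypothetical code: track has no sample table

// Hypothetical sample table: a sorted array of decode timestamps (media timescale).
class SampleTable {
public:
    SampleTable(const AP4_UI64* dts, size_t count) : m_Dts(dts), m_Count(count) {}

    // Find the last sample whose timestamp is <= ts.
    AP4_Result GetSampleIndexForTimeStamp(AP4_UI64 ts, AP4_Ordinal& index) const {
        if (m_Count == 0 || m_Dts[0] > ts) return AP4_FAILURE;
        index = 0;
        for (size_t i = 0; i < m_Count && m_Dts[i] <= ts; i++) {
            index = (AP4_Ordinal)i;
        }
        return AP4_SUCCESS;
    }
private:
    const AP4_UI64* m_Dts;
    size_t          m_Count;
};

// Stand-in for AP4_ConvertTime: rescale a time value between timescales.
static AP4_UI64 ConvertTime(AP4_UI64 time_value, AP4_UI32 from_scale, AP4_UI32 to_scale) {
    if (from_scale == 0) return 0;
    return time_value * to_scale / from_scale;
}

class Track {
public:
    Track(SampleTable* table, AP4_UI32 media_timescale)
        : m_SampleTable(table), m_MediaTimeScale(media_timescale) {}

    // Same shape as the vulnerable function in the report: m_SampleTable is
    // dereferenced unconditionally. With a track parsed from a crafted file
    // that pointer can be NULL, which is the SIGSEGV the GDB session shows.
    AP4_Result GetSampleIndexForTimeStampMs_Unchecked(AP4_UI32 ts_ms, AP4_Ordinal& index) {
        AP4_UI64 ts = ConvertTime(ts_ms, 1000, m_MediaTimeScale);
        return m_SampleTable->GetSampleIndexForTimeStamp(ts, index);
    }

    // Guarded form: a missing sample table becomes an error result that the
    // caller (e.g. a dump tool) can report, instead of a crash.
    AP4_Result GetSampleIndexForTimeStampMs(AP4_UI32 ts_ms, AP4_Ordinal& index) {
        if (m_SampleTable == NULL) return AP4_ERROR_INVALID_STATE;
        AP4_UI64 ts = ConvertTime(ts_ms, 1000, m_MediaTimeScale);
        return m_SampleTable->GetSampleIndexForTimeStamp(ts, index);
    }
private:
    SampleTable* m_SampleTable;
    AP4_UI32     m_MediaTimeScale;
};

// Constructed input: four samples 1024 ticks apart, 48 kHz media timescale.
static const AP4_UI64 kDts[] = {0, 1024, 2048, 3072};

// Well-formed track: 50 ms -> 2400 ticks -> last sample with dts <= 2400 is index 2.
AP4_Ordinal LookupHealthyIndex() {
    SampleTable table(kDts, 4);
    Track track(&table, 48000);
    AP4_Ordinal index = 0xFFFFFFFF;
    if (track.GetSampleIndexForTimeStampMs(50, index) != AP4_SUCCESS) return 0xFFFFFFFF;
    return index;
}

// "Crafted" track with no sample table: the guarded lookup returns an error code.
AP4_Result LookupCraftedResult() {
    Track track(NULL, 48000);
    AP4_Ordinal index = 0;
    return track.GetSampleIndexForTimeStampMs(0, index);
}

int main() {
    std::printf("healthy track: sample index %u\n", LookupHealthyIndex());
    std::printf("crafted track: result %d (no crash)\n", LookupCraftedResult());
    return 0;
}
```

The unchecked variant is kept only to show the pattern side by side; it is never called on the NULL-table track. The same guard belongs at every point where a pointer is filled in from parsed file structure and later dereferenced, since the parser, not the caller, decides whether that pointer is set.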

Tested environment

64-bit Ubuntu 16.04 LTS

Proof of Concept

./mp4dump --track 1:E791400BC075044176E34136E3C134F35E3513BE430B907B --format text $POC


Vendor Disclosure: 02-02-2019

Public Disclosure: 13-02-2019


Discovered by ACE Team - Loginsoft

