CVE-2015-7805 libsndfile 1.0.25 Heap Overflow

I found this vulnerability during a security research session "for fun and no profit" and I've released a PoC for it.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7805
https://packetstormsecurity.com/files/133926/libsndfile-1.0.25-Heap-Overflow.html

Affected products: all products using libsndfile (a non-exhaustive list follows)

PulseAudio http://www.freedesktop.org/wiki/Software/PulseAudio/

Installed by default, together with libsndfile, on most Linux distributions
(e.g. Ubuntu, Debian)

JACK Audio Connection Kit http://www.jackaudio.org

Available for Linux, Windows and OS X
(List of applications: http://www.jackaudio.org/applications/)

Adobe Audition http://www.adobe.com/products/audition.html
Audacity http://www.audacityteam.org/
Asterisk-eSpeak Module https://zaf.github.io/Asterisk-eSpeak/

Run apt-cache rdepends libsndfile1 on Ubuntu to see other interesting reverse dependencies.
Searching around, I found that it is widely used in iOS and Android projects too.

The vulnerability is caused by incorrect handling of the headindex and headend values used while parsing the file header.
With a specially crafted AIFF header, an attacker can control these index values so that a memcpy(...) writes past the intended buffer and corrupts the heap.
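The pattern behind the bug, as an added illustration that is not libsndfile's code: a fixed-size header buffer with a read cursor (headindex) and a count of bytes actually loaded (headend). The hardened reader below refuses any copy whose length, taken from an untrusted chunk header, does not fit inside the valid region of the buffer and the caller's destination. All names (hdr_state, header_read_checked, parse_chunk, the demo_* functions) and the sample chunk bytes are constructed for this example and are not libsndfile's real types or data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEADER_LEN 64 /* constructed: small stand-in for the real header buffer size */

/* Hypothetical model of the parser state named in the advisory: a header
 * buffer, a read cursor (headindex) and the number of valid bytes (headend). */
typedef struct {
    unsigned char header[HEADER_LEN];
    size_t headindex; /* next byte to hand out */
    size_t headend;   /* bytes of valid data currently in header[] */
} hdr_state;

/* Bounds-checked copy of `bytes` from the header buffer into `out`.
 * Returns 0 on success, -1 when the request does not fit in the valid region.
 * The two conditions are tested separately so no addition can wrap around. */
int header_read_checked(hdr_state *st, void *out, size_t bytes)
{
    if (st->headindex > st->headend)
        return -1;
    if (bytes > st->headend - st->headindex)
        return -1;
    memcpy(out, st->header + st->headindex, bytes);
    st->headindex += bytes;
    return 0;
}

/* AIFF stores chunk lengths big-endian. */
int read_be32(hdr_state *st, uint32_t *val)
{
    unsigned char b[4];
    if (header_read_checked(st, b, 4))
        return -1;
    *val = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
    return 0;
}

/* Parse one chunk: 4-byte id, 4-byte length, then the payload.
 * The length is attacker-controlled input, so it is validated against the
 * caller's buffer (cap) and against the bytes actually present (headend).
 * Returns the payload length, or a negative error code. */
int parse_chunk(hdr_state *st, char id[5], unsigned char *payload, size_t cap)
{
    uint32_t len;
    if (header_read_checked(st, id, 4))
        return -1;
    id[4] = '\0';
    if (read_be32(st, &len))
        return -1;
    if (len > cap)
        return -2; /* would overflow the destination buffer */
    if (header_read_checked(st, payload, len))
        return -3; /* header claims more bytes than were loaded */
    return (int)len;
}

static void load_header(hdr_state *st, const unsigned char *data, size_t n)
{
    memset(st, 0, sizeof *st);
    if (n > HEADER_LEN)
        n = HEADER_LEN;
    memcpy(st->header, data, n);
    st->headend = n;
    st->headindex = 0;
}

/* Constructed well-formed chunk: "COMM" with a 4-byte payload -> returns 4. */
int demo_well_formed(void)
{
    static const unsigned char data[] = { 'C','O','M','M', 0,0,0,4, 0xAA,0xBB,0xCC,0xDD };
    hdr_state st; char id[5]; unsigned char payload[32];
    load_header(&st, data, sizeof data);
    return parse_chunk(&st, id, payload, sizeof payload);
}

/* Constructed chunk claiming 0xFFFFFFF0 bytes: rejected before any copy -> -2. */
int demo_huge_length(void)
{
    static const unsigned char data[] = { 'S','S','N','D', 0xFF,0xFF,0xFF,0xF0, 1,2,3,4 };
    hdr_state st; char id[5]; unsigned char payload[32];
    load_header(&st, data, sizeof data);
    return parse_chunk(&st, id, payload, sizeof payload);
}

/* Constructed chunk claiming 20 bytes when only 4 were loaded: fits the
 * destination but not the valid region of the header buffer -> -3. */
int demo_length_past_headend(void)
{
    static const unsigned char data[] = { 'S','S','N','D', 0,0,0,20, 1,2,3,4 };
    hdr_state st; char id[5]; unsigned char payload[32];
    load_header(&st, data, sizeof data);
    return parse_chunk(&st, id, payload, sizeof payload);
}

int main(void)
{
    printf("well-formed: %d\n", demo_well_formed());
    printf("huge length: %d\n", demo_huge_length());
    printf("past headend: %d\n", demo_length_past_headend());
    return 0;
}
```

The third case is the one that matters for a buffer-backed parser: a length that is small enough for the destination can still reach past headend when the cursor has already advanced, so the check has to be against the remaining valid bytes, not against the buffer's total size.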

To see this bug with your own hands, look at the while (! done) { ... } loop in aiff.c, and at common.c and file_io.c.
If someone needs more details I will spend more time writing a better post :)

22 Nov 2015 - libsndfile fix released:
https://github.com/erikd/libsndfile/commit/53c9f0bcaf20203bb4ee56da760a6e5118e6f93b


Timeline
  • 30 Sep 2015 Bug discovered
  • 09 Oct 2015 Mitre.org contacted (no response)
  • 12 Oct 2015 Disclosed to the project's maintainer
  • 10 Nov 2015 Mitre contacted me back with the CVE ID CVE-2015-7805 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7805
  • 22 Nov 2015 libsndfile fixed (Version 1.0.26, November 22 2015: fix for CVE-2014-9496, CVE-2014-9756 and CVE-2015-7805)