I found this vulnerability during a security research session "for fun and no-profit" and i've released a PoC about that.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7805
https://packetstormsecurity.com/files/133926/libsndfile-1.0.25-Heap-Overflow.html
Affected products: All products using libsndfile (a non-exhaustive list below)
PusleAudio http://www.freedesktop.org/wiki/Software/PulseAudio/
Installed by default on most linux environments with libsndfile too
(Ex.: Ubuntu, Debian)
Jack AudioConnectionKit http://www.jackaudio.org
Available for Linux, Win, OSX
(List of applications http://www.jackaudio.org/applications/)
Adobe Audition http://www.adobe.com/products/audition.html
Audacity http://www.audacityteam.org/
Asterisk-eSpeak Module https://zaf.github.io/Asterisk-eSpeak/
<br
run an apt-cache rdepends libsndfile1 on ubuntu, to see other interesting dependencies
searching around i found that it's widely used on IOS and Android projects too
Vulnerability is based on the wrong management of the headindex and headend values.
While parsing a specially crafted AIFF header the attacker can manage index values in order to use memcpy(...) to overwrite memory heap.
To touch this bug with your hands take a look to aiff.c in the while(!done) { ... }, common.c and file_io.c
If someone needs more details i will spend more time to write a better post :)
22 Nov 2015 - libsndfile fix released:
https://github.com/erikd/libsndfile/commit/53c9f0bcaf20203bb4ee56da760a6e5118e6f93b
Timeline
- 30 Sep 2015 Bug discovered
- 09 Oct 2015 Mitre.org contacted (no response)
- 12 Oct 2015 Disclosed to the project's maintainer
- 10 Nov 2015 CVE-2015-7805 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7805 Mitre contacted me back with CVE ID
- 22 Nov 2015 libsndfile fixed (Version 1.0.26 (November 22 2015) Fix for CVE-2014-9496, CVE-2014-9756 and CVE-2015-7805.)