CVE-2019-19513

Out-of-bounds write

Software affected

BASS_MIDI.DLL <= 2.4.12.1, used in AIMP, MusicBee and other players.

Description

Out-of-bounds write while parsing the delta-time of a MIDI TrackChunk. The file only needs to be parsed by bass_midi.dll, so both streaming the file and opening it locally should trigger the out-of-bounds write. With the right heap grooming it may be possible to turn this into code execution.

Details

Assembly

The out-of-bounds write happens at

bass_midi+0xab4c

Instructions at bass_midi.dll + 0xab4c:

    movzx eax,bl
    shr ebx,8
    xor edx,edx
    mov byte ptr [eax+esi+6DCh],bl <-- out-of-bounds write

The actual boundary of the table is at esi+0x6dc+0x87. Because eax is loaded from a single file-controlled byte (movzx eax,bl), the write can land about 0x76 bytes past that boundary.
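As an added illustration (not code from this advisory or from the BASS library), the block below shows the byte-indexed table store from the listing in a bounds-checked form, plus a small validator for the delta-time fields of an MTrk chunk. The table size 0x87 is taken from the advisory; the table's role, the chunk layout walked (meta events only) and the sample bytes are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define TABLE_LEN 0x87   /* size of the byte-indexed table at esi+0x6DC, per the advisory */

/* Hardened form of "mov byte ptr [eax+esi+6DCh],bl": the index is file-derived,
 * so it is checked against the table length before the store happens. */
bool bounded_table_write(uint8_t *table, size_t table_len, uint8_t idx, uint8_t val) {
    if (idx >= table_len) return false;   /* would land past the table: reject */
    table[idx] = val;
    return true;
}

/* Read one variable-length delta-time (1-4 bytes, MSB set = another byte follows).
 * Returns bytes consumed, or 0 if the field is truncated or longer than 4 bytes. */
size_t read_delta_time(const uint8_t *p, size_t avail, uint32_t *out) {
    uint32_t v = 0;
    for (size_t i = 0; i < 4 && i < avail; i++) {
        v = (v << 7) | (p[i] & 0x7F);
        if (!(p[i] & 0x80)) { *out = v; return i + 1; }
    }
    return 0;
}

/* Count the delta-time fields in an "MTrk" chunk, or return -1 if the header, the
 * declared length or any delta-time is malformed. Only meta events (FF type len
 * data) are walked here (an assumption to keep the walk short). */
int check_track_chunk(const uint8_t *buf, size_t len) {
    if (len < 8 || memcmp(buf, "MTrk", 4) != 0) return -1;
    uint32_t clen = (uint32_t)buf[4] << 24 | (uint32_t)buf[5] << 16 | buf[6] << 8 | buf[7];
    if (clen > len - 8) return -1;                  /* declared length exceeds the data */
    const uint8_t *p = buf + 8, *end = p + clen;
    int count = 0;
    while (p < end) {
        uint32_t dt, mlen;
        size_t n = read_delta_time(p, (size_t)(end - p), &dt);
        if (n == 0) return -1;                      /* truncated or overlong delta-time */
        p += n; count++;
        if (end - p < 2 || p[0] != 0xFF) return -1; /* not a meta event: unsupported */
        size_t ml = read_delta_time(p + 2, (size_t)(end - p - 2), &mlen);
        if (ml == 0 || mlen > (size_t)(end - p - 2 - ml)) return -1;
        p += 2 + ml + mlen;
    }
    return count;
}

/* Constructed sample chunk: "MTrk", length 11, a tempo meta event, then End of Track. */
const uint8_t SAMPLE_CHUNK[] = { 'M','T','r','k', 0,0,0,11,
    0x00,0xFF,0x51,0x03,0x07,0xA1,0x20, 0x00,0xFF,0x2F,0x00 };
```

The index 0xE4 from the register dump above is exactly the kind of value bounded_table_write refuses, while a chunk whose declared length or delta-time runs past its data is rejected before any event is processed.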

Registers:

    eax = 0xE4       <-- offset
    ebx = 0x0        <-- byte to write
    ecx = 0xF
    edx = 0x0
    esi = 0x766E89C
    edi = 0x761ECB0
    esp = 0x6FF798
    ebp = 0x6FF7A8

The callstack:

    bassmidi.dll + 0xAB4C
    bassmidi.dll + 0xC333
    bassmidi.dll + 0xC6F1

PoC

Use midi_bass_poc.py to generate a PoC MIDI file.