CVE-2020-15359: VDALabs Uses Mayhem To Find MP3Gain Stack Overflow
Researchers from VDA Labs used ForAllSecure Mayhem to discover a stack overflow (CVE-2020-15359) in a popular open source sound utility, MP3Gain. MP3Gain analyzes and adjusts MP3 files so that they have the same volume by using statistical analysis to determine what those levels should be. The researchers at VDA Labs said in a blog post “a bad actor could use this bug to develop an exploit, which could result in something like the compromise of a workstation running MP3Gain.”
VDA Labs chose to test this app because it is an open source C++ application running on Linux, it is easy to supply input to (just pass in an MP3 file), and it has about 12,000 downloads per week, according to SourceForge.
In this blog, we will cover:
1) VDA Labs
2) Finding CVE-2020-15359
3) Setting up Mayhem
4) What was found
Who is VDA Labs?
VDA Labs, LLC, was founded in 2007 to make the world safer by providing world class cyber security services, products, and training to organizations of all sizes. VDA designs out-of-the-box solutions, leverages past performance, and provides quality designs at an affordable price. The team incorporates decades of cyber knowledge to various industries such as the intelligence community (IC)/Department of Defense (DoD), commercial enterprises, IoT, and high-tech vendors.
Finding CVE-2020-15359 Through Fuzzing
To fuzz test MP3Gain, VDA Labs did not need to create a harness. A harness is an entry-point executable that allows the fuzzer to pass inputs into the library function that requires testing. Instead, VDA was able to use an example binary included with MP3Gain to create a Docker image ready for Mayhem.
Once VDA Labs had its Dockerfile, they created a Mayhemfile to fuzz the application. Mayhem has a downloadable CLI, which VDA Labs ran on a local Linux host. The Mayhem CLI allowed VDA Labs to package the files needed and push them to Mayhem using a web browser.
Creating a Mayhem File
- cmd: mp3gain -c -p -r -d 2.0 @@
- The first line of the Mayhem file is the version number.
- The next line is an internal project name and allows you to group similar project types together. In this instance, “docker”.
- The third line is a designated target name, “mp3gain”. This is used to differentiate between versions of a project under the same project type.
- In the fourth line, Mayhem is instructed to pull the image from the Docker.io repository.
- The fifth line in this example tells Mayhem how long to fuzz the project, in seconds. In this instance, 259,200 seconds equates to 3 days.
- Finally, configure the command section of our Mayhem file. This is the actual Linux command Mayhem will execute and fuzz inside the Docker build. The @@ at the end of the command is the placeholder for the file input being passed to the command during each iteration of fuzzing. Mayhem will substitute this when it begins the fuzzing process, mutating the file along the way.
What Was Found
During the fuzz test of the MP3Gain utility, VDA Labs discovered nearly 1,600 crash conditions out of over 6,000 test suites. Mayhem condensed these crashes into three unique defects, including a stack overflow condition in a local variable.
A stack overflow occurs when a particular computer program tries to use more memory space than the call stack has available. If the stack buffer is filled with data from a bad actor, then that user can potentially inject executable code into the running program and take control of the process. This is one of the most reliable methods for bad actors to gain unauthorized access to a computer.
To verify results manually, VDA Labs downloaded crash files of interest, and then ran them with a local debugger. VDA Labs said it was part of their process in learning more about how Mayhem reports crashes and gave them better insight into working with Mayhem to trace these types of crashes.
Mayhem provided the location in code for the vulnerability.
In the example crash shown below, VDA Labs passed in an MP3 file with a modified MP3GainTagInfo element. This was not properly validated before being passed in to the tractPeak structure in the WriteMP3GainAPETag function, triggering the stack overflow.
Starting program: /root/triage/MP3Gain/source/mp3gain -c -p -r -d 2.0 test -2787
No changes to test -2787 are necessary
… but tag needs update: Writing tag information for test -2787
Program received signal SIGSEGV, Segmentation fault.
0x000000000040ab03 in WriteMP3GainAPETag (filename 0x7fffffffe7a1 “test -2787”, info=0x8e24a0, fileTags=0x8e25f0, 579 memcpy(mp3gainTagData, valueString, 8):
Armed with this information, VDA Labs researchers then looked at the related source code. To isolate the vulnerability, they set debugger breakpoints in the MP3Gain application before the point of the crash. This allowed them to step into the memory corruption in the debugger and observe what caused the crash. They observed that some pointers to variables are overwritten and could be used to hijack control of code execution. With this, they began the process of developing an exploit for this application.
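The defect class described above, a tag value taken from the file and copied into a fixed-size local buffer without validation, is shown here as an added example alongside its corrected form; this is not MP3Gain's code. The record layout, FIELD_MAX, the function names and the sample records are all hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 8  /* assumed capacity of the fixed stack buffer */

/* Constructed record layout (not the real APE tag format):
 * byte 0 = declared value length, bytes 1..n = ASCII decimal value. */
static const uint8_t GOOD_REC[]   = {8, '0', '.', '9', '8', '7', '6', '5', '4'};
static const uint8_t LONG_REC[65] = {64};               /* declares 64 bytes */
static const uint8_t TRUNC_REC[]  = {8, '0', '.', '5'}; /* declares 8, holds 3 */

/* UNSAFE pattern, shown for contrast and never called here:
 * the copy length comes straight from the file. */
double read_field_unsafe(const uint8_t *rec)
{
    char field[FIELD_MAX + 1];
    size_t n = rec[0];
    memcpy(field, rec + 1, n);   /* n > FIELD_MAX writes past field[] */
    field[n] = '\0';
    return strtod(field, NULL);
}

/* Hardened form: check the length against the destination and the source. */
int read_field_checked(const uint8_t *rec, size_t rec_len, double *out)
{
    char field[FIELD_MAX + 1];
    char *end;
    size_t n;

    if (rec == NULL || out == NULL || rec_len < 1) return -1;
    n = rec[0];
    if (n == 0 || n > FIELD_MAX) return -1;  /* would overflow field[] */
    if (n > rec_len - 1) return -1;          /* would read past the record */
    memcpy(field, rec + 1, n);
    field[n] = '\0';
    *out = strtod(field, &end);
    return (end == field + n) ? 0 : -1;      /* reject non-numeric content */
}

int main(void)
{
    double v = 0.0;
    printf("good:  %d\n", read_field_checked(GOOD_REC, sizeof GOOD_REC, &v));
    printf("long:  %d\n", read_field_checked(LONG_REC, sizeof LONG_REC, &v));
    printf("trunc: %d\n", read_field_checked(TRUNC_REC, sizeof TRUNC_REC, &v));
    return 0;
}
```

Building code like this with -fsanitize=address during triage turns an out-of-bounds copy into an immediate report at the offending line instead of a later SIGSEGV.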
ForAllSecure maintains a vulnerability repository on GitHub where you can find reproducible environments and proof of concept artifacts to experiment with. Additionally, if you are a Mayhem user, you can run all of those locally. Example Dockerfiles and artifacts for CVE-2020-15359 are available.