Researchers from VDA Labs used ForAllSecure Mayhem to discover a stack overflow (CVE-2020-15359) in a popular open source sound utility, MP3Gain. MP3Gain analyzes and adjusts MP3 files so that they have the same volume by using statistical analysis to determine what those levels should be. The researchers at VDA Labs said in a blog post “a bad actor could use this bug to develop an exploit, which could result in something like the compromise of a workstation running MP3Gain.”
VDA Labs chose to test this app because it is an open source C++ application running on Linux that is easy to feed input (just pass in an MP3 file) and has about 12,000 downloads per week, according to SourceForge.
In this blog, we will cover:
1) VDA Labs
2) Finding CVE-2020-15359
3) Setting up Mayhem
4) What was found
VDA Labs, LLC, was founded in 2007 to make the world safer by providing world-class cyber security services, products, and training to organizations of all sizes. VDA designs out-of-the-box solutions, leverages past performance, and provides quality designs at an affordable price. The team brings decades of cyber security knowledge to industries such as the intelligence community (IC)/Department of Defense (DoD), commercial enterprises, IoT, and high-tech vendors.
Finding CVE-2020-15359 Through Fuzzing
To fuzz test MP3Gain, VDA Labs did not need to create a harness. A harness is an entry-point executable that allows the fuzzer to pass inputs into the library function that requires testing. This meant VDA could use an example binary included with MP3Gain to build a Docker image ready for Mayhem.
Once VDA Labs had its Dockerfile, they created a Mayhemfile to fuzz the application. Mayhem provides a downloadable CLI, which VDA Labs used on a local Linux host. The Mayhem CLI allowed VDA Labs to package the needed files and push them to Mayhem, which they then worked with through a web browser.
version: 1.0
project: docker
target: mp3gain
baseimage: bitst0rm/mp3gain
duration: 259200
cmds:
  - cmd: mp3gain -c -p -r -d 2.0 @@
During the fuzz test of the MP3Gain utility, VDA Labs discovered nearly 1,600 crash conditions out of over 6,000 test suites. Mayhem condensed these crashes into three unique defects, including a stack overflow of a local variable.
A stack overflow occurs when a program tries to use more memory than the call stack has available. If the stack buffer is filled with data supplied by a bad actor, that attacker can potentially inject executable code into the running program and take control of the process. This is one of the most reliable methods for bad actors to gain unauthorized access to a computer.
See other zero-days Mayhem, a ForAllSecure fuzz testing technology, has found.
To verify results manually, VDA Labs downloaded crash files of interest and ran them under a local debugger. VDA Labs said this was part of their process for learning how Mayhem reports crashes, and it gave them better insight into working with Mayhem to trace these types of crashes.
Mayhem provided the location in code for the vulnerability.
In the example crash shown below, VDA Labs passed in an MP3 file with a modified MP3GainTagInfo element. This value was not properly validated before being passed to trackPeak in the WriteMP3GainAPETag function, triggering the stack overflow.
Starting program: /root/triage/MP3Gain/source/mp3gain -c -p -r -d 2.0 test -2787
Test -2787
No changes to test -2787 are necessary
…but tag needs update: Writing tag information for test -2787

Program received signal SIGSEGV, Segmentation fault.
0x000000000040ab03 in WriteMP3GainAPETag (filename=0x7fffffffe7a1 "test -2787", info=0x8e24a0, fileTags=0x8e25f0, ...)
579	memcpy(mp3gainTagData, valueString, 8);
(gdb)
Armed with this information, VDA Labs researchers then looked at the related source code. To isolate the vulnerability, they set debugger breakpoints in the MP3Gain application before the point where the crash occurred. This allowed them to step into the memory corruption with the debugger and observe what caused the crash. They observed that some pointers to variables are overwritten and could be used to hijack control of code execution. With this, they began the process of developing an exploit for this application.
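Mayhem condensed roughly 1,600 crashing inputs into three unique defects, and the gdb session above shows the faulting frame that such triage keys on. The following is an added Python example, not code from VDA Labs, ForAllSecure or MP3Gain, that buckets constructed gdb excerpts by signal and first in-target frame; all addresses, the file names and every function name except WriteMP3GainAPETag are made up.

```python
import re
from collections import defaultdict

# Constructed gdb excerpts (not real Mayhem output). Function names other than
# WriteMP3GainAPETag, all addresses and the file names are placeholders.
CRASHES = {
    "crash-0001": (
        "Program received signal SIGSEGV, Segmentation fault.\n"
        '#0  0x000000000040ab03 in WriteMP3GainAPETag (filename=0x7fffffffe7a1 "test -2787", info=0x8e24a0) at target.c:579\n'
        "#1  0x0000000000403c21 in main (argc=7, argv=0x7fffffffe4c8) at target.c:1420"
    ),
    "crash-0002": (  # different input and argument values, same faulting frame
        "Program received signal SIGSEGV, Segmentation fault.\n"
        '#0  0x000000000040ab03 in WriteMP3GainAPETag (filename=0x7fffffffe7b0 "test -0931", info=0x8e24a0) at target.c:579\n'
        "#1  0x0000000000403c21 in main (argc=7, argv=0x7fffffffe4c8) at target.c:1420"
    ),
    "crash-0003": (  # a distinct (made-up) defect: abort() reached from a tag parser
        "Program received signal SIGABRT, Aborted.\n"
        "#0  0x00007ffff7a42e35 in raise () from /lib/x86_64-linux-gnu/libc.so.6\n"
        "#1  0x00007ffff7a2d895 in abort () from /lib/x86_64-linux-gnu/libc.so.6\n"
        "#2  0x0000000000409f10 in ParseAPETag (buf=0x8e3000, len=12) at target.c:301"
    ),
}

SIGNAL_RE = re.compile(r"Program received signal (\w+)")
# gdb backtrace frame: '#N  [0x... in ]func (args)[ at file:line][ from lib]'
FRAME_RE = re.compile(
    r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \(.*\)(?: at (\S+))?(?: from (\S+))?\s*$", re.M
)

def bucket_key(log):
    """(signal, function, source location) of the first frame inside the target;
    frames resolved 'from' a shared library (libc's raise/abort) are skipped."""
    m = SIGNAL_RE.search(log)
    signal = m.group(1) if m else "UNKNOWN"
    for _, func, src, lib in FRAME_RE.findall(log):
        if lib:
            continue
        return (signal, func, src or "?")
    return (signal, "?", "?")

def bucket_crashes(crashes):
    """Group crash ids by bucket_key: many crashing inputs, few distinct defects."""
    buckets = defaultdict(list)
    for crash_id, log in sorted(crashes.items()):
        buckets[bucket_key(log)].append(crash_id)
    return dict(buckets)
```

Real triage tools additionally hash several frames of the stack and weigh the signal type, so two buckets here may still be one root cause, or one bucket two; the point is that grouping by the first in-target frame is what turns a pile of crashes into a short list of defects to debug.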
ForAllSecure maintains a vulnerability repository on GitHub where you can find reproducible environments and proof-of-concept artifacts to experiment with. If you are a Mayhem user, you can also run all of those locally. Example Dockerfiles and artifacts for CVE-2020-15359 are available there.