Vigil@nce: libsndfile, overflow via AIFF
June 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can create a malicious AIFF file and invite the victim
to open it, in order to execute code in applications linked to
libsndfile.
Severity: 2/4
Consequences: user access/rights, denial of service of client
Provenance: document
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 26/05/2009
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The AIFF format is used to store audio data. An AIFF file is made of
several chunks, among them:
– INST : instrument parameters
– MARK : markers
– etc.
Markers are referenced by the INST chunk to define loops, when an
instrument repeatedly plays the same section. Each marker contains:
– an identifier
– a position, in sample frames, relative to the start of the sound data
– the length of its name (a one-byte count)
– the name itself
The aiff_read_header() function in the src/aiff.c file of libsndfile
parses the headers of an AIFF file and logs each marker name.
However, the length indicated for the marker name is taken from the
file and used directly as the copy length, without being checked
against the size of the destination buffer. A marker whose declared
name length is larger than that buffer therefore overflows it when
the name is stored.
An attacker can therefore create a malicious AIFF file and invite
the victim to open it, in order to execute code in applications
linked to libsndfile.
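The marker parsing described above, as an added example in C that is not code from this advisory or from libsndfile: a minimal reader for the body of a MARK chunk, showing the unchecked-length pattern beside a bounds-checked version. The destination size NAME_BUF, the function names and the two sample chunks are constructed for illustration; the advisory does not give the real buffer size or the exact code, so these are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size destination for a marker name; the real
 * libsndfile buffer size is not stated by the advisory (assumption). */
#define NAME_BUF 32

struct aiff_marker {
    uint16_t id;
    uint32_t position;          /* sample-frame offset into the sound data */
    char name[NAME_BUF];
};

/* AIFF fields are big-endian. */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The flawed pattern: the count byte of the Pascal string is taken from
 * the file and used directly as the copy length into a fixed buffer.
 * Rather than perform the out-of-bounds write, this reports how many
 * bytes such a copy (plus NUL terminator) would land past the end of a
 * dst_size-byte buffer; 0 means the name fits. */
static size_t unchecked_name_overrun(const uint8_t *pstr, size_t dst_size)
{
    size_t claimed = pstr[0];
    return claimed + 1 > dst_size ? claimed + 1 - dst_size : 0;
}

/* Hardened parser for the body of a MARK chunk (the bytes after the
 * "MARK" id and chunk size). Returns the number of markers stored, or -1
 * if a field runs past the chunk or a name does not fit the destination. */
static int parse_mark_chunk(const uint8_t *body, size_t len,
                            struct aiff_marker *out, size_t max_markers)
{
    if (len < 2) return -1;
    uint16_t count = be16(body);
    size_t off = 2;
    if (count > max_markers) return -1;

    for (uint16_t i = 0; i < count; i++) {
        if (len - off < 7) return -1;       /* id(2) + position(4) + count(1) */
        out[i].id = be16(body + off);
        out[i].position = be32(body + off + 2);
        size_t nlen = body[off + 6];
        off += 7;
        if (nlen > len - off) return -1;    /* name would read past chunk end */
        if (nlen >= NAME_BUF) return -1;    /* the check the flawed code lacked */
        memcpy(out[i].name, body + off, nlen);
        out[i].name[nlen] = '\0';
        off += nlen;
        if ((1 + nlen) % 2 == 1) off++;     /* pstring is padded to even length */
        if (off > len) return -1;           /* padding byte missing */
    }
    return (int)count;
}

/* Constructed MARK body with one marker: id 1, position 4096,
 * name "beg loop" (8 chars: 9-byte pstring, padded to 10). */
static const uint8_t benign_mark[] = {
    0x00, 0x01,                                /* numMarkers = 1 */
    0x00, 0x01,                                /* id = 1 */
    0x00, 0x00, 0x10, 0x00,                    /* position = 4096 */
    0x08, 'b', 'e', 'g', ' ', 'l', 'o', 'o', 'p', /* pstring */
    0x00                                       /* pad to even length */
};

/* Constructed MARK body whose single marker declares a 200-byte name and
 * actually carries 200 bytes, far more than NAME_BUF. Writes the body
 * into buf (which must hold at least 210 bytes) and returns its length. */
static size_t build_malicious_mark(uint8_t *buf)
{
    static const uint8_t head[] = {
        0x00, 0x01,             /* numMarkers = 1 */
        0x00, 0x02,             /* id = 2 */
        0x00, 0x00, 0x00, 0x00, /* position = 0 */
        200                     /* pstring count byte = 200 */
    };
    memcpy(buf, head, sizeof head);
    memset(buf + sizeof head, 'A', 200);
    buf[sizeof head + 200] = 0;             /* pad byte: 1 + 200 is odd */
    return sizeof head + 201;
}

int main(void)
{
    struct aiff_marker m[2];
    uint8_t evil[256];
    size_t n = build_malicious_mark(evil);

    printf("benign chunk: %d marker(s)",
           parse_mark_chunk(benign_mark, sizeof benign_mark, m, 2));
    printf(", name \"%s\" at frame %u\n", m[0].name, (unsigned)m[0].position);
    printf("malicious chunk: parse result %d, unchecked copy would overrun by %zu bytes\n",
           parse_mark_chunk(evil, n, m, 2),
           unchecked_name_overrun(evil + 8, NAME_BUF));
    return 0;
}
```

Two checks matter here: the declared name length must fit inside the remaining chunk bytes (otherwise the parser reads past the chunk), and it must fit the destination buffer (otherwise the copy writes past it, which is the defect the advisory describes). A file is untrusted input, so both limits come from the parser, never from the length byte the file supplies.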
CHARACTERISTICS
Identifiers: BID-34978, CVE-2009-1791, VIGILANCE-VUL-8738
http://vigilance.fr/vulnerability/libsndfile-overflow-via-AIFF-8738