CVE-2004-0557 - Buffer Overflow vulnerability in SoX WAV File
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
Multiple buffer overflows in the st_wavstartread function in wav.c for Sound eXchange (SoX) 12.17.2 through 12.17.4 allow remote attackers to execute arbitrary code via certain WAV file header fields.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
OS | | 3 |
OS | | 1 |
OS | | 6 |
Exploit-Db
description | SoX Local Buffer Overflow Exploit. CVE-2004-0557. Local exploit for linux platform |
id | EDB-ID:369 |
last seen | 2016-01-31 |
modified | 2004-08-01 |
published | 2004-08-01 |
reporter | Serkan Akpolat |
source | https://www.exploit-db.com/download/369/ |
title | SoX - Local Buffer Overflow Exploit |

description | SoX Local Buffer Overflow Exploiter (Via Crafted WAV File). CVE-2004-0557. Local exploit for linux platform |
id | EDB-ID:374 |
last seen | 2016-01-31 |
modified | 2004-08-04 |
published | 2004-08-04 |
reporter | Rave |
source | https://www.exploit-db.com/download/374/ |
title | SoX - .wav Local Buffer Overflow Exploiter |
Nessus
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_3E4FFE76E0D411D89B0A000347A4FA7D.NASL |
description | Ulf Harnhammar discovered a pair of buffer overflows in the WAV file handling code of SoX. If an attacker can cause her victim to process a specially crafted WAV file with SoX (e.g. through social engineering or through some other program that relies on SoX), arbitrary code can be executed with the privileges of the victim. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 36863 |
published | 2009-04-23 |
reporter | This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/36863 |
title | FreeBSD : SoX buffer overflows when handling .WAV files (3e4ffe76-e0d4-11d8-9b0a-000347a4fa7d) |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(36863);
  script_version("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:36");

  script_cve_id("CVE-2004-0557");
  script_xref(name:"Secunia", value:"12175");

  script_name(english:"FreeBSD : SoX buffer overflows when handling .WAV files (3e4ffe76-e0d4-11d8-9b0a-000347a4fa7d)");
  script_summary(english:"Checks for updated package in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote FreeBSD host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Ulf Harnhammar discovered a pair of buffer overflows in the WAV file
handling code of SoX. If an attacker can cause her victim to process a
specially crafted WAV file with SoX (e.g. through social engineering
or through some other program that relies on SoX), arbitrary code can
be executed with the privileges of the victim."
  );
  # http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0014.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?1eb17d28"
  );
  # https://vuxml.freebsd.org/freebsd/3e4ffe76-e0d4-11d8-9b0a-000347a4fa7d.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?50fcbb22"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:sox");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/08/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (pkg_test(save_report:TRUE, pkg:"sox>12.17.1<=12.17.4_1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2004-235.NASL |
description | Updated sox packages that fix buffer overflows in the WAV file handling code are now available. Buffer overflows existed in the parsing of WAV file header fields. It was possible that a malicious WAV file could have caused arbitrary code to be executed when the file was played or converted. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 13850 |
published | 2004-07-28 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/13850 |
title | Fedora Core 1 : sox-12.17.4-4.fc1 (2004-235) |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2004-235.
#

include("compat.inc");

if (description)
{
  script_id(13850);
  script_version ("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:23");

  script_cve_id("CVE-2004-0557");
  script_xref(name:"FEDORA", value:"2004-235");

  script_name(english:"Fedora Core 1 : sox-12.17.4-4.fc1 (2004-235)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora Core host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated sox packages that fix buffer overflows in the WAV file
handling code are now available.

Buffer overflows existed in the parsing of WAV file header fields. It
was possible that a malicious WAV file could have caused arbitrary
code to be executed when the file was played or converted.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/announce/2004-July/000237.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?ae70a913"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected sox, sox-debuginfo and / or sox-devel packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:sox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:sox-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:sox-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:1");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/07/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/28");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 1.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC1", reference:"sox-12.17.4-4.fc1")) flag++;
if (rpm_check(release:"FC1", reference:"sox-debuginfo-12.17.4-4.fc1")) flag++;
if (rpm_check(release:"FC1", reference:"sox-devel-12.17.4-4.fc1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "sox / sox-debuginfo / sox-devel");
}
```
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-565.NASL |
description | Ulf Harnhammar has reported two vulnerabilities in SoX, a universal sound sample translator, which may be exploited by malicious people to compromise a user |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15663 |
published | 2004-11-10 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/15663 |
title | Debian DSA-565-1 : sox - buffer overflow |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRAKE_MDKSA-2004-076.NASL |
description | Ulf Harnhammar discovered two buffer overflows in SoX. They occur when the sox or play commands handle malicious .WAV files. Versions 12.17.4, 12.17.3 and 12.17.2 are vulnerable to these overflows. 12.17.1, 12.17 and 12.16 are some versions that are not. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14174 |
published | 2004-07-31 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/14174 |
title | Mandrake Linux Security Advisory : sox (MDKSA-2004:076) |

NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_SOX_12174_1.NASL |
description | The following package needs to be updated: sox |
last seen | 2016-09-26 |
modified | 2004-08-27 |
plugin id | 14383 |
published | 2004-08-27 |
reporter | Tenable |
source | https://www.tenable.com/plugins/index.php?view=single&id=14383 |
title | FreeBSD : SoX buffer overflows when handling .WAV files (181) |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200407-23.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200407-23 (SoX: Multiple buffer overflows) Ulf Harnhammar discovered two buffer overflows in the sox and play commands when handling WAV files with specially crafted header fields. Impact : By enticing a user to play or convert a specially crafted WAV file an attacker could execute arbitrary code with the permissions of the user running SoX. Workaround : There is no known workaround at this time. All users are encouraged to upgrade to the latest available version of SoX. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14556 |
published | 2004-08-30 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/14556 |
title | GLSA-200407-23 : SoX: Multiple buffer overflows |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2004-409.NASL |
description | Updated sox packages that fix buffer overflows in the WAV file handling code are now available. SoX (Sound eXchange) is a sound file format converter. SoX can convert between many different digitized sound formats and perform simple sound manipulation functions, including sound effects. Buffer overflows existed in the parsing of WAV file header fields. It was possible that a malicious WAV file could have caused arbitrary code to be executed when the file was played or converted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0557 to these issues. All users of sox should upgrade to these updated packages, which resolve these issues as well as fix a number of minor bugs. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 13853 |
published | 2004-07-30 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/13853 |
title | RHEL 3 : sox (RHSA-2004:409) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2004-244.NASL |
description | Updated sox packages that fix buffer overflows in the WAV file handling code are now available. Buffer overflows existed in the parsing of WAV file header fields. It was possible that a malicious WAV file could have caused arbitrary code to be executed when the file was played or converted. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 13851 |
published | 2004-07-28 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/13851 |
title | Fedora Core 2 : sox-12.17.4-4.fc2 (2004-244) |
Oval
accepted | 2013-04-29T04:22:22.072-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Multiple buffer overflows in the st_wavstartread function in wav.c for Sound eXchange (SoX) 12.17.2 through 12.17.4 allow remote attackers to execute arbitrary code via certain WAV file header fields. |
family | unix |
id | oval:org.mitre.oval:def:9801 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Buffer overflow in the JBIG2Bitmap::JBIG2Bitmap function in JBIG2Stream.cc in Xpdf, as used in products such as gpdf, kpdf, pdftohtml, poppler, teTeX, CUPS, libextractor, and others, allows attackers to modify memory and possibly execute arbitrary code via unknown attack vectors. |
version | 25 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/33934/evil_song.py |
id | PACKETSTORM:33934 |
last seen | 2016-12-05 |
published | 2004-08-05 |
reporter | Serkan Akpolat |
source | https://packetstormsecurity.com/files/33934/evil_song.py.html |
title | evil_song.py |
Redhat
advisories | |
rpms | |
Seebug
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:5273 |
last seen | 2017-11-19 |
modified | 2006-10-27 |
published | 2006-10-27 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-5273 |
title | SoX Local Buffer Overflow Exploiter (Via Crafted WAV File) |

bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:62845 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-62845 |
title | SoX - (.wav) Local Buffer Overflow Exploiter |
References
- http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0014.html
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000855
- http://lwn.net/Articles/95529/
- http://lwn.net/Articles/95530/
- http://seclists.org/fulldisclosure/2004/Jul/1227.html
- http://secunia.com/advisories/12175
- http://www.debian.org/security/2004/dsa-565
- http://www.gentoo.org/security/en/glsa/glsa-200407-23.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:076
- http://www.redhat.com/support/errata/RHSA-2004-409.html
- http://www.securityfocus.com/bid/10819
- https://bugzilla.fedora.us/show_bug.cgi?id=1945
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16827
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9801