CVE-2012-0270 - Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Csounds Csound

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, csounds, CWE-119, nessus, exploit available, metasploit

Summary

Multiple stack-based buffer overflows in Csound before 5.16.6 allow remote attackers to execute arbitrary code via a crafted (1) hetro file to the getnum function in util/heti_main.c or (2) PVOC file to the getnum function in util/pv_import.c.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

description: Csound hetro File Handling Stack Buffer Overflow. CVE-2012-0270. Local exploit for Windows platform
id: EDB-ID:18710
last seen: 2016-02-02
modified: 2012-04-06
published: 2012-04-06
reporter: metasploit
source: https://www.exploit-db.com/download/18710/
title: Csound hetro File Handling Stack Buffer Overflow

Metasploit

description: This module exploits a buffer overflow in Csound before 5.16.6. The overflow occurs when trying to import a malicious hetro file from tabular format. In order to achieve exploitation the user should import the malicious file through csound with a command like "csound -U het_import msf.csd file.het". This exploit doesn't work if the "het_import" command is used directly to convert the file.
id: MSF:EXPLOIT/WINDOWS/FILEFORMAT/CSOUND_GETNUM_BOF
last seen: 2020-06-01
modified: 2017-07-24
published: 2012-04-05
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/csound_getnum_bof.rb
title: Csound hetro File Handling Stack Buffer Overflow

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_4_CSOUND-120227.NASL
    description: This update of csound fixes two stack-based buffer overflows that could be exploited via malformed hetro and pvoc files (CVE-2012-0270).
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 75805
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75805
    title: openSUSE Security Update : csound (openSUSE-SU-2012:0315-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update csound-5889.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(75805);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2012-0270");
    
      script_name(english:"openSUSE Security Update : csound (openSUSE-SU-2012:0315-1)");
      script_summary(english:"Check for the csound-5889 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of csound fixes two stack-based buffer overflows that
    could be exploited via malformed hetro and pvoc files (CVE-2012-0270)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=749073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2012-02/msg00066.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected csound package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Csound hetro File Handling Stack Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:csound");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.4");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/02/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.4)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.4", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.4", reference:"csound-5.06.0-139.140.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "csound");
    }
    
  • NASL family: Windows
    NASL id: CSOUND_GETNUM_BUFFER_OVERFLOW.NASL
    description: The version of Csound installed on the remote Windows host is less than 5.16.6. As such, it is reportedly affected by multiple stack-based buffer overflows present in the getnum() function located in util/heti_main.c and util/pv_import.c. By tricking a user into opening a specially crafted file, an attacker may be able to execute arbitrary code subject to the user's privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 58989
    published: 2012-05-04
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/58989
    title: Csound getnum() getnum Function Multiple Buffer Overflows
    code:
    #
    #  (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(58989);
      script_version("1.7");
      script_cvs_date("Date: 2018/11/15 20:50:26");
    
      script_cve_id("CVE-2012-0270");
      script_bugtraq_id(52144);
      script_xref(name:"EDB-ID", value:"18710");
    
      script_name(english:"Csound getnum() getnum Function Multiple Buffer Overflows");
      script_summary(english:"Checks version of Csound install");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host has an application installed that is affected by
    multiple buffer overflow vulnerabilities."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The version of Csound installed on the remote Windows host is less
    than 5.16.6.  As such, it is reportedly affected by multiple stack-
    based buffer overflows present in the getnum() function located in
    util/heti_main.c and util/pv_import.c
    
    By tricking a user into opening a specially crafted file, an attacker
    may be able to execute arbitrary code subject to the user's
    privileges."
      );
      script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/secunia_research/2012-3/");
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5b3b83d2");
      script_set_attribute(attribute:"solution", value:"Upgrade to Csound version 5.16.6 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Csound hetro File Handling Stack Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/02/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/02/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/04");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:csounds:csound");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports(139, 445);
    
      exit(0); 
    }
    
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_reg_query.inc");
    include("misc_func.inc");
    include("audit.inc");
    
    appname = 'Csound';
    port = get_kb_item("SMB/transport");
    
    registry_init();
    hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
    key = "SOFTWARE\Classes\CsoundFile\DefaultIcon";
    key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
    if (isnull(key_h))
    {
      RegCloseKey(handle:hklm);
      close_registry();
      audit(AUDIT_NOT_INST, appname);
    }
    
    res = RegQueryValue(handle:key_h);
    RegCloseKey(handle:key_h);
    RegCloseKey(handle:hklm);
    
    if (isnull(res))
    {
      close_registry();
      exit(1, "Unable to read the registry key 'HKLM\" + key + "'.");
    }
    
    item = eregmatch(pattern: "(.+)bin\\[^\\]+\.exe,0", string: res[1]);
    if (isnull(item))
    {
      close_registry();
      exit(1, "Failed to get the path from the registry key 'HKLM\" + key + "'.");
    }
    close_registry(close:FALSE);
    
    path = item[1];
    
    version_file = ereg_replace(pattern:"^[A-Za-z]:(.*)\\?", 
                                replace:"\1\include\version.h", string:path);
    share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
    
    login  = kb_smb_login();
    pass   = kb_smb_password();
    domain = kb_smb_domain();
    
    rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
    
    if (isnull(rc))
    {
      NetUseDel();
      audit(AUDIT_SHARE_FAIL, share);
    }
    
    fh = CreateFile(
      file:version_file,
      desired_access:GENERIC_READ,
      file_attributes:FILE_ATTRIBUTE_NORMAL,
      share_mode:FILE_SHARE_READ,
      create_disposition:OPEN_EXISTING
    );
    if (isnull(fh))
    {
      NetUseDel();
      exit(0, "Evidence of a previous Csound installation exists in the Windows Registry (HKLM\" + key + "), but it does not currently appear to be installed."); 
    }
    
    content = "";
      
    length = GetFileSize(handle:fh);
    content = ReadFile(handle:fh, offset:0, length:length);
    CloseFile(handle:fh);
    
    NetUseDel();
    
    if (content == "")
      exit(1, "Failed to read '" + path + "include\version.h'.");
    
    #define CS_VERSION          (5)
    #define CS_SUBVER           (16)
    #define CS_PATCHLEVEL       (2)
    #define CS_APIVERSION       2   /* should be increased anytime a new version
    #define CS_APISUBVER        6   /* for minor changes that will still allow
    
    major_ver = NULL;
    sub_ver = NULL;
    patchlevel = NULL;
    
    item = eregmatch(pattern: "CS_VERSION[ \t]+\(([0-9]+)\)", string: content);
    if (!isnull(item[1]))  major_ver = item[1];
    item = eregmatch(pattern: "CS_SUBVER[ \t]+\(([0-9]+)\)", string: content);
    if (!isnull(item[1])) sub_ver = item[1];
    item = eregmatch(pattern: "CS_PATCHLEVEL[ \t]+\(([0-9]+)\)", string: content);
    if (!isnull(item[1])) patchlevel = item[1];
    
    version = NULL;
    if (!isnull(major_ver) && !isnull(sub_ver) && !isnull(patchlevel))
      version = major_ver + '.' + sub_ver + '.' + patchlevel;
    
    if (isnull(version))
      exit(1, "Unable to extract version information from '" + path + "include\version.h'.");
    
    set_kb_item(name:"SMB/Csound/Installed", value:TRUE);
    set_kb_item(name:"SMB/Csound/Version", value:version); 
    set_kb_item(name:"SMB/Csound/Path", value:path); 
    
    api_major = NULL;
    api_subver = NULL;
    
    item = eregmatch(pattern: "CS_APIVERSION[ \t]+([0-9]+)[^0-9]", string: content);
    if (!isnull(item[1])) api_major = item[1];
    
    item = eregmatch(pattern: "CS_APISUBVER[ \t]+([0-9]+)[^0-9]", string: content);
    if (!isnull(item[1])) api_subver = item[1];
    
    if (!isnull(api_major) && !isnull(api_subver))
    {
      api_version = api_major + '.' + api_subver;
      set_kb_item(name:"SMB/Csound/APIVersion", value:api_version);
    }
    
    if (ver_compare(ver:version, fix:'5.16.6', strict:FALSE) == -1)
    {
      if (report_verbosity > 0) 
      {
        report = '\n  Path              : ' + path +
                 '\n  Installed version : ' + version +
                 '\n  Fixed version     : 5.16.6\n';
        security_hole(port:port,extra:report);
      }
      else security_hole(port);
      exit(0);
    } 
    else audit(AUDIT_INST_VER_NOT_VULN, appname, version);
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2012-162.NASL
    description: Specially crafted hetro and pvoc files could cause buffer overflows in csound.
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 74567
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74567
    title: openSUSE Security Update : csound (openSUSE-SU-2012:0370-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2012-162.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(74567);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2012-0270");
    
      script_name(english:"openSUSE Security Update : csound (openSUSE-SU-2012:0370-1)");
      script_summary(english:"Check for the openSUSE-2012-162 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "specially crafted hetro and pvoc files could cause buffer overflows in
    csound"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=749073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2012-03/msg00027.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected csound package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Csound hetro File Handling Stack Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:csound");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/03/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE12\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE12.1", reference:"csound-5.06.0-142.3.2") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "csound");
    }
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/111648/csound_getnum_bof.rb.txt
id: PACKETSTORM:111648
last seen: 2016-12-05
published: 2012-04-07
reporter: Secunia
source: https://packetstormsecurity.com/files/111648/Csound-hetro-File-Handling-Stack-Buffer-Overflow.html
title: Csound hetro File Handling Stack Buffer Overflow