Vulnerabilities > CVE-2017-9872 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Lame Project Lame 3.99.5

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
lame-project
CWE-119
nessus
exploit available

Summary

The III_dequantize_sample function in layer3.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file.

Vulnerable Configurations

Part Description Count
Application
Lame_Project
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

descriptionLAME 3.99.5 - 'III_dequantize_sample' Stack-Based Buffer Overflow. CVE-2017-9872. Dos exploit for Linux platform. Tags: Denial of Service (DoS)
fileexploits/linux/dos/42259.txt
idEDB-ID:42259
last seen2017-06-27
modified2017-06-26
platformlinux
port
published2017-06-26
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/42259/
titleLAME 3.99.5 - 'III_dequantize_sample' Stack-Based Buffer Overflow
typedos

Nessus

NASL familySuSE Local Security Checks
NASL idOPENSUSE-2018-214.NASL
descriptionThis update for lame fixes the following issues : Lame was updated to version 3.100 : - Improved detection of MPEG audio data in RIFF WAVE files. sf#3545112 Invalid sampling detection - New switch --gain <decibel>, range -20.0 to +12.0, a more convenient way to apply Gain adjustment in decibels, than the use of --scale <factor>. - Fix for sf#3558466 Bug in path handling - Fix for sf#3567844 problem with Tag genre - Fix for sf#3565659 no progress indication with pipe input - Fix for sf#3544957 scale (empty) silent encode without warning - Fix for sf#3580176 environment variable LAMEOPT doesn
last seen2020-06-05
modified2018-02-28
plugin id107048
published2018-02-28
reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/107048
titleopenSUSE Security Update : lame (openSUSE-2018-214)
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2018-214.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(107048);
  script_version("3.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2015-9100", "CVE-2015-9101", "CVE-2017-11720", "CVE-2017-13712", "CVE-2017-15019", "CVE-2017-9410", "CVE-2017-9411", "CVE-2017-9412", "CVE-2017-9869", "CVE-2017-9870", "CVE-2017-9871", "CVE-2017-9872");

  script_name(english:"openSUSE Security Update : lame (openSUSE-2018-214)");
  script_summary(english:"Check for the openSUSE-2018-214 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update for lame fixes the following issues :

Lame was updated to version 3.100 :

  - Improved detection of MPEG audio data in RIFF WAVE
    files. sf#3545112 Invalid sampling detection

  - New switch --gain <decibel>, range -20.0 to +12.0, a
    more convenient way to apply Gain adjustment in
    decibels, than the use of --scale <factor>.

  - Fix for sf#3558466 Bug in path handling

  - Fix for sf#3567844 problem with Tag genre

  - Fix for sf#3565659 no progress indication with pipe
    input

  - Fix for sf#3544957 scale (empty) silent encode without
    warning

  - Fix for sf#3580176 environment variable LAMEOPT doesn't
    work anymore

  - Fix for sf#3608583 input file name displayed with wrong
    character encoding (on windows console with CP_UTF8)

  - Fix dereference NULL and Buffer not NULL terminated
    issues. (CVE-2017-15019 bsc#1082317 CVE-2017-13712
    bsc#1082399 CVE-2015-9100 bsc#1082401)

  - Fix dereference of a NULL pointer possible in loop.

  - Make sure functions with SSE instructions maintain their
    own properly aligned stack. Thanks to Fabian Greffrath

  - Multiple Stack and Heap Corruptions from Malicious File.
    (CVE-2017-9872 bsc#1082391 CVE-2017-9871 bsc#1082392
    CVE-2017-9870 bsc#1082393 CVE-2017-9869 bsc#1082395
    CVE-2017-9411 bsc#1082397 CVE-2015-9101 bsc#1082400)

  - CVE-2017-11720: Fix a division by zero vulnerability.
    (bsc#1082311)

  - CVE-2017-9410: Fix fill_buffer_resample function in
    libmp3lame/util.c heap-based buffer over-read and ap
    (bsc#1082333)

  - CVE-2017-9411: Fix fill_buffer_resample function in
    libmp3lame/util.c invalid memory read and application
    crash (bsc#1082397)

  - CVE-2017-9412: FIx unpack_read_samples function in
    frontend/get_audio.c invalid memory read and application
    crash (bsc#1082340)

  - Fix clip detect scale suggestion unaware of scale input
    value

  - HIP decoder bug fixed: decoding mixed blocks of lower
    sample frequency Layer3 data resulted in internal buffer
    overflow.

  - Add lame_encode_buffer_interleaved_int()"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082311"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082317"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082333"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082340"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082391"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082392"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082393"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082395"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082397"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082399"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082400"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082401"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected lame packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:lame");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:lame-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:lame-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:lame-mp3rtp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:lame-mp3rtp-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmp3lame-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmp3lame0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmp3lame0-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmp3lame0-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmp3lame0-debuginfo-32bit");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/02/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/28");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.3", reference:"lame-3.100-7.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"lame-debuginfo-3.100-7.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"lame-debugsource-3.100-7.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"lame-mp3rtp-3.100-7.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"lame-mp3rtp-debuginfo-3.100-7.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libmp3lame-devel-3.100-7.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libmp3lame0-3.100-7.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libmp3lame0-debuginfo-3.100-7.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libmp3lame0-32bit-3.100-7.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libmp3lame0-debuginfo-32bit-3.100-7.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "lame / lame-debuginfo / lame-debugsource / lame-mp3rtp / etc");
}