Sam Hocevar’s .plan
This is an experimental blog engine. RSS feeds: everything | blog | Debian (DPL only) | VideoLAN | GNOME | Mono
Exposing file parsing vulnerabilities
Posted on Tue, 16 Jan 2007 11:18:39 +0100 - Keywords:
Binary file parsing is difficult. There is a lot of byte swapping, offset computation and magic bit mask handling involved. Add to that the fact that many binary formats were reverse-engineered and do not even have a public spec, are so convoluted that there is no way to write a decent parser, or have so many buggy writer implementations that the readers need to accommodate for that.
Media players, web browsers and email clients are probably the most exposed ones. These programs are full of bugs, not more than any other program, but more dangerous bugs. Admit it, you just play any video you find on the Intarweb, click any image link and read your email (seriously, even mutt uses antiword to read .doc attachments). It is no longer necessary to have network listening services to be exposed to security issues, the users themselves listen to the world.
Using my fuzzing tool zzuf that I eventually decided to release, I found more than 40 bugs in common Unix tools, popular media players and other utilities, simply by reading valid files and slightly corrupting them. The most scary ones are the media player bugs:
VLC | MPlayer | xine | FFmpeg (ffplay) | GStreamer (gst-launch) | mpg321 | ogg123 | |
MP3 | robust | SIGSEGV | robust | robust | robust | robust | N/A |
Ogg Vorbis | robust | SIGSEGV | robust | SIGSEGV | SIGSEGV | N/A | robust |
MPEG-1 | SIGSEGV | SIGSEGV | SIGSEGV | SIGSEGV | robust | N/A | N/A |
MPEG-2 | SIGSEGV | SIGSEGV | robust | SIGSEGV | SIGSEGV | N/A | N/A |
MPEG-4 AVI | SIGSEGV | SIGSEGV | SIGSEGV | SIGSEGV | deadlock? | N/A | N/A |
FLAC | robust | SIGSEGV | robust | heap corruption | robust | N/A | SIGFPE |
Ogg Theora | robust | SIGSEGV | robust | SIGSEGV | robust | N/A | N/A |
WMV | SIGSEGV | SIGSEGV | N/A | SIGSEGV | robust | N/A | N/A |
AAC | heap corruption | SIGSEGV | SIGSEGV | N/A | N/A | N/A | N/A |
AC-3/A52 | SIGSEGV | robust (I KID YOU NOT) | robust | SIGSEGV | N/A | N/A | N/A |
Each of these segmentation fault bugs is a potential security hole in Debian. zzuf also found bugs in Firefox, Openoffice.org, antiword, ImageMagick and even objdump. And there is more to come.