CVE-2012-0270
Published: 2014-02-17
Priority: P357 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 54.67% (98.9th percentile)
Multiple stack-based buffer overflows in Csound before 5.16.6 allow remote attackers to execute arbitrary code via a crafted (1) hetro file to the getnum function in util/heti_main.c or (2) PVOC file to the getnum function in util/pv_import.c.
Affected (14 ranges in the source record; empty and duplicate rows collapsed)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| csounds | csound | <= 5.16.1 | — |
| csounds | csound | >= 0 < 1:5.16.6~dfsg-1 | 1:5.16.6~dfsg-1 |
| debian | csound | < csound 1:5.16.6~dfsg-1 (bookworm) | csound 1:5.16.6~dfsg-1 (bookworm) |
Detection & IOCs (extracted from sources)

URL: http://csound.git.sourceforge.net/git/gitweb.cgi?p=csound/csound5.git;a=commit;h=7d617a9551fb6c552ba16874b71266fcd90f3a6f

Bytes: \x81\xc4\x54\xf2\xff\xff

- The exploit targets the getnum() function in util/heti_main.c (hetro file) and util/pv_import.c (PVOC file); monitor process execution of csound with the '-U het_import' flag and a .het or .csd file argument as a trigger indicator.
- The exploit does NOT trigger when het_import is invoked directly; exploitation requires csound to be called with '-U het_import', so detection should focus on the csound parent process invoking het_import as a utility subcommand.
- The ROP gadget 'push esp; ret' is located in libgcc_s_dw2-1.dll at address 0x6e955446 on Windows XP SP3 / Windows 7 SP1; presence of this return address on the stack during csound execution is a strong exploit indicator.
- The stack-adjustment prepend encoder bytes (\x81\xc4\x54\xf2\xff\xff, i.e., 'add esp, -3500') will appear immediately after the return address in the malicious .het/.csd file payload; scan crafted hetro/PVOC files for this byte sequence.
- Bad characters excluded from the payload are \x00, \x0a, \x1a, \x2c, \xff; these are not present in the shellcode, which can help tune NIDS signatures to avoid false negatives on encoded payloads.
- The overflow offset to the return address is 132 bytes; a hetro or PVOC file with a field value string of 132+ bytes followed by a 4-byte little-endian value is characteristic of exploitation attempts.
- The Metasploit module targets only Csound 5.15 on Windows XP SP3 and Windows 7 SP1; the ROP gadget address (0x6e955446 in libgcc_s_dw2-1.dll) is specific to these platforms and will differ on other OS versions or Csound builds.
- The vulnerability also affects PVOC files via getnum() in util/pv_import.c, not only hetro files; detection and patching must cover both attack vectors.
- The payload space is limited to 650 bytes; larger or staged shellcode may not fit within the default Metasploit module configuration.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
GHSA
GHSA-qrqf-p6p9-8q2w: Multiple stack-based buffer overflows in Csound before 5
ghsa_unreviewed · 2022-05-04 · CVE-2012-0270 [HIGH] · CWE-119
Description as in the CVE summary above.
OSV
CVE-2012-0270: Multiple stack-based buffer overflows in Csound before 5
osv · 2014-02-17 · CVSS 7.5 · CVE-2012-0270 [HIGH]
Description as in the CVE summary above.
Debian
CVE-2012-0270: csound - Multiple stack-based buffer overflows in Csound before 5.16.6 allow remote attac...
vendor_debian · 2012 · CVSS 7.5 · CVE-2012-0270 [HIGH]
Description as in the CVE summary above.
Scope: local
Release status:
- bookworm: resolved (fixed in 1:5.16.6~dfsg-1)
- bullseye: resolved (fixed in 1:5.16.6~dfsg-1)
- forky: resolved (fixed in 1:5.16.6~dfsg-1)
- sid: resolved (fixed in 1:5.16.6~dfsg-1)
- trixie: resolved (fixed in 1:5.16.6~dfsg-1)
No detection rules found.
Exploit-DB
Csound - '.hetro' File Handling Stack Buffer Overflow (Metasploit)
exploitdb · 2012-04-06 · CVE-2012-0270

Module header as excerpted by the source (truncated):

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # ... (module header lines missing from the excerpt)
      'Name'        => 'Csound hetro File Handling Stack Buffer Overflow',
      'Description' => %q{
          This module exploits a buffer overflow in Csound before 5.16.6.
          The overflow occurs when trying to import a malicious hetro file
          from tabular format.
          In order to achieve exploitation the user should import the malicious
          file through csound with a command like "csound -U het_import msf.csd file.het".
          This exploit doesn't work if the "het_import" command is used directly
          to conv
```
Metasploit
Csound hetro File Handling Stack Buffer Overflow
metasploit
This module exploits a buffer overflow in Csound before 5.16.6. The overflow occurs when trying to import a malicious hetro file from tabular format. In order to achieve exploitation the user should import the malicious file through csound with a command like "csound -U het_import msf.csd file.het". This exploit doesn't work if the "het_import" command is used directly to convert the file.
Bugzilla
CVE-2012-0270 csound: two buffer overflow flaws in getnum()
bugzilla · 2012-02-24 · CVSS 7.5 · CVE-2012-0270 [HIGH]
It was discovered [1] that Csound contained two boundary errors that could be exploited by tricking a user into converting a malicious file, leading to a stack-based buffer overflow and the possible execution of arbitrary code. The first is in the getnum() function (util/heti_main.c) when processing a hetro file, the second is in the getnum() function (util/pv_import.c) when processing a PVOC file.
This flaw is confirmed in 5.13.0 (currently in Fedora) and is fixed in upstream 5.16.6 [2].
[1] http://secunia.com/secunia_research/2012-3/
[2] http://csound.git.sourceforge.net/git/gitweb.cgi?p=csound/csound5.git;a=commitdiff;h=7d617a9551fb6c552ba16874b71266fcd90f3a6f
Discussion:
Created csound tracking bugs for this issue
Bugzilla
CVE-2012-0270 csound: two buffer overflow flaws in getnum() [fedora-all]
bugzilla · 2012-02-24 · CVSS 7.5 · CVE-2012-0270 [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bu
References
- http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00027.html
- http://lists.opensuse.org/opensuse-updates/2012-03/msg00027.html
- http://secunia.com/advisories/47585
- http://secunia.com/secunia_research/2012-3/
- http://sourceforge.net/projects/csound/files/csound5/csound5.16/Version5.16_Notes/view