CVE-2012-0270
published 2014-02-17

CVE-2012-0270: Multiple stack-based buffer overflows in Csound before 5.16.6 allow remote attackers to execute arbitrary code via a crafted (1) hetro file to the getnum…

Priority: P3 · 57 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available (Metasploit module, see Detection & IOCs below)
EPSS: 54.67% (98.9th percentile)
Multiple stack-based buffer overflows in Csound before 5.16.6 allow remote attackers to execute arbitrary code via a crafted (1) hetro file to the getnum function in util/heti_main.c or (2) PVOC file to the getnum function in util/pv_import.c.

Affected (14 ranges)

Vendor    Product   Version range                     Fixed in
csounds   csound    <= 5.16.1                         -
csounds   csound    -                                 -
csounds   csound    -                                 -
csounds   csound    -                                 -
csounds   csound    -                                 -
csounds   csound    -                                 -
csounds   csound    -                                 -
csounds   csound    -                                 -
csounds   csound    -                                 -
csounds   csound    >= 0 < 1:5.16.6~dfsg-1            1:5.16.6~dfsg-1
csounds   csound    >= 0 < 1:5.16.6~dfsg-1            1:5.16.6~dfsg-1
csounds   csound    >= 0 < 1:5.16.6~dfsg-1            1:5.16.6~dfsg-1
csounds   csound    >= 0 < 1:5.16.6~dfsg-1            1:5.16.6~dfsg-1
debian    csound    < csound 1:5.16.6~dfsg-1 (bookworm)   csound 1:5.16.6~dfsg-1 (bookworm)

Detection & IOCs (extracted from sources)

command: csound -U het_import msf.csd file.het
other:   0x6e955446
url:     http://csound.git.sourceforge.net/git/gitweb.cgi?p=csound/csound5.git;a=commit;h=7d617a9551fb6c552ba16874b71266fcd90f3a6f
bytes:   \x81\xc4\x54\xf2\xff\xff
  • The exploit targets getnum() in util/heti_main.c (hetro files) and util/pv_import.c (PVOC files); monitor for csound executed with the '-U het_import' flag and a .het or .csd file argument as a trigger indicator.
  • The exploit does not trigger when het_import is invoked directly; exploitation requires csound to be called with '-U het_import', so detection should focus on the csound process invoking het_import as a utility subcommand.
  • The ROP gadget 'push esp; ret' is located at 0x6e955446 in libgcc_s_dw2-1.dll on Windows XP SP3 and Windows 7 SP1. Its little-endian encoding (46 54 95 6e) at offset 132 of a field in a crafted file, or this return address on the stack during csound execution, is a strong exploit indicator.
  • The stack-adjustment prepend bytes \x81\xc4\x54\xf2\xff\xff ('add esp, -3500'; the imm32 is 0xfffff254) appear immediately after the return address in the malicious .het/.csd payload; scan crafted hetro/PVOC files for this byte sequence.
  • Bytes excluded from the payload are \x00, \x0a, \x1a, \x2c and \xff, so the encoded shellcode never contains them. \x0a and \x2c are the newline and comma that delimit fields in the import file, which is consistent with the overflowing value being a single long field. Because the shellcode body is encoded and varies per sample, NIDS signatures should key on the stable prefix (oversized field, return address, stack adjustment) rather than on the shellcode itself, or they will miss encoded payloads.
  • The overflow offset to the return address is 132 bytes; a hetro or PVOC file with a field value of 132 or more bytes followed by a 4-byte little-endian address is characteristic of exploitation attempts.
  • The Metasploit module targets only Csound 5.15 on Windows XP SP3 and Windows 7 SP1; the ROP gadget address (0x6e955446 in libgcc_s_dw2-1.dll) is specific to those platforms and will differ on other OS versions or Csound builds.
  • The vulnerability also affects PVOC files via getnum() in util/pv_import.c, not only hetro files; detection and patching must cover both attack vectors.
  • Payload space is limited to 650 bytes; larger or staged shellcode may not fit within the default Metasploit module configuration.
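The file-level indicators above (a single field of 132 or more bytes, the gadget address in little-endian form at offset 132, the stack-adjustment bytes right after it) can be turned into a concrete check. The scanner below is an added example; it is not Csound code, not the Metasploit module, and not from this page's sources. The offset, gadget address and stack-adjustment bytes are the ones listed above. The assumption that getnum() delimits fields on ',' and '\n' is ours, inferred from those two bytes appearing in the bad-character list, and both sample files are constructed for the demonstration.

```python
from __future__ import annotations

# Added example scanner for the CVE-2012-0270 file-level indicators.
# Not Csound or Metasploit code. Constants come from the page; the field
# delimiters are an assumption (',' and '\n' are both in the bad-character list).

RET_OFFSET = 132                                  # field bytes before the saved return address
ROP_GADGET = 0x6E955446                           # push esp; ret in libgcc_s_dw2-1.dll (XP SP3 / Win7 SP1)
ROP_GADGET_LE = ROP_GADGET.to_bytes(4, "little")  # b"\x46\x54\x95\x6e" as it appears in the file
STACK_ADJUST = b"\x81\xc4\x54\xf2\xff\xff"        # add esp, -3500 (Metasploit stack-adjust prepend)
FIELD_SEPARATORS = b",\n"                         # assumed getnum() terminators


def split_fields(data: bytes) -> list[bytes]:
    """Split the import file into the byte strings getnum() would read one at a time."""
    fields: list[bytes] = []
    cur = bytearray()
    for b in data:
        if b in FIELD_SEPARATORS:
            fields.append(bytes(cur))
            cur = bytearray()
        else:
            cur.append(b)
    if cur:
        fields.append(bytes(cur))
    return fields


def scan_field(field: bytes) -> dict[str, int | bool]:
    """Return the indicators present in one field (empty dict if none)."""
    findings: dict[str, int | bool] = {}
    if len(field) > RET_OFFSET:
        findings["oversized"] = len(field)
        if field[RET_OFFSET:RET_OFFSET + 4] == ROP_GADGET_LE:
            findings["rop_gadget_at_offset"] = True
        if field[RET_OFFSET + 4:RET_OFFSET + 10] == STACK_ADJUST:
            findings["stack_adjust_after_ret"] = True
    if ROP_GADGET_LE in field:
        findings["rop_gadget_bytes_at"] = field.index(ROP_GADGET_LE)
    if STACK_ADJUST in field:
        findings["stack_adjust_bytes_at"] = field.index(STACK_ADJUST)
    return findings


def scan_hetro(data: bytes) -> list[tuple[int, dict[str, int | bool]]]:
    """Scan a whole file; returns (field index, findings) for every flagged field."""
    return [(i, f) for i, field in enumerate(split_fields(data)) if (f := scan_field(field))]


def verdict(data: bytes) -> str:
    """'exploit' if the gadget sits exactly where the return address lands,
    'suspicious' for any other indicator (e.g. an oversized field), else 'clean'."""
    hits = scan_hetro(data)
    if any(f.get("rop_gadget_at_offset") for _, f in hits):
        return "exploit"
    return "suspicious" if hits else "clean"


# Constructed samples (not real Csound files, not real captures).
BENIGN_HET = b"3,1.5,440.0\n0.0,0.25,0.5\n"
CRAFTED_HET = (b"3," + b"A" * RET_OFFSET + ROP_GADGET_LE + STACK_ADJUST
               + b"\x90" * 16 + b",1.5\n")   # NOPs stand in for the encoded shellcode body

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_HET), ("crafted", CRAFTED_HET)):
        print(name, verdict(sample), scan_hetro(sample))
```

Run it over any file handed to csound -U het_import (or pv_import) before the import happens. An oversized field alone is only "suspicious", because a legitimate file could in principle carry a long numeric token; the gadget bytes at exactly offset 132 are what distinguishes the known exploit, and on other platforms that address will differ, so the oversized-field check is the one that generalises.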

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             2.0       7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv             -         7.5     HIGH       -
vendor_debian   -         7.5     LOW        -