CVE-2015-7805
published 2015-11-17

CVE-2015-7805: Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have unspecified impact via the headindex value in the header in an AIFF file.

Priority: P3 56
Severity: critical, CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public PoC available
EPSS: 13.40% (95.9th percentile)

Affected (9 ranges)

Vendor             | Product    | Version range                | Fixed in
debian             | libsndfile | < 1.0.25-10 (bookworm)       | 1.0.25-10 (bookworm)
libsndfile_project | libsndfile | >= 0, < 1.0.25-10            | 1.0.25-10
libsndfile_project | libsndfile | >= 0, < 1.0.25-10            | 1.0.25-10
libsndfile_project | libsndfile | >= 0, < 1.0.25-10            | 1.0.25-10
libsndfile_project | libsndfile | >= 0, < 1.0.25-10            | 1.0.25-10
libsndfile_project | libsndfile | >= 0, < 1.0.25-7ubuntu2.1    | 1.0.25-7ubuntu2.1
mega-nerd          | libsndfile | (no range given)             |
opensuse           | opensuse   | (no range given)             |
opensuse           | opensuse   | (no range given)             |

Detection & IOCs (extracted from sources)

filename: nemux.aiff
command: /usr/bin/paplay nemux.aiff
command: /usr/bin/audacity namux.aiff
bytes (first 69 bytes of the PoC file):
46 4F 52 4D 00 00 D0 7C 41 49 46 43 42 56 45 52 00 00 00 04 A2 80 51 40 43 4F 4D 4D 00 00 00 11 00 01 00 00 00 00 00 10 F3 0C FA 00 00 00 00 00 00 4E 4F 4E 45 0E 6E 6F 74 20 63 63 6D 92 72 65 73 53 65 64 00
  • The PoC triggers a heap overflow with a specially crafted AIFF file whose chunk sizes drive libsndfile's internal header-parser state (psf->headindex / psf->headend, which are fields of the library's private state, not fields of the AIFF format) out of range, so a subsequent memcpy writes past the heap buffer. Look for AIFF files with anomalous COMT chunk item counts (e.g. 0x2503 or 0x36B0 items) or malformed/duplicate SSND chunks.
  • Attack surface includes email attachments, audio streamed over TCP sockets, and file uploads to server-side audio processing services. Any application that hands an AIFF file to libsndfile for parsing is a potential vector.
  • The crafted AIFF payload contains the string 'MOMIMANHACKERNOW' repeated as padding. This string can be used as a memory or file-content signature to detect attempts based on the public PoC.
  • The PoC was written for libsndfile 1.0.25 specifically. The Debian fixed version is 1.0.25-10; unpatched 1.0.25 packages on RHEL 6/7 are marked 'Will not fix' by Red Hat.
  • The exploit author notes that the PulseAudio path (paplay) was tested, but the SWF/Audio browser path was not. Detection coverage should prioritize command-line and server-side audio processing vectors.
  • Adobe Audition triggers the bug passively while scanning a directory, not only on an explicit file open, so detection should account for directory-level file scanning by audio applications.
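A static triage scanner for the indicators above, added here as an example (it is not the PoC author's code and not part of libsndfile). It walks the IFF chunk list of an AIFF/AIFC file and reports the traits this section lists: a FORM or chunk size that runs past the end of the file, a COMT numComments value that matches the quoted PoC counts or exceeds COMT_ITEM_LIMIT (an assumed ceiling of 256 comment entries), more than one SSND chunk, and the MOMIMANHACKERNOW padding marker. The benign and malicious samples are constructed inline; the third sample is the 69 header bytes quoted above, which are a truncated capture, so on it the scanner reports the oversized FORM and the chunk that runs past the end rather than a COMT count.

```python
import struct

# Signature values quoted on this page for the libsndfile 1.0.25 AIFF PoC.
MARKER = b"MOMIMANHACKERNOW"
KNOWN_POC_COMT_COUNTS = {0x2503, 0x36B0}
# Assumption: no legitimate AIFF carries hundreds of comment entries.
COMT_ITEM_LIMIT = 256


def _iff_chunks(data, start, end):
    """Yield (chunk_id, body_offset, declared_size) for each IFF chunk header in data[start:end]."""
    off = start
    while off + 8 <= end:
        cid = data[off:off + 4]
        size = struct.unpack(">I", data[off + 4:off + 8])[0]
        yield cid, off + 8, size
        off += 8 + size + (size & 1)          # IFF chunk bodies are padded to an even length


def scan_aiff(data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if len(data) < 12 or data[:4] != b"FORM":
        return ["not an IFF FORM file"]
    form_size = struct.unpack(">I", data[4:8])[0]
    form_type = data[8:12]
    if form_type not in (b"AIFF", b"AIFC"):
        return [f"FORM type {form_type!r} is not AIFF/AIFC"]
    if form_size + 8 > len(data):
        findings.append(f"FORM size {form_size:#x} exceeds file length {len(data)}")
    if MARKER in data:
        findings.append("PoC padding marker MOMIMANHACKERNOW present")

    ssnd_count = 0
    for cid, body, size in _iff_chunks(data, 12, len(data)):
        if body + size > len(data):
            findings.append(f"chunk {cid!r} at {body - 8:#x} declares {size:#x} bytes, beyond end of file")
            break                             # later offsets are meaningless
        if cid == b"SSND":
            ssnd_count += 1
        elif cid == b"COMT" and size >= 2:
            n = struct.unpack(">H", data[body:body + 2])[0]   # numComments
            if n in KNOWN_POC_COMT_COUNTS:
                findings.append(f"COMT numComments={n:#x} matches a known PoC value")
            elif n > COMT_ITEM_LIMIT:
                findings.append(f"COMT numComments={n:#x} is implausibly large")
    if ssnd_count > 1:
        findings.append(f"{ssnd_count} SSND chunks (duplicate sound-data chunk)")
    return findings


# --- constructed samples ---------------------------------------------------

def _chunk(cid, body):
    return cid + struct.pack(">I", len(body)) + body + (b"\0" if len(body) & 1 else b"")


def _form(form_type, chunks):
    body = form_type + b"".join(chunks)
    return b"FORM" + struct.pack(">I", len(body)) + body


# 1 channel, 1 frame, 16-bit, 44100 Hz encoded as an 80-bit extended float.
COMM = struct.pack(">hIh", 1, 1, 16) + bytes.fromhex("400e ac44 0000 0000 0000")
SSND = struct.pack(">II", 0, 0) + b"\0\0"     # offset, block size, one 16-bit sample

# Constructed benign file.
BENIGN = _form(b"AIFF", [_chunk(b"COMM", COMM), _chunk(b"SSND", SSND)])

# Constructed file with the PoC's shape: absurd COMT count, duplicate SSND, marker padding.
MALICIOUS = _form(b"AIFF", [
    _chunk(b"COMM", COMM),
    _chunk(b"COMT", struct.pack(">H", 0x2503) + MARKER * 4),
    _chunk(b"SSND", SSND),
    _chunk(b"SSND", struct.pack(">II", 0, 0) + MARKER),
])

# The 69 header bytes quoted on this page (captured from the PoC, truncated).
PAGE_HEADER = bytes.fromhex(
    "46 4F 52 4D 00 00 D0 7C 41 49 46 43 46 56 45 52 00 00 00 04 A2 80 51 40 "
    "43 4F 4D 4D 00 00 00 11 00 01 00 00 00 00 00 10 F3 0C FA 00 00 00 00 00 00 "
    "4E 4F 4E 45 0E 6E 6F 74 20 63 63 6D 92 72 65 73 53 65 64 00"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malicious", MALICIOUS), ("page header", PAGE_HEADER)):
        print(name, "->", scan_aiff(blob) or "clean")
```

Run it over an attachment quarantine or upload staging directory before anything links libsndfile against the files. A chunk-size check like this also fires on truncated but benign downloads, so treat the COMT count and the marker string as the higher-confidence signals and the size checks as a reason to look closer.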

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v2.0    | 9.3   | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
osv           |         | 9.3   | CRITICAL |
vendor_debian |         | 9.3   | CRITICAL |
vendor_redhat |         | 9.3   | CRITICAL |
vendor_ubuntu |         | 2.1   | LOW      |