With certain table types, Bento4 will attempt to atomically update a record's data with a call to AP4_StszAtom::SetData(), but if there is an error, the record will not be updated. If an attacker is able to inject data into an AP4_StszAtom::SetData() call and the record's data type is one that does not support atomically updating the record's data, then a NULL pointer dereference will occur. This could lead to a denial of service attack and/or potentially arbitrary code execution.
A vulnerable installation of Bento4 can be exploited after an attacker modifies a database table to contain a piece of data that will cause a NULL pointer dereference during an attempt to atomically update the record's data. At the time of this advisory's publication, the example SQL injection payload is: Bento4 1.6.0-639 and older versions are vulnerable.
Bento4 through 1.6.0-639 are vulnerable. Bento5 is not vulnerable any longer.
Mitigation
A patch has been released for Bento4 through 1.6.0-639. Users of these versions should upgrade to a fixed version.
End users of Bento4 through 1.6.0-639 can protect their installations against this issue by disabling AP4_StszAtom::SetData() completely.
Bento5 is not vulnerable any longer.
Bento5 is not vulnerable any longer.
Bento4 and Bento5 are types of databases and are vulnerable to this issue.
Timeline
Published on: 09/18/2022 19:15:00 UTC
Last modified on: 09/21/2022 14:39:00 UTC