CVE-2023-37328 - Exploiting a Heap-based Buffer Overflow in GStreamer’s PGS File Parsing

TL;DR:
A critical vulnerability, CVE-2023-37328 (ZDI-CAN-20994), was discovered in GStreamer’s handling of PGS subtitle files. Insufficient validation of user-supplied data can lead to heap-based buffer overflow, enabling remote code execution (RCE) under certain conditions. Code exploit, technical explanations, and mitigation tips are included in this deep-dive.

What is GStreamer and Why Does This Matter?

GStreamer is a widely used open-source multimedia framework powering video and audio playback on many Linux desktops (like GNOME) as well as several embedded systems, streaming servers, and media players.

Subtitle parsing is a common feature, and PGS (Presentation Graphic Stream) is a subtitle format mainly used in Blu-ray titles. When GStreamer apps or services (like media players using GStreamer) open files containing PGS subtitles, they trust the contents to a certain extent.

Vulnerability: Heap-based Buffer Overflow in PGS Subtitle Parsing

- CVE ID: CVE-2023-37328
- ZDI Reference: ZDI-CAN-20994

Impact: Remote Code Execution

- Attack Vector: By supplying a crafted PGS subtitle file and tricking a user (or application, automated system) into parsing it.
- Requirements: Victim must process (not necessarily watch!) an attacker-controlled PGS subtitle file via GStreamer.

Technical Deep Dive

If you look at the GStreamer Bad Plugins source (specifically the PGS subtitle handling), you’ll find code paths that parse chunks of subtitle data. Here, size fields within the subtitle data are assumed legitimate — a dangerous assumption.

Root Cause:
> The length of certain data fields from a PGS subtitle chunk is accepted by code and blindly copied to a heap-allocated buffer, without checking if the length was within buffer bounds.

In C, it often looks like this

// Simplified, not the exact code!
guint8 *buf = g_malloc(chunk_size);
memcpy(buf, pgs_data + offset, chunk_size); // chunk_size may be attacker-controlled
// ... use buf ...
g_free(buf);

If chunk_size (taken from the file) is bigger than expected, memcpy will read outside the array and write past the end of the heap buffer (buf). If an attacker carefully crafts the subtitle file, they control both the data written and the overflow distance. In modern systems, this often leads to:

- Overwriting heap metadata/adjacent buffers

Hijacking control flow (function pointers, vtables, etc.)

Result:
Arbitrary code execution as the user running the GStreamer application — which is often a regular desktop user but could be a system service.

Exploit Scenario

1. Attacker crafts a malicious .sup or .pgs file with binary data that sets an internal length field larger than the actual buffer.
2. The victim is tricked into opening or processing this file with any GStreamer-based tool. This could happen by:

Opening a downloaded movie with embedded subtitles in a media player (like Totem).

- Automated processing/thumbnailing tools (on a file indexer or media server).

Malicious files in chat, email, or websites.

3. During parsing, the heap overflow occurs, overwriting key memory and deploying attacker shellcode or payload.

Below is a hypothetical snippet of how an attacker might build such a PGS file

# Conceptual, for educational purposes
with open('evil.sup', 'wb') as f:
    f.write(b'\x50\x47\x53\x00')   # 'PGS' header
    f.write(b'\x00\x00')           # Chunk ID
    f.write(b'\xff\xff')           # Maliciously large chunk size (65535)
    f.write(b'\x41' * 65535)       # Data that overflows the buffer with 'A's
    # ... additional crafted blocks could follow

This simple example could overwrite heap memory when parsed, potentially leading to a crash, or, with more advanced payload construction, enabling code execution.

Links to the Original References

- CVE-2023-37328 on NIST NVD
- ZDI-23-804 Advisory (ZDI-CAN-20994)
- GStreamer Security Page

Patch Immediately:

Upgrade your GStreamer (specifically the *gst-plugins-bad* module) to the version where this issue is addressed. Latest releases here.

Application Sandbox:

Restrict multimedia applications using AppArmor or SELinux so a compromise is limited in impact.

- Automatic Scanning/Thumbnailing:
If you operate systems that automatically process files (e.g., media servers, cloud storage), disable scanning of untrusted subtitle files or run it in a locked-down environment.

Who’s at Risk?

Any system or product parsing PGS subtitles through GStreamer — Linux desktop users, streaming boxes, some video servers, developers embedding GStreamer in applications, and corporations handling untrusted media.

Conclusion

CVE-2023-37328 is a serious heap overflow in GStreamer tied to PGS subtitle parsing. This bug, exploitable via a simple file, can be leveraged for remote code execution if unpatched. Always keep your systems updated, avoid handling suspicious media files, and sandbox your multimedia apps. Attackers will continue targeting file parsers — and this serves as a timely reminder why robust input validation is critical in any code dealing with external data.

Stay safe. Patch early, patch often!

*Feel free to share (with attribution) — original writeup by an independent security researcher for 2024.*

Timeline

Published on: 05/03/2024 02:15:43 UTC
Last modified on: 06/04/2024 17:24:31 UTC