Improper Validation of File Name Causes RCE

Published: Aug 17, 2023, 12:08 p.m.
Reporter: pachinko2821
Source: www.huntr.dev
Tags: malicious file name, macos, arbitrary commands, music player, bug bounty, ipc

Description

Due to insufficient sanitization of the music file name, it is possible to execute arbitrary commands on the victim's computer through a specially crafted file name. The bug was found to be exploitable only in the macOS build of the application. The same code path exists in the other distributions, but it cannot be exploited there because:

  • Windows does not allow characters such as ", | and * in file names, so the payload cannot be stored as a file name at all.

  • On Linux the application is distributed as an AppImage, which mounts its files on a temporary read-only filesystem when executed. This raises an error at line #39 of the IPC handler referenced below, so execution never reaches the exec() call.

Proof of Concept

  • The name of the music file is passed to the “pitch-song” IPC channel through the function unrealtimePitch().

  • The IPC definition can be found here.

  • Observe that on line #43 the file name is interpolated into an exec() call with no sanitization whatsoever. Because exec() runs the command through a shell, a double quote inside the file name closes the quoted argument, and everything after it is parsed as further shell commands.

  • Using a specially named music file, it is therefore possible to get RCE on a victim's computer.

  • Download a sample audio file; any valid extension should work.

  • Rename the file to asdf" | id | touch rce | echo "exp.wav

  • Run the application, then click “Upload” to open the file selection dialogue.

  • Select the renamed file. Set both the pitch and realtime options to 0 and uncheck them.

  • Check the directory where the application's executable is located. Observe that a file named “rce” has been created: the touch rce command injected through the file name has run.