CVE-2021-45779: [bug #61726] NULL Pointer Dereference in unsetcmd() at inetutils/telnet/

A NULL pointer dereference in unsetcmd() at inetutils/telnet/commands.c of GNU Inetutils v2.2.16-cf091 can lead to a segmentation fault or application crash.


From: AiDai
Subject: [bug #61726] NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227
Date: Thu, 23 Dec 2021 09:14:18 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36

URL: https://savannah.gnu.org/bugs/?61726

                 Summary: NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227
                 Project: GNU Networking Utilities
            Submitted by: aidai
            Submitted on: Thu 23 Dec 2021 02:14:16 PM UTC
                Category: None
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

_______________________________________________________

Details:

NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227

Description

A NULL Pointer Dereference was discovered in unsetcmd() at inetutils/telnet/commands.c:1227. The vulnerability causes a segmentation fault and application crash.

**version**

```
./telnet --version
telnet (GNU inetutils) 2.2.16-cf091
Copyright © 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.
```

**System information**

Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

Proof of Concept

**poc**

```
base64 poc
dQsiIA==
```

**command:**

```
./telnet < ./poc
```

**Result**

```
./telnet < ./poc
[3]    2387443 segmentation fault  ./telnet < ./poc
```

**gdb**

```
Program received signal SIGSEGV, Segmentation fault.
unsetcmd (argc=0, argv=0x55555557c110 <margv+16>) at commands.c:1227
1227      *(ct->charp) = _POSIX_VDISABLE;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x55555557bee2 (line+2) ◂— 0x20 /* ' ' */
 RCX  0xfbad2098
 RDX  0x0
 RDI  0x55555557ab20 (Setlist+128) —▸ 0x555555571a7d ◂— 0x67756265640020 /* ' ' */
 RSI  0x555555571a7d ◂— 0x67756265640020 /* ' ' */
 R8   0x55555557bee0 (line) ◂— 0x200075 /* 'u' */
 R9   0x7c
 R10  0x555555572e4c ◂— 0x69626d413f00203e /* '> ' */
 R11  0x246
 R12  0x555555559d20 (_start) ◂— endbr64
 R13  0x7fffffffe210 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x7fffffffe060 —▸ 0x7fffffffe090 —▸ 0x7fffffffe120 ◂— 0x0
 RSP  0x7fffffffe030 —▸ 0x55555557c110 (margv+16) ◂— 0x0
 RIP  0x55555555b592 (unsetcmd+717) ◂— mov byte ptr [rax], 0
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x55555555b592 <unsetcmd+717>    mov    byte ptr [rax], 0
   0x55555555b595 <unsetcmd+720>    mov    rax, qword ptr [rbp - 0x20]
   0x55555555b599 <unsetcmd+724>    mov    rax, qword ptr [rax + 0x18]
   0x55555555b59d <unsetcmd+728>    movzx  eax, byte ptr [rax]
   0x55555555b5a0 <unsetcmd+731>    movzx  eax, al
   0x55555555b5a3 <unsetcmd+734>    mov    edi, eax
   0x55555555b5a5 <unsetcmd+736>    call   control <control>

   0x55555555b5aa <unsetcmd+741>    mov    rdx, rax
   0x55555555b5ad <unsetcmd+744>    mov    rax, qword ptr [rbp - 0x20]
   0x55555555b5b1 <unsetcmd+748>    mov    rax, qword ptr [rax]
   0x55555555b5b4 <unsetcmd+751>    mov    rsi, rax
──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
In file: /root/disk2/fuzzing/inetutils/inetutils/telnet/commands.c
   1222           (*ct->handler) (0);
   1223           printf ("%s reset to \"%s\".\n", ct->name, (char *) ct->charp);
   1224         }
   1225       else
   1226         {
 ► 1227           *(ct->charp) = _POSIX_VDISABLE;
   1228           printf ("%s character is '%s'.\n", ct->name,
   1229                   control (*(ct->charp)));
   1230         }
   1231     }
   1232   return 1;
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe030 —▸ 0x55555557c110 (margv+16) ◂— 0x0
01:0008│     0x7fffffffe038 ◂— 0x5555d867
02:0010│     0x7fffffffe040 —▸ 0x55555557ab20 (Setlist+128) —▸ 0x555555571a7d ◂— 0x67756265640020 /* ' ' */
03:0018│     0x7fffffffe048 —▸ 0x55555557bee0 (line) ◂— 0x200075 /* 'u' */
04:0020│     0x7fffffffe050 ◂— 0x0
05:0028│     0x7fffffffe058 —▸ 0x55555557b360 (cmdtab+256) —▸ 0x555555572e2f ◂— 0x6f74007465736e75 /* 'unset' */
06:0030│ rbp 0x7fffffffe060 —▸ 0x7fffffffe090 —▸ 0x7fffffffe120 ◂— 0x0
07:0038│     0x7fffffffe068 —▸ 0x55555555dab9 (command+550) ◂— test eax, eax
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x55555555b592 unsetcmd+717
   f 1   0x55555555dab9 command+550
   f 2   0x55555555e3c8 main+776
   f 3   0x7ffff7db50b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  unsetcmd (argc=0, argv=0x55555557c110 <margv+16>) at commands.c:1227
#1  0x000055555555dab9 in command (top=1, tbuf=0x0, cnt=0) at commands.c:3044
#2  0x000055555555e3c8 in main (argc=0, argv=0x7fffffffe220) at main.c:423
#3  0x00007ffff7db50b3 in __libc_start_main (main=0x55555555e0c0 <main>, argc=1, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at …/csu/libc-start.c:308
#4  0x0000555555559d4e in _start ()
```

_______________________________________________________

Reply to this item at:

https://savannah.gnu.org/bugs/?61726

_______________________________________________ Message sent via Savannah https://savannah.gnu.org/
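The register dump above makes the mechanism readable without the inetutils sources at hand: `RAX` is `0x0` when `mov byte ptr [rax], 0` executes at line 1227, and the matched `Setlist` entry (`RDI`, `RSI`) has the single-space name `' '`, i.e. one of the table's separator rows that carry no character pointer. The PoC bytes decode from base64 to `u`, a vertical tab, `"` and a space, so the `unset` command receives a quoted single space as its argument and the prefix lookup lands on that row. The following C program is an added, self-contained model of that pattern, not code from the bug report or from inetutils: a constructed set/unset table with a separator row whose `charp` is `NULL`, a unique-prefix `lookup()`, the unchecked store (`unset_unchecked`) that reproduces the crash shape, and the hardened form (`unset_checked`) that reports a row without storage instead of writing through it. All names, the table contents and the result codes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* _POSIX_VDISABLE is the termios value that disables a control character.
 * glibc exposes it through <unistd.h>; fall back to 0 where it is missing. */
#ifndef _POSIX_VDISABLE
#define _POSIX_VDISABLE 0
#endif

/* Constructed stand-in for a set/unset table of the kind a telnet client uses:
 * real rows point at the character they control, while separator rows exist
 * only to structure help output and carry no storage (charp == NULL). */
struct setting {
    const char *name;
    const char *help;
    unsigned char *charp;   /* NULL on separator rows */
};

static unsigned char echoc  = 'E' & 0x1f;   /* ^E, constructed default */
static unsigned char escape = ']' & 0x1f;   /* ^], constructed default */

static struct setting table[] = {
    { "echo",   "character to toggle local echoing on/off", &echoc  },
    { "escape", "character to escape back to command mode", &escape },
    { " ",      "",                                          NULL    },  /* separator row */
    { NULL,     NULL,                                        NULL    }
};

enum unset_result {
    UNSET_OK         =  0,
    UNSET_UNKNOWN    = -1,
    UNSET_AMBIGUOUS  = -2,
    UNSET_NO_STORAGE = -3   /* matched a row that has nothing to reset */
};

/* Sentinel returned when a prefix matches more than one row. */
static struct setting ambiguous;

/* Unique-prefix lookup, the usual command-table convention: "ec" finds "echo",
 * "e" is ambiguous between "echo" and "escape", an exact name always wins.
 * A single space is a perfectly valid key here and selects the separator row. */
static struct setting *lookup(const char *name)
{
    size_t n = strlen(name);
    struct setting *found = NULL;

    if (n == 0)
        return NULL;
    for (struct setting *ct = table; ct->name != NULL; ct++) {
        if (strcmp(ct->name, name) == 0)
            return ct;
        if (strncmp(ct->name, name, n) == 0) {
            if (found != NULL)
                return &ambiguous;
            found = ct;
        }
    }
    return found;
}

/* Shape of the crashing path: the row was found and has no handler, so the
 * code stores through charp without asking whether charp exists.
 * Calling this with " " dereferences NULL. */
int unset_unchecked(const char *name)
{
    struct setting *ct = lookup(name);

    if (ct == NULL)
        return UNSET_UNKNOWN;
    if (ct == &ambiguous)
        return UNSET_AMBIGUOUS;
    *(ct->charp) = _POSIX_VDISABLE;   /* NULL dereference on a separator row */
    return UNSET_OK;
}

/* Hardened form: a row without storage is reported, never written through. */
int unset_checked(const char *name)
{
    struct setting *ct = lookup(name);

    if (ct == NULL)
        return UNSET_UNKNOWN;
    if (ct == &ambiguous)
        return UNSET_AMBIGUOUS;
    if (ct->charp == NULL)
        return UNSET_NO_STORAGE;
    *(ct->charp) = _POSIX_VDISABLE;
    return UNSET_OK;
}

int main(void)
{
    const char *args[] = { "echo", "e", " ", "nosuch" };

    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++)
        printf("unset_checked(\"%s\") -> %d\n", args[i], unset_checked(args[i]));
    return 0;
}
```

An equally valid fix is to make `lookup()` itself skip rows that have neither storage nor a handler, so that separator rows can never be selected by user input; either way the invariant to enforce is that a row is written through only when it owns a character to write to, and the fuzzer-friendly way to regression-test it is exactly the quoted-space argument the PoC uses.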
