CVE-2021-46060: NULL Pointer Dereference in setcmd () at commands.c:1152
A NULL Pointer Dereference vulnerability exists in GNU inetutils 2.2 via the setcmd function at commands.c, which causes a denial of service.
Copyright © 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
[POC1](https://drive.google.com/file/d/1snLElamVgMu5SO1vkKvSQqOByBlX0zxb/view?usp=sharing)
```text
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x10
RBX: 0x3
RCX: 0x3
RDX: 0x0
RSI: 0x55555556d0c5 --> 0x6572207325006666 ('ff')
RDI: 0x555555577068 --> 0xa001c23
RBP: 0x555555576ea0 --> 0x555555577060 --> 0x100b002000746553
RSP: 0x7fffffffe1b0 --> 0x555555577060 --> 0x100b002000746553
RIP: 0x55555555b7cd (<setcmd+701>: mov BYTE PTR [rdx],al)
R8 : 0x555555577067 --> 0xa001c2310
R9 : 0x0
R10: 0x55555556d439 --> 0x69626d413f00203e ('> ')
R11: 0x7fffffffe65c --> 0x550074656e6c6574 ('telnet')
R12: 0x555555575b60 --> 0x55555556f7fb --> 0x4341492073250020 (' ')
R13: 0x7fffffffe380 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555555b7bf <setcmd+687>: cmove eax,edx
   0x55555555b7c2 <setcmd+690>: nop WORD PTR [rax+rax*1+0x0]
   0x55555555b7c8 <setcmd+696>: mov rdx,QWORD PTR [r12+0x18]
=> 0x55555555b7cd <setcmd+701>: mov BYTE PTR [rdx],al
   0x55555555b7cf <setcmd+703>: mov rax,QWORD PTR [r12+0x18]
   0x55555555b7d4 <setcmd+708>: movzx edi,BYTE PTR [rax]
   0x55555555b7d7 <setcmd+711>: call 0x55555555aed0 <control>
   0x55555555b7dc <setcmd+716>: mov rdx,QWORD PTR [r12]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe1b0 --> 0x555555577060 --> 0x100b002000746553
0008| 0x7fffffffe1b8 --> 0x5555555754e0 --> 0x55555556d48c --> 0x67676f7400746573 ('set')
0016| 0x7fffffffe1c0 --> 0x0
0024| 0x7fffffffe1c8 --> 0x1
0032| 0x7fffffffe1d0 --> 0x7fffffffe380 --> 0x1
0040| 0x7fffffffe1d8 --> 0x55555555dadb (<command+411>: test eax,eax)
0048| 0x7fffffffe1e0 --> 0x0
0056| 0x7fffffffe1e8 --> 0x7fffffffe390 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555555b7cd in setcmd (argc=0x3, argv=0x555555576ea0 <margv>) at commands.c:1152
1152	  *(ct->charp) = (cc_t) value;
gdb-peda$ bt
#0  0x000055555555b7cd in setcmd (argc=0x3, argv=0x555555576ea0 <margv>) at commands.c:1152
#1  0x000055555555dadb in command (top=0x1, tbuf=0x0, cnt=<optimized out>) at commands.c:3047
#2  0x0000555555559fe4 in main (argc=0x0, argc@entry=0x1, argv=0x7fffffffe390, argv@entry=0x7fffffffe388) at main.c:426
#3  0x00007ffff7db60b3 in __libc_start_main (main=0x555555559d60 <main>, argc=0x1, argv=0x7fffffffe388, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffe378) at ../csu/libc-start.c:308
#4  0x000055555555a01e in _start () at main.c:426
```
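The faulting statement at commands.c:1152 stores through `ct->charp` with no check that the matched table row actually has a variable behind it. The C model below is added here and is not inetutils code: it assumes, in the spirit of the BSD-derived telnet `Setlist`, that separator and help-only rows carry a NULL `charp`, and it places the unchecked store beside a guarded version that reports such rows as not settable instead of writing to address 0. The three-row table, the sample control characters and the names `getset`, `setcmd_unchecked` and `setcmd_checked` are constructed for the example.

```c
#include <string.h>

typedef unsigned char cc_t;   /* same width as the termios cc_t; local so no header is needed */

/* Simplified model of a telnet Setlist row: the name the user types and the cc_t it
 * maps to. Help/separator rows have no variable behind them, i.e. charp == NULL. */
struct setlist {
    const char *name;
    cc_t *charp;
};

static cc_t echo_char   = 0x05;   /* ^E, constructed sample value */
static cc_t escape_char = 0x1d;   /* ^], constructed sample value */

/* Constructed table: the middle row models a help-only separator with charp == NULL. */
static struct setlist Setlist[] = {
    {"echo",   &echo_char},
    {" ",      NULL},          /* separator row: carries help text only, nothing settable */
    {"escape", &escape_char},
    {NULL,     NULL}
};

/* Prefix lookup in the spirit of getset(); first match wins (ambiguity ignored here). */
static struct setlist *getset(const char *name)
{
    for (struct setlist *ct = Setlist; ct->name; ct++)
        if (strncmp(name, ct->name, strlen(name)) == 0)
            return ct;
    return NULL;
}

/* Vulnerable shape (defined for comparison, never called): the store at
 * commands.c:1152 with no NULL check, so matching the separator row faults. */
int setcmd_unchecked(const char *name, cc_t value)
{
    struct setlist *ct = getset(name);
    if (ct == NULL) return 0;
    *(ct->charp) = value;             /* SIGSEGV when ct->charp == NULL */
    return 1;
}

/* Hardened: a row with no storage behind it is refused, not written through. */
int setcmd_checked(const char *name, cc_t value)
{
    struct setlist *ct = getset(name);
    if (ct == NULL) return 0;         /* unknown name */
    if (ct->charp == NULL) return -1; /* help/separator row: nothing to set */
    *(ct->charp) = value;
    return 1;
}
```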