## Description

A NULL pointer dereference was discovered in setcmd () at commands.c:1152. The
vulnerability causes a segmentation fault, crashing the application.

**version**

```
./telnet --version
telnet (GNU inetutils) 2.2
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
```

**System information**
Ubuntu 20.04.1 LTS, clang version 10.0.0-4ubuntu1



## Proof of Concept
[POC1](https://drive.google.com/file/d/1snLElamVgMu5SO1vkKvSQqOByBlX0zxb/view?usp=sharing)



**command:**

```
./telnet < POC1
```

**Result**

```
./telnet < POC1
[1]    728662 segmentation fault  ./telnet < ./poc
```


**gdb**
```
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x10 
RBX: 0x3 
RCX: 0x3 
RDX: 0x0 
RSI: 0x55555556d0c5 --> 0x6572207325006666 ('ff')
RDI: 0x555555577068 --> 0xa001c23 
RBP: 0x555555576ea0 --> 0x555555577060 --> 0x100b002000746553 
RSP: 0x7fffffffe1b0 --> 0x555555577060 --> 0x100b002000746553 
RIP: 0x55555555b7cd (<setcmd+701>:mov    BYTE PTR [rdx],al)
R8 : 0x555555577067 --> 0xa001c2310 
R9 : 0x0 
R10: 0x55555556d439 --> 0x69626d413f00203e ('> ')
R11: 0x7fffffffe65c --> 0x550074656e6c6574 ('telnet')
R12: 0x555555575b60 --> 0x55555556f7fb --> 0x4341492073250020 (' ')
R13: 0x7fffffffe380 --> 0x1 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555555b7bf <setcmd+687>:cmove  eax,edx
   0x55555555b7c2 <setcmd+690>:nop    WORD PTR [rax+rax*1+0x0]
   0x55555555b7c8 <setcmd+696>:mov    rdx,QWORD PTR [r12+0x18]
=> 0x55555555b7cd <setcmd+701>:mov    BYTE PTR [rdx],al
   0x55555555b7cf <setcmd+703>:mov    rax,QWORD PTR [r12+0x18]
   0x55555555b7d4 <setcmd+708>:movzx  edi,BYTE PTR [rax]
   0x55555555b7d7 <setcmd+711>:call   0x55555555aed0 <control>
   0x55555555b7dc <setcmd+716>:mov    rdx,QWORD PTR [r12]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe1b0 --> 0x555555577060 --> 0x100b002000746553 
0008| 0x7fffffffe1b8 --> 0x5555555754e0 --> 0x55555556d48c --> 0x67676f7400746573 ('set')
0016| 0x7fffffffe1c0 --> 0x0 
0024| 0x7fffffffe1c8 --> 0x1 
0032| 0x7fffffffe1d0 --> 0x7fffffffe380 --> 0x1 
0040| 0x7fffffffe1d8 --> 0x55555555dadb (<command+411>:test   eax,eax)
0048| 0x7fffffffe1e0 --> 0x0 
0056| 0x7fffffffe1e8 --> 0x7fffffffe390 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555555b7cd in setcmd (argc=0x3, argv=0x555555576ea0 <margv>) at commands.c:1152
1152      *(ct->charp) = (cc_t) value;
gdb-peda$ bt
#0  0x000055555555b7cd in setcmd (argc=0x3, argv=0x555555576ea0 <margv>) at commands.c:1152
#1  0x000055555555dadb in command (top=0x1, tbuf=0x0, cnt=<optimized out>) at commands.c:3047
#2  0x0000555555559fe4 in main (argc=0x0, argc@entry=0x1, argv=0x7fffffffe390, argv@entry=0x7fffffffe388) at main.c:426
#3  0x00007ffff7db60b3 in __libc_start_main (main=0x555555559d60 <main>, argc=0x1, argv=0x7fffffffe388, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe378) at ../csu/libc-start.c:308
#4  0x000055555555a01e in _start () at main.c:426
```
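As an added illustration (not inetutils' own code), a constructed model of the table-driven `set` dispatch behind the faulting store: the register dump shows RDX, loaded from `[r12+0x18]`, is 0 when `mov BYTE PTR [rdx],al` executes, i.e. the matched entry's `charp` is NULL. The `setent` table, its entries and the `-1`/`-2` return codes are assumptions; `setcmd_unchecked` reproduces the crash shape and `setcmd_checked` is the defensive form that rejects entries without storage instead of writing through NULL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char cc_t;   /* termios-style control-character type */

/* Constructed model of a "set <name> <value>" table (not inetutils' setlist).
 * Entries that only run a handler carry a NULL charp. */
struct setent {
    const char *name;
    void (*handler)(void);
    cc_t *charp;                  /* storage for the value, or NULL */
};

static cc_t escape_char = '^';
static void show_help(void) { puts("set <name> <value>"); }

static struct setent setlist[] = {
    { "escape", NULL,      &escape_char },
    { "?",      show_help, NULL },        /* handler only: no storage */
    { "broken", NULL,      NULL },        /* constructed: neither handler nor storage */
};

static struct setent *getset(const char *name) {
    for (size_t i = 0; i < sizeof setlist / sizeof setlist[0]; i++)
        if (strcmp(setlist[i].name, name) == 0) return &setlist[i];
    return NULL;
}

/* Vulnerable shape: stores through charp without checking it. */
int setcmd_unchecked(const char *name, cc_t value) {
    struct setent *ct = getset(name);
    if (!ct) return -1;                       /* unknown name */
    if (ct->handler) { ct->handler(); return 0; }
    *(ct->charp) = value;                     /* charp == NULL -> SIGSEGV */
    return 0;
}

/* Hardened shape: an entry with neither handler nor storage is an error. */
int setcmd_checked(const char *name, cc_t value) {
    struct setent *ct = getset(name);
    if (!ct) return -1;                       /* unknown name */
    if (ct->handler) { ct->handler(); return 0; }
    if (ct->charp == NULL) return -2;         /* no storage: report, don't crash */
    *(ct->charp) = value;
    return 0;
}

cc_t current_escape(void) { return escape_char; }
```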

Attachment: POC1
Description: Binary data
