## Description

A heap-buffer-overflow in `another ()` at cmds.c:202. The vulnerability causes an abort and an application crash.
**version**

```
./ftp --version
ftp (GNU inetutils) 2.2
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law
```

**System information**

Ubuntu 20.04.1 LTS, clang version 10.0.0-4ubuntu1

## Proof of Concept

[POC2](https://drive.google.com/file/d/1mwTNmF7uWuD8gbN7RCH68qQNvxA1DGmT/view?usp=sharing)

**command:**

```
./ftp < POC2
```

**Result**

```
./telnet < POC1
[1] 728662 segmentation fault ./telnet < ./poc
```

**gdb**

```
Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffff7fb2600 (0x00007ffff7fb2600)
RCX: 0x7ffff7e0518b (<__GI_raise+203>:mov rax,QWORD PTR [rsp+0x108])
RDX: 0x0
RSI: 0x7fffffffdd00 --> 0x0
RDI: 0x2
RBP: 0x7fffffffe050 --> 0x5555555815a0 --> 0x0
RSP: 0x7fffffffdd00 --> 0x0
RIP: 0x7ffff7e0518b (<__GI_raise+203>:mov rax,QWORD PTR [rsp+0x108])
R8 : 0x0
R9 : 0x7fffffffdd00 --> 0x0
R10: 0x8
R11: 0x246
R12: 0x7fffffffdf70 --> 0x0
R13: 0x10
R14: 0x7ffff7ffb000 --> 0x6c61657200001000
R15: 0x1
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7e0517f <__GI_raise+191>:mov edi,0x2
   0x7ffff7e05184 <__GI_raise+196>:mov eax,0xe
   0x7ffff7e05189 <__GI_raise+201>:syscall
=> 0x7ffff7e0518b <__GI_raise+203>:mov rax,QWORD PTR [rsp+0x108]
   0x7ffff7e05193 <__GI_raise+211>:xor rax,QWORD PTR fs:0x28
   0x7ffff7e0519c <__GI_raise+220>:jne 0x7ffff7e051c4 <__GI_raise+260>
   0x7ffff7e0519e <__GI_raise+222>:mov eax,r8d
   0x7ffff7e051a1 <__GI_raise+225>:add rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdd00 --> 0x0
0008| 0x7fffffffdd08 --> 0x55555557f0c0 --> 0x55555557ebb0 --> 0x7ffff7539000 --> 0x10102464c457f
0016| 0x7fffffffdd10 --> 0x3
0024| 0x7fffffffdd18 --> 0xd45be60417d36d00
0032| 0x7fffffffdd20 --> 0x1f7fcf580
0040| 0x7fffffffdd28 --> 0x7ffff753a000 --> 0x11001200000565
0048| 0x7fffffffdd30 --> 0x555555581790 --> 0x0
0056| 0x7fffffffdd38 --> 0xffffffffffffffff
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7de4859 in __GI_abort () at abort.c:79
#2  0x00007ffff7e4f3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f79285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7e5747c in malloc_printerr (str=str@entry=0x7ffff7f775a8 "realloc(): invalid next size") at malloc.c:5347
#4  0x00007ffff7e5b12c in _int_realloc (av=av@entry=0x7ffff7faab80 <main_arena>, oldp=oldp@entry=0x5555555815a0, oldsize=oldsize@entry=0x20, nb=0x20) at malloc.c:4564
#5  0x00007ffff7e5d136 in __GI___libc_realloc (oldmem=0x5555555815b0, bytes=0x11) at malloc.c:3226
#6  0x000055555555a8a0 in another (pargc=pargc@entry=0x7fffffffe16c, pargv=pargv@entry=0x7fffffffe160, prompt=prompt@entry=0x55555556d727 "macro name") at cmds.c:202
#7  0x000055555555f2ac in macdef (argc=<optimized out>, argv=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:107
#8  0x000055555555fb93 in domacro (argc=<optimized out>, argv=<optimized out>) at domacro.c:261
#9  0x0000555555564e12 in cmdscanner (top=<optimized out>) at main.c:464
#10 0x000055555555a1c2 in main (argc=0x0, argc@entry=0x1, argv=<optimized out>, argv@entry=0x7fffffffe388) at main.c:313
#11 0x00007ffff7de60b3 in __libc_start_main (main=0x555555559f10 <main>, argc=0x1, argv=0x7fffffffe388, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe378) at ../csu/libc-start.c:308
#12 0x000055555555a27e in _start ()
```

**ASAN**

```
==2120832==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000dbe at pc 0x000000480e4e bp 0x7fff39918270 sp 0x7fff39917a30
WRITE of size 39 at 0x602000000dbe thread T0
    #0 0x480e4d in strcpy (/home/zxq/CVE_testing/project/inetutils-2.2/build/bin/ftp+0x480e4d)
    #1 0x4de01b in domacro /home/zxq/CVE_testing/project/inetutils-2.2/ftp/domacro.c:269:8
    #2 0x4f3068 in cmdscanner /home/zxq/CVE_testing/project/inetutils-2.2/ftp/main.c:464:7
    #3 0x4f2165 in main /home/zxq/CVE_testing/project/inetutils-2.2/ftp/main.c:313:7
    #4 0x7effdd27b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c5cd in _start (/home/zxq/CVE_testing/project/inetutils-2.2/build/bin/ftp+0x41c5cd)

0x602000000dbe is located 0 bytes to the right of 14-byte region [0x602000000db0,0x602000000dbe)
allocated by thread T0 here:
    #0 0x495029 in realloc (/home/zxq/CVE_testing/project/inetutils-2.2/build/bin/ftp+0x495029)
    #1 0x4c4910 in another /home/zxq/CVE_testing/project/inetutils-2.2/ftp/cmds.c:202:9
    #2 0x4da640 in macdef /home/zxq/CVE_testing/project/inetutils-2.2/ftp/cmds.c:2594:20
    #3 0x4ddf28 in domacro /home/zxq/CVE_testing/project/inetutils-2.2/ftp/domacro.c:261:8
    #4 0x4ddf28 in domacro /home/zxq/CVE_testing/project/inetutils-2.2/ftp/domacro.c:261:8
    #5 0x4f3068 in cmdscanner /home/zxq/CVE_testing/project/inetutils-2.2/ftp/main.c:464:7

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/zxq/CVE_testing/project/inetutils-2.2/build/bin/ftp+0x480e4d) in strcpy
Shadow bytes around the buggy address:
  0x0c047fff8160: fa fa 00 fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8170: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8180: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c047fff8190: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff81a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff81b0: fa fa fd fd fa fa 00[06]fa fa fd fa fa fa fd fa
  0x0c047fff81c0: fa fa 04 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2120832==ABORTING
```
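The two traces together describe a size mismatch: the heap region was last grown by `realloc` in `another ()` to fit one input (a 14-byte region, per the ASan report), and `domacro` then `strcpy`s a 39-byte string into it. The C program below is an added example, not inetutils code; it models that pattern with a hypothetical `linebuf` type and constructed sample strings of the same sizes, and shows the fix: measure the source and grow the buffer before copying. The unchecked variant only reports how many bytes would land past the allocation instead of performing the write, so the program runs cleanly under ASan.

```c
/* Added example: models the reported bug pattern (buffer grown for one
   input, then a longer string copied in unbounded). Hypothetical code,
   not from inetutils. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct linebuf {
    char *data;
    size_t cap;   /* bytes currently allocated for data */
};

/* Grow the buffer so it holds `need` bytes (terminator included).
   Returns 0 on success, -1 if realloc fails (buffer left intact). */
static int linebuf_reserve(struct linebuf *lb, size_t need)
{
    if (need <= lb->cap)
        return 0;
    char *p = realloc(lb->data, need);
    if (p == NULL)
        return -1;
    lb->data = p;
    lb->cap = need;
    return 0;
}

/* Unsafe pattern, modelled not executed: an unbounded strcpy of src into
   lb->data would write strlen(src)+1 bytes regardless of lb->cap. Returns
   how many of those bytes would fall past the allocation (0 = fits). */
static size_t copy_unchecked_overflow_bytes(const struct linebuf *lb,
                                            const char *src)
{
    size_t need = strlen(src) + 1;
    return need > lb->cap ? need - lb->cap : 0;
}

/* Hardened pattern: size the destination from the source, then copy. */
static int copy_checked(struct linebuf *lb, const char *src)
{
    size_t need = strlen(src) + 1;
    if (linebuf_reserve(lb, need) != 0)
        return -1;
    memcpy(lb->data, src, need);
    return 0;
}

/* Constructed sample input mirroring the sizes in the report: a
   13-character name (14 bytes with NUL) followed by a 38-character
   line (39 bytes with NUL). */
static const char MACRO_NAME[] = "mymacroname13";
static const char MACRO_LINE[] = "get remote.txt local.txt then quit now";

/* Bytes the unchecked copy would write past the 14-byte region. */
size_t demo_overflow_bytes(void)
{
    struct linebuf lb = { NULL, 0 };
    if (linebuf_reserve(&lb, strlen(MACRO_NAME) + 1) != 0)
        return 0;
    memcpy(lb.data, MACRO_NAME, strlen(MACRO_NAME) + 1);
    size_t over = copy_unchecked_overflow_bytes(&lb, MACRO_LINE);
    free(lb.data);
    return over;   /* 39 - 14 = 25 */
}

/* 1 if the hardened copy grows the buffer to 39 bytes and copies intact. */
int demo_hardened_copy_ok(void)
{
    struct linebuf lb = { NULL, 0 };
    int ok = linebuf_reserve(&lb, strlen(MACRO_NAME) + 1) == 0
          && copy_checked(&lb, MACRO_LINE) == 0
          && lb.cap == strlen(MACRO_LINE) + 1
          && strcmp(lb.data, MACRO_LINE) == 0;
    free(lb.data);
    return ok;
}

int main(void)
{
    printf("unchecked copy would overflow by %zu bytes\n",
           demo_overflow_bytes());
    printf("hardened copy ok: %d\n", demo_hardened_copy_ok());
    return 0;
}
```

The hardened variant is what a fix for this class of bug has to do wherever a buffer sized for one string later receives another: derive the allocation size from the string actually being copied at the copy site, not from an earlier input. A bounded copy (`strncpy`/`snprintf` with `lb->cap`) would also stop the overflow, but silently truncating a macro body is usually worse than growing the buffer.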
**Attachment:** POC2 (Description: Binary data)