A heap-buffer-overflow in another () at cmds.c:202

ZFeiXQ Sat, 25 Dec 2021 07:05:42 -0800

## Description

A heap-buffer-overflow in another () at cmds.c:202, The vulnerability causes a 
abort fault and application crash.


**version**

```
./ftp--version


ftp (GNU inetutils) 2.2

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law

```

**System information**
Ubuntu 20.04.1 LTS, clang version 10.0.0-4ubuntu1



## Proof of Concept


[POC2](https://drive.google.com/file/d/1mwTNmF7uWuD8gbN7RCH68qQNvxA1DGmT/view?usp=sharing)


**command:**

```
./ftp< POC2
```

**Result**

```
./telnet < POC1
[1]    728662 segmentation fault  ./telnet < ./poc
```


**gdb**
```
Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7ffff7fb2600 (0x00007ffff7fb2600)
RCX: 0x7ffff7e0518b (<__GI_raise+203>:mov    rax,QWORD PTR [rsp+0x108])
RDX: 0x0 
RSI: 0x7fffffffdd00 --> 0x0 
RDI: 0x2 
RBP: 0x7fffffffe050 --> 0x5555555815a0 --> 0x0 
RSP: 0x7fffffffdd00 --> 0x0 
RIP: 0x7ffff7e0518b (<__GI_raise+203>:mov    rax,QWORD PTR [rsp+0x108])
R8 : 0x0 
R9 : 0x7fffffffdd00 --> 0x0 
R10: 0x8 
R11: 0x246 
R12: 0x7fffffffdf70 --> 0x0 
R13: 0x10 
R14: 0x7ffff7ffb000 --> 0x6c61657200001000 
R15: 0x1
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7e0517f <__GI_raise+191>:mov    edi,0x2
   0x7ffff7e05184 <__GI_raise+196>:mov    eax,0xe
   0x7ffff7e05189 <__GI_raise+201>:syscall 
=> 0x7ffff7e0518b <__GI_raise+203>:mov    rax,QWORD PTR [rsp+0x108]
   0x7ffff7e05193 <__GI_raise+211>:xor    rax,QWORD PTR fs:0x28
   0x7ffff7e0519c <__GI_raise+220>:jne    0x7ffff7e051c4 <__GI_raise+260>
   0x7ffff7e0519e <__GI_raise+222>:mov    eax,r8d
   0x7ffff7e051a1 <__GI_raise+225>:add    rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdd00 --> 0x0 
0008| 0x7fffffffdd08 --> 0x55555557f0c0 --> 0x55555557ebb0 --> 0x7ffff7539000 
--> 0x10102464c457f 
0016| 0x7fffffffdd10 --> 0x3 
0024| 0x7fffffffdd18 --> 0xd45be60417d36d00 
0032| 0x7fffffffdd20 --> 0x1f7fcf580 
0040| 0x7fffffffdd28 --> 0x7ffff753a000 --> 0x11001200000565 
0048| 0x7fffffffdd30 --> 0x555555581790 --> 0x0 
0056| 0x7fffffffdd38 --> 0xffffffffffffffff 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
50../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7de4859 in __GI_abort () at abort.c:79
#2  0x00007ffff7e4f3ee in __libc_message (action=action@entry=do_abort, 
fmt=fmt@entry=0x7ffff7f79285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7e5747c in malloc_printerr (str=str@entry=0x7ffff7f775a8 
"realloc(): invalid next size") at malloc.c:5347
#4  0x00007ffff7e5b12c in _int_realloc (av=av@entry=0x7ffff7faab80 
<main_arena>, oldp=oldp@entry=0x5555555815a0, oldsize=oldsize@entry=0x20, 
nb=0x20) at malloc.c:4564
#5  0x00007ffff7e5d136 in __GI___libc_realloc (oldmem=0x5555555815b0, 
bytes=0x11) at malloc.c:3226
#6  0x000055555555a8a0 in another (pargc=pargc@entry=0x7fffffffe16c, 
pargv=pargv@entry=0x7fffffffe160, prompt=prompt@entry=0x55555556d727 "macro 
name") at cmds.c:202
#7  0x000055555555f2ac in macdef (argc=<optimized out>, argv=<optimized out>) 
at /usr/include/x86_64-linux-gnu/bits/stdio2.h:107
#8  0x000055555555fb93 in domacro (argc=<optimized out>, argv=<optimized out>) 
at domacro.c:261
#9  0x0000555555564e12 in cmdscanner (top=<optimized out>) at main.c:464
#10 0x000055555555a1c2 in main (argc=0x0, argc@entry=0x1, argv=<optimized out>, 
argv@entry=0x7fffffffe388) at main.c:313
#11 0x00007ffff7de60b3 in __libc_start_main (main=0x555555559f10 <main>, 
argc=0x1, argv=0x7fffffffe388, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe378) at 
../csu/libc-start.c:308
#12 0x000055555555a27e in _start ()



```
**ASAN**
```
==2120832==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x602000000dbe at pc 0x000000480e4e bp 0x7fff39918270 sp 0x7fff39917a30
WRITE of size 39 at 0x602000000dbe thread T0
    #0 0x480e4d in strcpy 
(/home/zxq/CVE_testing/project/inetutils-2.2/build/bin/ftp+0x480e4d)
    #1 0x4de01b in domacro 
/home/zxq/CVE_testing/project/inetutils-2.2/ftp/domacro.c:269:8
    #2 0x4f3068 in cmdscanner 
/home/zxq/CVE_testing/project/inetutils-2.2/ftp/main.c:464:7
    #3 0x4f2165 in main 
/home/zxq/CVE_testing/project/inetutils-2.2/ftp/main.c:313:7
    #4 0x7effdd27b0b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c5cd in _start 
(/home/zxq/CVE_testing/project/inetutils-2.2/build/bin/ftp+0x41c5cd)


0x602000000dbe is located 0 bytes to the right of 14-byte region 
[0x602000000db0,0x602000000dbe)
allocated by thread T0 here:
    #0 0x495029 in realloc 
(/home/zxq/CVE_testing/project/inetutils-2.2/build/bin/ftp+0x495029)
    #1 0x4c4910 in another 
/home/zxq/CVE_testing/project/inetutils-2.2/ftp/cmds.c:202:9
    #2 0x4da640 in macdef 
/home/zxq/CVE_testing/project/inetutils-2.2/ftp/cmds.c:2594:20
    #3 0x4ddf28 in domacro 
/home/zxq/CVE_testing/project/inetutils-2.2/ftp/domacro.c:261:8
    #4 0x4ddf28 in domacro 
/home/zxq/CVE_testing/project/inetutils-2.2/ftp/domacro.c:261:8
    #5 0x4f3068 in cmdscanner 
/home/zxq/CVE_testing/project/inetutils-2.2/ftp/main.c:464:7


SUMMARY: AddressSanitizer: heap-buffer-overflow 
(/home/zxq/CVE_testing/project/inetutils-2.2/build/bin/ftp+0x480e4d) in strcpy
Shadow bytes around the buggy address:
  0x0c047fff8160: fa fa 00 fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8170: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8180: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c047fff8190: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff81a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff81b0: fa fa fd fd fa fa 00[06]fa fa fd fa fa fa fd fa
  0x0c047fff81c0: fa fa 04 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2120832==ABORTING


```

POC2
Description: Binary data

A heap-buffer-overflow in another () at cmds.c:202

Reply via email to