[bug #61725] NULL Pointer Dereference in help() at inetutils/telnet/comm
From: AiDai
Subject: [bug #61725] NULL Pointer Dereference in help() at inetutils/telnet/commands.c:3094
Date: Thu, 23 Dec 2021 09:13:58 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
URL:
<https://savannah.gnu.org/bugs/?61725>
Summary: NULL Pointer Dereference in help() at
inetutils/telnet/commands.c:3094
Project: GNU Networking Utilities
Submitted by: aidai
Submitted on: Thu 23 Dec 2021 02:13:56 PM UTC
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
# NULL Pointer Dereference in help() at inetutils/telnet/commands.c:3094
## Description
A NULL pointer dereference was discovered in help() at
inetutils/telnet/commands.c:3094, where `printf ("%s\n", c->help)` is reached
with `c->help == NULL` (in the gdb session below, RDI is 0x0 when puts is
called). The vulnerability causes a segmentation fault and application crash.
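As an added illustration, not code from inetutils, here is a minimal C model of telnet's two command tables and the help() lookup: the `Command` layout, the sample table contents and the helper names are assumptions chosen to mirror the names in the backtrace (cmdtab, cmdtab2, getcmd), and `help_text()` returns what `? arg` would print, with the NULL check that the printf at line 3094 lacks.

```c
#include <stddef.h>
#include <string.h>
/* Simplified model of a telnet command-table entry (assumed layout). */
typedef struct {
    const char *name;
    const char *help;   /* NULL for every entry of the second table, as in cmdtab2 */
} Command;

/* Constructed sample tables; only the shape matches the real ones. */
static const Command cmdtab[] = {
    { "display", "display operating parameters" },
    { "send",    "transmit special characters" },
    { "status",  "print status information" },
};
static const Command cmdtab2[] = { { "help", NULL }, { "crmod", NULL } };
#define NELEM(a) (sizeof (a) / sizeof (a)[0])
static const Command ambiguous = { NULL, NULL };   /* sentinel for ambiguous prefixes */

/* Prefix lookup in one table: an exact match wins, a single prefix match is
 * returned, two or more give the sentinel, none gives NULL. */
static const Command *lookup(const Command *tab, size_t n, const char *arg) {
    const Command *found = NULL;
    size_t len = strlen(arg);
    for (size_t i = 0; i < n; i++) {
        if (strcmp(tab[i].name, arg) == 0)
            return &tab[i];
        if (strncmp(tab[i].name, arg, len) == 0) {
            if (found)
                return &ambiguous;
            found = &tab[i];
        }
    }
    return found;
}

/* Like getcmd(): search the first table, then the second. */
static const Command *getcmd(const char *arg) {
    const Command *c = lookup(cmdtab, NELEM(cmdtab), arg);
    return c ? c : lookup(cmdtab2, NELEM(cmdtab2), arg);
}

/* Text that "? arg" would print. The unpatched help() hands c->help to
 * printf ("%s\n", ...) without the NULL check below, which is the crash. */
const char *help_text(const char *arg) {
    const Command *c = getcmd(arg);
    if (c == &ambiguous) return "?Ambiguous help command";
    if (c == NULL)       return "?Invalid help command";
    if (c->help == NULL) return "(no help available)";   /* the missing check */
    return c->help;
}
```

With the sample tables, `? h` resolves to the cmdtab2 entry whose help field is NULL, the same path the reporter's input takes.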
**version**
```
./telnet --version
telnet (GNU inetutils) 2.2.16-cf091
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by many authors.
```
**System information**
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
## Proof of Concept
**poc**
```
base64 poc
ID8JCQn/CQn/CQj/////CQlkCQkJCQnwCQkJCQloCQkJCQn/////CQlkCQkJCQnwCQkJ7ekJCQkJ
CQkJCeoICQkZCQkJKiwJCQkJCQkJCQkJCQk=
```
**command:**
```
./telnet < ./poc
```
**Result**
```
./telnet < poc
telnet> ?Invalid help command �
?Invalid help command �
?Invalid help command����
display operating parameters
?Invalid help command �
[3] 398703 segmentation fault ./telnet < poc
```
**gdb**
```
Breakpoint 2, 0x000055555555dbd3 in help (argc=8, argv=0x55555557c130 <margv+48>) at commands.c:3094
3094          printf ("%s\n", c->help);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
*RAX  0x0
*RBX  0x55555557b480 (cmdtab2) —▸ 0x555555571232 ◂— 0x6f6400706c6568 /* 'help' */
 RCX  0x0
*RDX  0xc6
*RDI  0x0
*RSI  0x5555555719cc ◂— 0x646f6d7263 /* 'crmod' */
 R8   0x0
*R9   0x18
 R10  0x555555572ee2 ◂— 0x2500454d4f48000a /* '\n' */
 R11  0x246
*R12  0x55555557befd (line+29) ◂— 0xffff090909090068 /* 'h' */
 R13  0x7fffffffe210 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x7fffffffe060 —▸ 0x7fffffffe090 —▸ 0x7fffffffe120 ◂— 0x0
 RSP  0x7fffffffe040 —▸ 0x55555557c130 (margv+48) —▸ 0x55555557befd (line+29) ◂— 0xffff090909090068 /* 'h' */
 RIP  0x55555555dbd3 (help+212) ◂— call 0x555555559790
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
   0x55555555dbcc <help+205>    mov    rax, qword ptr [rbx + 8]
   0x55555555dbd0 <help+209>    mov    rdi, rax
 ► 0x55555555dbd3 <help+212>    call   puts@plt <puts@plt>
        s: 0x0
   0x55555555dbd8 <help+217>    sub    dword ptr [rbp - 0x14], 1
   0x55555555dbdc <help+221>    cmp    dword ptr [rbp - 0x14], 0
   0x55555555dbe0 <help+225>    jg     help+116 <help+116>
   0x55555555dbe2 <help+227>    mov    eax, 0
   0x55555555dbe7 <help+232>    add    rsp, 0x10
   0x55555555dbeb <help+236>    pop    rbx
   0x55555555dbec <help+237>    pop    r12
   0x55555555dbee <help+239>    pop    rbp
──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
In file: /root/disk2/fuzzing/inetutils/inetutils/telnet/commands.c
   3089       if (Ambiguous (c))
   3090         printf ("?Ambiguous help command %s\n", arg);
   3091       else if (c == (Command *) 0)
   3092         printf ("?Invalid help command %s\n", arg);
   3093       else
 ► 3094         printf ("%s\n", c->help);
   3095     }
   3096   return 0;
   3097 }
   3098
   3099 static char *rcname = 0;
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe040 —▸ 0x55555557c130 (margv+48) —▸ 0x55555557befd (line+29) ◂— 0xffff090909090068 /* 'h' */
01:0008│     0x7fffffffe048 ◂— 0x85557bee1
02:0010│     0x7fffffffe050 —▸ 0x55555557b440 (cmdtab+480) —▸ 0x55555557121b ◂— 0x616c70736944003f /* '?' */
03:0018│     0x7fffffffe058 —▸ 0x555555559d20 (_start) ◂— endbr64
04:0020│ rbp 0x7fffffffe060 —▸ 0x7fffffffe090 —▸ 0x7fffffffe120 ◂— 0x0
05:0028│     0x7fffffffe068 —▸ 0x55555555dab9 (command+550) ◂— test eax, eax
06:0030│     0x7fffffffe070 ◂— 0x0
07:0038│     0x7fffffffe078 ◂— 0x100000000
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0 0x55555555dbd3 help+212
   f 1 0x55555555dab9 command+550
   f 2 0x55555555e3c8 main+776
   f 3 0x7ffff7db50b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x000055555555dbd3 in help (argc=8, argv=0x55555557c130 <margv+48>) at commands.c:3094
#1  0x000055555555dab9 in command (top=1, tbuf=0x0, cnt=0) at commands.c:3044
#2  0x000055555555e3c8 in main (argc=0, argv=0x7fffffffe220) at main.c:423
#3  0x00007ffff7db50b3 in __libc_start_main (main=0x55555555e0c0 <main>, argc=1, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
#4  0x0000555555559d4e in _start ()
```
**crash**
```
Program received signal SIGSEGV, Segmentation fault.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65      ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x55555557b480 (cmdtab2) —▸ 0x555555571232 ◂— 0x6f6400706c6568 /* 'help' */
 RCX  0x0
*RDX  0x0
 RDI  0x0
 RSI  0x5555555719cc ◂— 0x646f6d7263 /* 'crmod' */
 R8   0x0
 R9   0x18
 R10  0x555555572ee2 ◂— 0x2500454d4f48000a /* '\n' */
 R11  0x246
*R12  0x0
 R13  0x7fffffffe210 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x7fffffffe060 —▸ 0x7fffffffe090 —▸ 0x7fffffffe120 ◂— 0x0
*RSP  0x7fffffffe008 —▸ 0x7ffff7e155b4 (puts+20) ◂— mov r13, qword ptr [rip + 0x16398d]
*RIP  0x7ffff7f19675 (__strlen_avx2+21) ◂— vpcmpeqb ymm1, ymm0, ymmword ptr [rdi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff7f19675 <__strlen_avx2+21>     vpcmpeqb ymm1, ymm0, ymmword ptr [rdi]
   0x7ffff7f19679 <__strlen_avx2+25>     vpmovmskb eax, ymm1
   0x7ffff7f1967d <__strlen_avx2+29>     test   eax, eax
   0x7ffff7f1967f <__strlen_avx2+31>     jne    __strlen_avx2+272 <__strlen_avx2+272>
    ↓
   0x7ffff7f19770 <__strlen_avx2+272>    tzcnt  eax, eax
   0x7ffff7f19774 <__strlen_avx2+276>    add    rax, rdi
   0x7ffff7f19777 <__strlen_avx2+279>    sub    rax, rdx
   0x7ffff7f1977a <__strlen_avx2+282>    vzeroupper
   0x7ffff7f1977d <__strlen_avx2+285>    ret
   0x7ffff7f1977e <__strlen_avx2+286>    nop
   0x7ffff7f19780 <__strlen_avx2+288>    tzcnt  eax, eax
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe008 —▸ 0x7ffff7e155b4 (puts+20) ◂— mov r13, qword ptr [rip + 0x16398d]
01:0008│     0x7fffffffe010 —▸ 0x55555557b480 (cmdtab2) —▸ 0x555555571232 ◂— 0x6f6400706c6568 /* 'help' */
02:0010│     0x7fffffffe018 —▸ 0x7fffffffe060 —▸ 0x7fffffffe090 —▸ 0x7fffffffe120 ◂— 0x0
03:0018│     0x7fffffffe020 —▸ 0x55555557befd (line+29) ◂— 0xffff090909090068 /* 'h' */
04:0020│     0x7fffffffe028 —▸ 0x7fffffffe210 ◂— 0x1
05:0028│     0x7fffffffe030 ◂— 0x0
06:0030│     0x7fffffffe038 —▸ 0x55555555dbd8 (help+217) ◂— sub dword ptr [rbp - 0x14], 1
07:0038│     0x7fffffffe040 —▸ 0x55555557c130 (margv+48) —▸ 0x55555557befd (line+29) ◂— 0xffff090909090068 /* 'h' */
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0 0x7ffff7f19675 __strlen_avx2+21
   f 1 0x7ffff7e155b4 puts+20
   f 2 0x55555555dbd8 help+217
   f 3 0x55555555dab9 command+550
   f 4 0x55555555e3c8 main+776
   f 5 0x7ffff7db50b3 __libc_start_main+243
```
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?61725>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/