Null pointer dereference in CmdExec::FeedCmd (versions <= 4.9.1) #593
kmsecurity opened this issue Jun 21, 2020 · 0 comments
Hi folks, I noticed that lftp crashes on certain command file input. I'm pretty sure this is a null pointer deref, which is a memory corruption, but I doubt it's super exploitable.

Details:

```
(gdb) r -f lftp_cmdfile_fuzz/crashes/id:000000,sig:11,src:000000,op:havoc,rep:4 
...
Breakpoint 5, 0x0000000000461b61 in CmdExec::FeedCmd(char const*) ()
(gdb) x/5ig $rip
=> 0x461b61 <_ZN7CmdExec7FeedCmdEPKc+97>:	callq  0x43a3a0 <strlen@plt>
   0x461b66 <_ZN7CmdExec7FeedCmdEPKc+102>:	mov    %rbx,%rdi
   0x461b69 <_ZN7CmdExec7FeedCmdEPKc+105>:	mov    %r14,%rsi
   0x461b6c <_ZN7CmdExec7FeedCmdEPKc+108>:	mov    %eax,%edx
   0x461b6e <_ZN7CmdExec7FeedCmdEPKc+110>:	add    $0x8,%rsp
(gdb) x/1xg $rsi
0x0:	Cannot access memory at address 0x0 <--- argument passed to strlen is a null pointer
(gdb) ni

Program received signal SIGSEGV, Segmentation fault.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65	../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
(gdb) i s
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1  0x0000000000461b66 in CmdExec::FeedCmd(char const*) ()
#2  0x00000000004726f7 in cmd_subsh(CmdExec*) ()
#3  0x0000000000462fa1 in CmdExec::exec_parsed_command() ()
#4  0x0000000000468d60 in CmdExec::Do() ()
#5  0x0000000000563a76 in SMTask::ScheduleThis() ()
#6  0x000000000056325d in SMTask::Schedule() ()
#7  0x00000000004604ce in Job::WaitDone() ()
#8  0x000000000043edfd in main ()
```

Testing this on the latest package from the Ubuntu repo:

```
$ lftp -v
LFTP | Version 4.8.4 | Copyright (c) 1996-2017 Alexander V. Lukyanov

LFTP is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
...
$ lftp -f ../lftp_cmdfile_fuzz/crashes/id\:000000\,sig\:11\,src\:000000\,op\:havoc\,rep\:4 
Segmentation fault
```

Checking out the code for CmdExec::FeedCmd:

```cpp
void CmdExec::FeedCmd(const char *c)
{
   partial_cmd=false;
   start_time=now;
   cmd_buf.Put(c);
};
```

cmd_buf.Put, I believe, calls IOBuffer::Put, which in turn calls the strlen that crashes on a null pointer:

```cpp
void IOBuffer::Put(const char *buf)
{
   Put(buf,strlen(buf));
}
```

Recommendation:

The fix is easy: add a null check to IOBuffer::Put.

PoC command file:

poc.tar.gz
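As an added example (not lftp's own code), a minimal model of the two Put overloads from the report: the unchecked one that reaches strlen with a null pointer, beside a hardened one that rejects null instead. MiniBuffer, PutUnchecked, PutChecked and the stand-in FeedCmd are hypothetical names; lftp's real IOBuffer is more involved.

```cpp
#include <cassert>
#include <cstring>
#include <string>

// Hypothetical stand-in for lftp's IOBuffer (constructed for this example).
class MiniBuffer {
    std::string data_;
public:
    // Mirrors Put(const char*, int): the caller supplies the length.
    void Put(const char *buf, size_t len) { data_.append(buf, len); }

    // Shape of the overload quoted in the report: strlen(nullptr) is
    // undefined behaviour and faults in __strlen_avx2 as the gdb log shows.
    void PutUnchecked(const char *buf) { Put(buf, strlen(buf)); }

    // Hardened overload: a null pointer is reported to the caller
    // rather than handed to strlen.
    bool PutChecked(const char *buf) {
        if (buf == nullptr)
            return false;            // nothing to append, no dereference
        Put(buf, strlen(buf));
        return true;
    }

    const std::string &Contents() const { return data_; }
};

// Hypothetical model of the cmd_subsh -> FeedCmd -> Put path: the command
// text may be null when a malformed command file yields no argument.
bool FeedCmd(MiniBuffer &cmd_buf, const char *c) {
    return cmd_buf.PutChecked(c);
}

int main() {
    MiniBuffer b;
    assert(FeedCmd(b, "ls\n"));
    assert(!FeedCmd(b, nullptr));    // PutUnchecked would SIGSEGV here
    assert(b.Contents() == "ls\n");
    return 0;
}
```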
