NULL Pointer Dereference in setcmd () at commands.c:1152

From: ZFeiXQ
Subject: NULL Pointer Dereference in setcmd () at commands.c:1152
Date: Sat, 25 Dec 2021 12:19:28 +0800 (CST)

## Description

A NULL Pointer Dereference was discovered in setcmd () at commands.c:1152. The vulnerability causes a segmentation fault and application crash.

```
./telnet --version
telnet (GNU inetutils) 2.2
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
```

**System information**
Ubuntu 20.04.1 LTS, clang version 10.0.0-4ubuntu1

## Proof of Concept

```
./telnet < POC1
[1]    728662 segmentation fault  ./telnet < ./poc
```

```
Program received signal SIGSEGV, Segmentation fault.
RAX: 0x10 
RBX: 0x3 
RCX: 0x3 
RDX: 0x0 
RSI: 0x55555556d0c5 --> 0x6572207325006666 ('ff')
RDI: 0x555555577068 --> 0xa001c23 
RBP: 0x555555576ea0 --> 0x555555577060 --> 0x100b002000746553 
RSP: 0x7fffffffe1b0 --> 0x555555577060 --> 0x100b002000746553 
RIP: 0x55555555b7cd (<setcmd+701>: mov    BYTE PTR [rdx],al)
R8 : 0x555555577067 --> 0xa001c2310 
R9 : 0x0 
R10: 0x55555556d439 --> 0x69626d413f00203e ('> ')
R11: 0x7fffffffe65c --> 0x550074656e6c6574 ('telnet')
R12: 0x555555575b60 --> 0x55555556f7fb --> 0x4341492073250020 (' ')
R13: 0x7fffffffe380 --> 0x1 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
   0x55555555b7bf <setcmd+687>: cmove  eax,edx
   0x55555555b7c2 <setcmd+690>: nop    WORD PTR [rax+rax*1+0x0]
   0x55555555b7c8 <setcmd+696>: mov    rdx,QWORD PTR [r12+0x18]
=> 0x55555555b7cd <setcmd+701>: mov    BYTE PTR [rdx],al
   0x55555555b7cf <setcmd+703>: mov    rax,QWORD PTR [r12+0x18]
   0x55555555b7d4 <setcmd+708>: movzx  edi,BYTE PTR [rax]
   0x55555555b7d7 <setcmd+711>: call   0x55555555aed0 <control>
   0x55555555b7dc <setcmd+716>: mov    rdx,QWORD PTR [r12]
0000| 0x7fffffffe1b0 --> 0x555555577060 --> 0x100b002000746553 
0008| 0x7fffffffe1b8 --> 0x5555555754e0 --> 0x55555556d48c --> 0x67676f7400746573 ('set')
0016| 0x7fffffffe1c0 --> 0x0 
0024| 0x7fffffffe1c8 --> 0x1 
0032| 0x7fffffffe1d0 --> 0x7fffffffe380 --> 0x1 
0040| 0x7fffffffe1d8 --> 0x55555555dadb (<command+411>: test   eax,eax)
0048| 0x7fffffffe1e0 --> 0x0 
0056| 0x7fffffffe1e8 --> 0x7fffffffe390 --> 0x0 
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555555b7cd in setcmd (argc=0x3, argv=0x555555576ea0 <margv>) at commands.c:1152
1152       *(ct->charp) = (cc_t) value;
gdb-peda$ bt
#0  0x000055555555b7cd in setcmd (argc=0x3, argv=0x555555576ea0 <margv>) at commands.c:1152
#1  0x000055555555dadb in command (top=0x1, tbuf=0x0, cnt=<optimized out>) at commands.c:3047
#2  0x0000555555559fe4 in main (argc=0x0, argc@entry=0x1, argv=0x7fffffffe390, argv@entry=0x7fffffffe388) at main.c:426
#3  0x00007ffff7db60b3 in __libc_start_main (main=0x555555559d60 <main>, argc=0x1, argv=0x7fffffffe388, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe378) at ../csu/libc-start.c:308
#4  0x000055555555a01e in _start () at main.c:426
```
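The faulting line in the trace stores through `ct->charp` with RDX (the pointer) equal to 0. The following is an added, constructed C model of that pattern, not inetutils' own setcmd() or its tables: a table-driven `set` command whose entries carry a storage pointer that may be NULL, with the assignment guarded so a NULL entry is rejected instead of dereferenced. The struct name `setlist`, the table `Setlist`, and the functions `getset`, `setcmd_safe` and `get_value` are hypothetical.

```c
/* Constructed model of the crash pattern in the report above.
 * This is NOT inetutils' commands.c; all names here are hypothetical. */
#include <stddef.h>
#include <string.h>
#include <termios.h>   /* cc_t, the type used on commands.c:1152 */

struct setlist {
    const char *name;   /* variable name given after "set" */
    cc_t *charp;        /* backing storage; NULL for entries that have none */
};

static cc_t escape_char = '^';
static cc_t erase_char  = 0x7f;

/* Constructed table: "ghost" has no backing storage, which is the shape
 * that makes *(ct->charp) fault when the pointer is not checked. */
static struct setlist Setlist[] = {
    { "escape", &escape_char },
    { "erase",  &erase_char },
    { "ghost",  NULL },
    { NULL,     NULL },
};

/* Look a variable up by name; NULL when the name is unknown. */
static struct setlist *getset(const char *name)
{
    for (struct setlist *ct = Setlist; ct->name != NULL; ct++)
        if (strcmp(ct->name, name) == 0)
            return ct;
    return NULL;
}

/* Guarded version of the assignment: refuse entries without storage.
 * Returns 1 on success, 0 when the variable is unknown or unsettable. */
int setcmd_safe(const char *name, int value)
{
    struct setlist *ct = getset(name);
    if (ct == NULL || ct->charp == NULL)
        return 0;                   /* would have been a NULL store */
    *(ct->charp) = (cc_t) value;    /* the commands.c:1152 store, now guarded */
    return 1;
}

/* Read back a variable; -1 when it is unknown or has no storage. */
int get_value(const char *name)
{
    struct setlist *ct = getset(name);
    return (ct != NULL && ct->charp != NULL) ? (int) *(ct->charp) : -1;
}
```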