- Date: 06-21-20
- Vendor Homepage: https://lftp.yar.ru/
- Software Link: http://lftp.yar.ru/ftp/lftp-4.9.1.tar.gz
- Version: <= 4.9.1
- Bug link: https://github.com/lavv17/lftp/issues/593
I've discovered a null pointer dereference bug in LFTP version 4.9.1 which probably affects previous versions. The bug occurs in CmdExec::FeedCmd and triggers in strlen due to a null pointer argument: FeedCmd passes its const char* argument straight to strlen, and the backtrace shows the call coming from cmd_subsh, the handler for the ( ... ) subshell command, while lftp executes a command file passed with -f. The following gdb trace demonstrates this:
(gdb) r -f lftp_cmdfile_fuzz/crashes/id:000000,sig:11,src:000000,op:havoc,rep:4
The program being debugged has been started already.
...
Breakpoint 5, 0x0000000000461b61 in CmdExec::FeedCmd(char const*) ()
(gdb) x/5ig $rip
=> 0x461b61 <_ZN7CmdExec7FeedCmdEPKc+97>: callq 0x43a3a0 <strlen@plt>
0x461b66 <_ZN7CmdExec7FeedCmdEPKc+102>: mov %rbx,%rdi
0x461b69 <_ZN7CmdExec7FeedCmdEPKc+105>: mov %r14,%rsi
0x461b6c <_ZN7CmdExec7FeedCmdEPKc+108>: mov %eax,%edx
0x461b6e <_ZN7CmdExec7FeedCmdEPKc+110>: add $0x8,%rsp
(gdb) x/1xg $rsi
0x0: Cannot access memory at address 0x0 <--- argument passed to strlen is a null pointer
(gdb) ni
Program received signal SIGSEGV, Segmentation fault.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65 ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
(gdb) i s
#0 __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1 0x0000000000461b66 in CmdExec::FeedCmd(char const*) ()
#2 0x00000000004726f7 in cmd_subsh(CmdExec*) ()
#3 0x0000000000462fa1 in CmdExec::exec_parsed_command() ()
#4 0x0000000000468d60 in CmdExec::Do() ()
#5 0x0000000000563a76 in SMTask::ScheduleThis() ()
#6 0x000000000056325d in SMTask::Schedule() ()
#7 0x00000000004604ce in Job::WaitDone() ()
#8 0x000000000043edfd in main ()
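The pattern the backtrace shows, as an added example that is not lftp's code: a hypothetical command buffer whose feed routine calls strlen() on an argument that can be NULL when the argument vector is shorter than the handler expects, next to a guarded form that refuses the missing argument instead of crashing. The names (cmd_buf, get_arg, feed_cmd_unchecked, feed_cmd_checked, run_subsh) and the assumption that the argument accessor returns NULL past the last argument are choices made for this illustration; the inputs are constructed, not the fuzzer's crash file.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of the crash pattern in the backtrace above. This is
 * NOT lftp's code: cmd_buf, get_arg, feed_cmd_* and run_subsh are names
 * chosen for the example. What it keeps from the report is the shape of
 * the bug: a "(" handler fetches an argument that may be absent and hands
 * it straight to a buffer routine that calls strlen() on it.
 */

#define CMD_BUF_SIZE 256

typedef struct {
    char   data[CMD_BUF_SIZE];
    size_t len;
} cmd_buf;

static void cmd_buf_init(cmd_buf *b)
{
    b->len = 0;
    b->data[0] = '\0';
}

/* Assumption: an ArgV-style accessor that returns NULL past the last
 * argument instead of failing loudly. That is where the NULL comes from. */
static const char *get_arg(const char *const *args, int nargs, int i)
{
    return (i >= 0 && i < nargs) ? args[i] : NULL;
}

/* The unguarded pattern: strlen(c) before anyone has checked c. With
 * c == NULL this faults inside strlen, like frames #0/#1 above.
 * Kept only for comparison; nothing here calls it with NULL. */
static void feed_cmd_unchecked(cmd_buf *b, const char *c)
{
    size_t n = strlen(c);                 /* NULL dereference happens here */
    if (b->len + n + 1 > CMD_BUF_SIZE)
        n = CMD_BUF_SIZE - 1 - b->len;
    memcpy(b->data + b->len, c, n);
    b->len += n;
    b->data[b->len] = '\0';
}

/* Hardened form: validate the pointer and the size before touching memory.
 * Returns 0 on success, -1 for a NULL argument, -2 if the text would not fit. */
static int feed_cmd_checked(cmd_buf *b, const char *c)
{
    if (c == NULL)
        return -1;
    size_t n = strlen(c);
    if (b->len + n + 1 > CMD_BUF_SIZE)
        return -2;
    memcpy(b->data + b->len, c, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

/* Model of a "(" subshell handler: the body is args[1]. A lone "(" gives
 * nargs == 1, so get_arg() yields NULL and the handler must refuse it
 * rather than forward it. Returns 0 on success, -1 on a missing body. */
static int run_subsh(const char *const *args, int nargs, cmd_buf *out)
{
    cmd_buf_init(out);
    const char *body = get_arg(args, nargs, 1);
    if (feed_cmd_checked(out, body) != 0) {
        fprintf(stderr, "(: missing or oversized subshell body\n");
        return -1;
    }
    return feed_cmd_checked(out, "\n") == 0 ? 0 : -1;
}

/* Constructed inputs (not the fuzzer's crash file) exercising both paths. */
static int demo_with_body(void)        /* 0 when the buffer ends up as "ls\n" */
{
    cmd_buf b;
    const char *args[] = { "(", "ls" };
    if (run_subsh(args, 2, &b) != 0)
        return -100;
    return strcmp(b.data, "ls\n") == 0 ? 0 : -101;
}

static int demo_without_body(void)     /* -1: lone "(" is rejected, no crash */
{
    cmd_buf b;
    const char *args[] = { "(" };
    return run_subsh(args, 1, &b);
}

int main(void)
{
    printf("with body:    %d\n", demo_with_body());
    printf("without body: %d\n", demo_without_body());
    (void)feed_cmd_unchecked;
    return 0;
}
```

The check belongs in the handler (or at the boundary of the feed routine), not at the strlen call site: once a NULL can reach a buffer API, every caller becomes a crash candidate, which is why a one-line guard in the consumer is the right shape of fix for this class of bug.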
Testing this on the latest binaries from the Ubuntu repository (version 4.8.4 at the time):
>$ lftp -v
LFTP | Version 4.8.4 | Copyright (c) 1996-2017 Alexander V. Lukyanov
LFTP is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
...
>$ lftp -f ../lftp_cmdfile_fuzz/crashes/id\:000000\,sig\:11\,src\:000000\,op\:havoc\,rep\:4
Segmentation fault
Some closing remarks: I've reported the bug to the Debian folks so they are aware. It didn't make the bar for a vulnerability, but I think this may constitute a problem on some platforms and point to bigger problems in the lftp code base. I don't know of any public way to exploit this, but I'm posting it so there is a public record and awareness.