[Memory Corruption Bugs] Lftp Null pointer dereference (<= 4.9.1) in CmdExec::FeedCmd


I've discovered a null pointer dereference bug in LFTP version 4.9.1 which probably affects previous versions. The bug occurs in CmdExec::FeedCmd and triggers in strlen due to a null pointer argument. The following gdb trace demonstrates this:


(gdb) r -f lftp_cmdfile_fuzz/crashes/id:000000,sig:11,src:000000,op:havoc,rep:4
The program being debugged has been started already.
...
Breakpoint 5, 0x0000000000461b61 in CmdExec::FeedCmd(char const*) ()
(gdb) x/5ig $rip
=> 0x461b61 <_ZN7CmdExec7FeedCmdEPKc+97>:    callq  0x43a3a0 <strlen@plt>
   0x461b66 <_ZN7CmdExec7FeedCmdEPKc+102>:    mov    %rbx,%rdi
   0x461b69 <_ZN7CmdExec7FeedCmdEPKc+105>:    mov    %r14,%rsi
   0x461b6c <_ZN7CmdExec7FeedCmdEPKc+108>:    mov    %eax,%edx
   0x461b6e <_ZN7CmdExec7FeedCmdEPKc+110>:    add    $0x8,%rsp
(gdb) x/1xg $rsi
0x0:    Cannot access memory at address 0x0
<--- argument passed to strlen is a null pointer
(gdb) ni

Program received signal SIGSEGV, Segmentation fault.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65    ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
(gdb) i s
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1  0x0000000000461b66 in CmdExec::FeedCmd(char const*) ()
#2  0x00000000004726f7 in cmd_subsh(CmdExec*) ()
#3  0x0000000000462fa1 in CmdExec::exec_parsed_command() ()
#4  0x0000000000468d60 in CmdExec::Do() ()
#5  0x0000000000563a76 in SMTask::ScheduleThis() ()
#6  0x000000000056325d in SMTask::Schedule() ()
#7  0x00000000004604ce in Job::WaitDone() ()
#8  0x000000000043edfd in main ()
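To make the pattern in the backtrace concrete, here is a constructed C model (added here, not lftp's code) of a FeedCmd-style queue: the unchecked version calls strlen on its argument before validating it, the checked version rejects a NULL argument, and cmd_subsh_model shows how an optional command argument becomes that NULL. The names cmd_queue, feed_cmd_unchecked, feed_cmd_checked and cmd_subsh_model are all hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of a command queue in the spirit of lftp's CmdExec;
 * illustration code only, not lftp's implementation. */
struct cmd_queue {
    char   buf[256];
    size_t len;
};

/* The crash pattern from the trace: strlen() runs on the argument before
 * anything checks that the pointer is non-NULL. strlen(NULL) is undefined
 * behaviour and faults inside libc, exactly where the backtrace stops. */
int feed_cmd_unchecked(struct cmd_queue *q, const char *cmd)
{
    size_t n = strlen(cmd);                 /* SIGSEGV when cmd == NULL */
    if (q->len + n + 1 >= sizeof q->buf)
        return -1;                          /* queue full */
    memcpy(q->buf + q->len, cmd, n);
    q->len += n;
    q->buf[q->len++] = '\n';
    return 0;
}

/* Hardened variant: a missing argument is an error reported to the caller,
 * never a pointer handed to strlen(). */
int feed_cmd_checked(struct cmd_queue *q, const char *cmd)
{
    if (cmd == NULL)
        return -1;
    return feed_cmd_unchecked(q, cmd);
}

/* Model of a subshell command whose argument is optional: when the script
 * line is just the command name, argv[1] does not exist and the body is
 * NULL. This mirrors the cmd_subsh -> FeedCmd call path in the trace. */
int cmd_subsh_model(struct cmd_queue *q, int argc, char **argv)
{
    const char *body = argc > 1 ? argv[1] : NULL;
    return feed_cmd_checked(q, body);
}
int main(void)
{
    struct cmd_queue q = { {0}, 0 };
    char *no_arg[]   = { "subsh", NULL };
    char *with_arg[] = { "subsh", "ls", NULL };
    printf("subsh without argument: %d\n", cmd_subsh_model(&q, 1, no_arg));
    printf("subsh with argument:    %d\n", cmd_subsh_model(&q, 2, with_arg));
    return 0;
}
```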


Testing this on the latest binaries from the Ubuntu repository:

>$ lftp -v
LFTP | Version 4.8.4 | Copyright (c) 1996-2017 Alexander V. Lukyanov

LFTP is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
...
>$ lftp -f ../lftp_cmdfile_fuzz/crashes/id\:000000\,sig\:11\,src\:000000\,op\:havoc\,rep\:4
Segmentation fault


Some closing remarks: I've reported the bug to the Debian folks so they are aware. It didn't make the bar for a vulnerability, but I think this may constitute a problem on some platforms and speak towards bigger problems in the lftp code base. I don't know of any public ways to exploit this, but I'm posting it so there is public record and awareness.