
Null pointer dereference leading to crash of the server (splitVarVal)

Open cve-reporting opened this issue 5 years ago • 0 comments

HTCPCP server incorrectly handles incoming network messages, leading to a NULL pointer dereference and resulting in a crash of the server.

Proposed CVSS 3.0 score:

7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Error message WITHOUT Address Sanitizer:

Welcome to the potLogic CoffeeTr0n!
    Ready to brew.. there are 5 Pots available
Created thread 0
Thread 0

Request:
D�����g�rd
Segmentation fault

Error message WITH Address Sanitizer:

./matrixssl-ASAN/apps/dtls/dtlsServer -p 44444
DTLS server running on port 44444
sslBuf = 0x61b00001e380 recvfromBuf = 0x61b00001f180 recvLen = 67
sslBuf = 0x61b00001ea80 recvfromBuf = 0x61b00001f180 recvLen = 1047
=================================================================
Created thread 0
Thread 0

Request:
D�����g�rd
ASAN:SIGSEGV
=================================================================
==21766==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2af2a2f746 bp 0x7f2aefbfbd10 sp 0x7f2aefbfb498 T1)
    #0 0x7f2af2a2f745 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x8b745)
    #1 0x7f2af2ffb1a5 in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x701a5)
    #2 0x40347b in splitVarVal (htcpcp_server_ASAN+0x40347b)
    #3 0x40392b in CoffeeRequestHandler (htcpcp_server_ASAN+0x40392b)
    #4 0x403e47 in thread (htcpcp_server_ASAN+0x403e47)
    #5 0x7f2af2d756b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #6 0x7f2af2aab41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 strlen
Thread T1 created by T0 here:
    #0 0x7f2af2fc1253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x404b09 in main (htcpcp_server_ASAN+0x404b09)
    #2 0x7f2af29c482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

==21766==ABORTING

Reproduction:

  1. Download and compile HTCPCP server.

  2. Run HTCPCP server: ./htcpcp_server 44444
     (using defork from Preeny package: https://github.com/zardus/preeny) LD_PRELOAD=~/tools/preeny/defork.so ./htcpcp_server 44444

  3. Unzip and send attached crafted message, e.g. using netcat: netcat $IP 44444 < payload_madmaze-htcpcp_000.raw where $IP is the IP of the test server

payload_madmaze-htcpcp_000.raw.zip

cve-reporting avatar Jul 23 '19 17:07 cve-reporting
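The trace in the report shows strlen() reached from splitVarVal() with a NULL argument while a request line is being handled. The report does not include the server's source, so the following is an added example rather than the HTCPCP project's code: a hypothetical split_var_val() that assumes the function splits a `name=value` request line, and shows the checks that turn a NULL input or a line with no separator into a parse error instead of a crash. The request text it parses is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the HTCPCP server's own code. split_var_val() is a
 * hypothetical stand-in for the splitVarVal() named in the ASAN trace: it
 * takes one "name=value" line and copies both halves into fixed buffers.
 * Every path that could hand NULL to strlen()/memcpy() returns an error.
 */
typedef struct {
    char name[64];
    char value[192];
} var_val;

/* Returns 0 on success, -1 for NULL, missing '=', empty name, or oversize fields. */
int split_var_val(const char *line, var_val *out)
{
    if (line == NULL || out == NULL)
        return -1;                          /* the NULL case the trace reports */

    const char *sep = strchr(line, '=');
    if (sep == NULL)
        return -1;                          /* no separator: never strlen(NULL) */

    size_t name_len = (size_t)(sep - line);
    const char *val = sep + 1;
    size_t val_len = strcspn(val, "\r\n");  /* stop at the line terminator if present */

    if (name_len == 0 || name_len >= sizeof out->name || val_len >= sizeof out->value)
        return -1;

    memcpy(out->name, line, name_len);
    out->name[name_len] = '\0';
    memcpy(out->value, val, val_len);
    out->value[val_len] = '\0';
    return 0;
}

/* Helper for checking results: 1 if the line splits into exactly (name, value). */
int split_matches(const char *line, const char *exp_name, const char *exp_value)
{
    var_val vv;
    if (split_var_val(line, &vv) != 0)
        return 0;
    return strcmp(vv.name, exp_name) == 0 && strcmp(vv.value, exp_value) == 0;
}

/* Walk every '\n'-separated line of a request and count the well-formed ones;
 * malformed lines (including binary junk like the "D...g.rd" in the report)
 * are rejected rather than dereferenced. */
int count_valid_lines(const char *request)
{
    int ok = 0;
    const char *p = request;
    while (*p) {
        size_t len = strcspn(p, "\n");
        char buf[256];
        if (len < sizeof buf) {
            memcpy(buf, p, len);
            buf[len] = '\0';
            var_val vv;
            if (split_var_val(buf, &vv) == 0)
                ok++;
        }
        p += len;
        if (*p == '\n')
            p++;
    }
    return ok;
}

int main(void)
{
    /* Constructed sample: two good lines, one with no '=', one binary junk line. */
    const char *req = "Accept-Additions=milk;sugar\nSafe=yes\nBREW\nD\x01\x02g\xffrd\n";
    printf("valid lines: %d\n", count_valid_lines(req));
    return 0;
}
```

The point of the example is the two early returns: a parser fed from the network must treat "separator not found" as a first-class outcome, because strchr()/strstr() return NULL on exactly the inputs a fuzzer produces, and passing that NULL on to strlen() is the crash the ASAN trace records.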