Bug 221483

Summary: CVE-2006-6719 Wget attempts to dereference NULL pointer upon response from malicious FTP server
Product: Red Hat Enterprise Linux 5
Reporter: Lubomir Kundrak <lkundrak>
Component: wget
Assignee: Karsten Hopp <karsten>
Status: CLOSED CURRENTRELEASE
QA Contact: David Lawrence <dkl>
Severity: low
Priority: low
Version: 5.0
CC: jlaska, psplicha
Keywords: Security
Hardware: All
OS: Linux
URL: http://www.securityfocus.com/bid/21650
Whiteboard: source=cve,impact=low,public=20061218,reported=20070102
Fixed In Version: 5.0.0
Doc Type: Bug Fix
Last Closed: 2007-01-15 15:08:55 UTC
Attachments: Simplified reproducer for CVE-2006-6719 wget issue

Description Lubomir Kundrak 2007-01-04 19:35:21 UTC
+++ This bug was initially created as a clone of Bug #221459 +++

Description of problem:

A NULL pointer dereference occurs in case a numerical FTP response code
is present but the response text is missing while wget is expecting a reply
to the SYST command in ftp-basic.c:ftp_syst().

Version-Release number of selected component (if applicable):

Wget in all supported releases seems to contain the flawed code.

How reproducible:

Always.

Steps to Reproduce:
1. Run the attached perl script; it listens on localhost:21 by default
2. Attempt to wget ftp://localhost/

Actual results:

Wget receives a SIGSEGV.

Expected results:

Wget should save us from the time of trial and deliver us from evil.

Additional info:

Upstream hasn't fixed the issue yet, and since it's fairly simple I doubt
they know about it.

-- Additional comment from lkundrak on 2007-01-04 13:24 EST --
Created an attachment (id=144827)
Reproducer for CVE-2006-6719 wget flaw


-- Additional comment from lkundrak on 2007-01-04 13:29 EST --
Here's the stack trace:

#0  *__GI___strcasecmp (s1=0x0, s2=0x428a79 "VMS") at strcasecmp.c:65
#1  0x000000000040b6bb in ftp_syst (csock=<value optimized out>,
server_type=0x7fff685d6988) at ftp-basic.c:1041
#2  0x0000000000408a88 in getftp (u=0x83a050, len=0x7fff685d6748, restval=0,
con=0x7fff685d6970) at ftp.c:351
#3  0x0000000000409b58 in ftp_loop_internal (u=0x83a050, f=0x0,
con=0x7fff685d6970) at ftp.c:1173
#4  0x000000000040a01c in ftp_get_listing (u=0x83a050, con=0x7fff685d6970,
f=0x7fff685d69a8) at ftp.c:1317
#5  0x000000000040a553 in ftp_loop (u=0x83a050, dt=0x7fff685d6bb0, proxy=<value
optimized out>, recursive=false, glob=false) at ftp.c:1798
#6  0x000000000041eab7 in retrieve_url (origurl=0x83a0c0 "ftp://localhost/",
file=0x7fff685d6ba8, newloc=0x7fff685d6ba0, refurl=0x0, dt=0x7fff685d6bb0,
    recursive=false) at retr.c:691
#7  0x000000000041a740 in main (argc=2, argv=0x7fff685d6cd8) at main.c:961
#8  0x0000003def81da44 in __libc_start_main (main=0x41a050 <main>, argc=2,
ubp_av=0x7fff685d6cd8, init=<value optimized out>, fini=<value optimized out>,
    rtld_fini=<value optimized out>, stack_end=0x7fff685d6cc8) at libc-start.c:231
#9  0x00000000004039b9 in _start ()

And the relevant faulty code:

1033
1034      /* Skip the number (215, but 200 (!!!) in case of VMS) */
1035      strtok (respline, " ");
1036
1037      /* Which system type has been reported (we are interested just in the
1038         first word of the server response)?  */
1039      request = strtok (NULL, " ");

Here request gets set to NULL, as there are no more tokens in the response.

1040
1041      if (!strcasecmp (request, "VMS"))

And here we compare the NULL string.

1042        *server_type = ST_VMS;
1043      else if (!strcasecmp (request, "UNIX"))
1044        *server_type = ST_UNIX;

-- Additional comment from lkundrak on 2007-01-04 13:44 EST --
Created an attachment (id=144828)
Patch for CVE-2006-6719 wget flaw

And, because it's Christmas, here's the patch for you.
And please report upstream.
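
One way to harden the parsing quoted above, as an added C example that is neither wget's code nor the attached patch: the same strtok() walk as ftp_syst(), with the missing-word case rejected before strcasecmp() is reached. ST_OTHER, the 256-byte bound, the "\r\n" delimiters and the sample replies are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* ST_UNIX and ST_VMS appear on the page; ST_OTHER is an assumed catch-all. */
typedef enum { ST_OTHER = 0, ST_UNIX, ST_VMS } server_type_t;

/* Parse one SYST reply the way wget's ftp_syst() does (skip the numeric
 * code, classify the first word of the text), but never hand a NULL token
 * to strcasecmp().  Returns 0 when a system word was found, -1 otherwise. */
int parse_syst_reply(const char *respline, server_type_t *server_type)
{
    char copy[256];  /* strtok() modifies its buffer; work on a bounded copy */
    char *word;

    *server_type = ST_OTHER;
    snprintf(copy, sizeof copy, "%s", respline);

    /* Skip the number (215, but 200 (!!!) in case of VMS). */
    if (strtok(copy, " \r\n") == NULL)
        return -1;

    /* First word of the server text.  For a reply of just "215\r\n" this is
     * NULL, which is exactly what the original code passed to strcasecmp(). */
    word = strtok(NULL, " \r\n");
    if (word == NULL)
        return -1;

    if (!strcasecmp(word, "VMS"))
        *server_type = ST_VMS;
    else if (!strcasecmp(word, "UNIX"))
        *server_type = ST_UNIX;
    return 0;
}

/* Convenience wrapper: the server type, or -1 when the reply carried no text. */
int classify_syst_reply(const char *respline)
{
    server_type_t st;
    return parse_syst_reply(respline, &st) == 0 ? (int)st : -1;
}

int main(void)
{
    /* Constructed sample replies; the last two mimic the truncated reply from the bug. */
    const char *replies[] = { "215 UNIX Type: L8", "200 VMS V8.3", "215", "215 " };
    for (int i = 0; i < 4; i++)
        printf("\"%s\" -> %d\n", replies[i], classify_syst_reply(replies[i]));
    return 0;
}
```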

Comment 1 Karsten Hopp 2007-01-09 16:10:59 UTC
fixed in wget-1.10.2-7.el5

Comment 6 Mark J. Cox 2007-01-14 10:13:44 UTC
verified in 20070111 tree