Red Hat Bugzilla – Bug 221469
CVE-2006-6719 Wget attempts to dereference NULL pointer upon response from malicious FTP server
Last modified: 2007-11-30 17:11:52 EST
+++ This bug was initially created as a clone of Bug #221459 +++
Description of problem:
NULL pointer dereference occurs in case a numerical FTP response code
is present, but response text is missing while wget is expecting a reply
to SYST command in ftp-basic.c:ftp_syst().
Version-Release number of selected component (if applicable):
Wget in all supported releases seems to contain the flawed code.
Steps to Reproduce:
1. Run the attached perl script, it listens to localhost:21 by default
2. Attempt to wget ftp://localhost/
Wget receives a SIGSEGV.
Wget should save us from the time of trial and deliver us from evil.
Upstream hasn't fixed the issue yet, and since it's fairly simple I doubt
they know about it.
-- Additional comment from firstname.lastname@example.org on 2007-01-04 13:24 EST --
Created an attachment (id=144827)
Reproducer for CVE-2006-6719 wget flaw
-- Additional comment from email@example.com on 2007-01-04 13:29 EST --
Here's the stack trace:
#0 *__GI___strcasecmp (s1=0x0, s2=0x428a79 "VMS") at strcasecmp.c:65
#1 0x000000000040b6bb in ftp_syst (csock=<value optimized out>,
server_type=0x7fff685d6988) at ftp-basic.c:1041
#2 0x0000000000408a88 in getftp (u=0x83a050, len=0x7fff685d6748, restval=0,
con=0x7fff685d6970) at ftp.c:351
#3 0x0000000000409b58 in ftp_loop_internal (u=0x83a050, f=0x0,
con=0x7fff685d6970) at ftp.c:1173
#4 0x000000000040a01c in ftp_get_listing (u=0x83a050, con=0x7fff685d6970,
f=0x7fff685d69a8) at ftp.c:1317
#5 0x000000000040a553 in ftp_loop (u=0x83a050, dt=0x7fff685d6bb0, proxy=<value
optimized out>, recursive=false, glob=false) at ftp.c:1798
#6 0x000000000041eab7 in retrieve_url (origurl=0x83a0c0 "ftp://localhost/",
file=0x7fff685d6ba8, newloc=0x7fff685d6ba0, refurl=0x0, dt=0x7fff685d6bb0,
recursive=false) at retr.c:691
#7 0x000000000041a740 in main (argc=2, argv=0x7fff685d6cd8) at main.c:961
#8 0x0000003def81da44 in __libc_start_main (main=0x41a050 <main>, argc=2,
ubp_av=0x7fff685d6cd8, init=<value optimized out>, fini=<value optimized out>,
rtld_fini=<value optimized out>, stack_end=0x7fff685d6cc8) at libc-start.c:231
#9 0x00000000004039b9 in _start ()
And the relevant faulty code:
1034 /* Skip the number (215, but 200 (!!!) in case of VMS) */
1035 strtok (respline, " ");
1037 /* Which system type has been reported (we are interested just in the
1038 first word of the server response)? */
1039 request = strtok (NULL, " ");
Here request gets set to NULL, as there are no more tokens in the response
1041 if (!strcasecmp (request, "VMS"))
And here we compare the NULL string
1042 *server_type = ST_VMS;
1043 else if (!strcasecmp (request, "UNIX"))
1044 *server_type = ST_UNIX;
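As an added illustration (this is not wget's code and not the attached patch), here is a stand-alone rewrite of the SYST reply classification above that handles the case the report describes: a reply consisting of the numeric code alone makes the second strtok() return NULL, so the result must be checked before it reaches strcasecmp(). The ST_OTHER value, the classify_syst_reply() name and the sample reply lines are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Server types named as in the faulty code (ST_VMS, ST_UNIX);
   ST_OTHER is an assumed catch-all for this example. */
enum server_type { ST_UNIX, ST_VMS, ST_OTHER };

/* Classify one SYST reply line ("215 UNIX Type: L8", "200 VMS ...", or a
   bare "215").  Unlike the code quoted above, a reply that carries a
   numeric code but no text yields ST_OTHER instead of passing NULL to
   strcasecmp().  The input is copied because strtok() writes into its
   buffer. */
enum server_type classify_syst_reply(const char *respline)
{
    char buf[256];
    char *request;

    /* Defensive copy; truncation is harmless since only the first two
       tokens are examined. */
    strncpy(buf, respline, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    /* Skip the reply code (215, or 200 for some VMS servers).  An empty
       line has no code at all. */
    if (strtok(buf, " \r\n") == NULL)
        return ST_OTHER;

    /* First word of the response text; NULL when the text is missing,
       which is exactly the reply that crashed wget. */
    request = strtok(NULL, " \r\n");
    if (request == NULL)
        return ST_OTHER;

    if (!strcasecmp(request, "VMS"))
        return ST_VMS;
    if (!strcasecmp(request, "UNIX"))
        return ST_UNIX;
    return ST_OTHER;
}

int main(void)
{
    /* Constructed sample replies, including the truncated one from the report. */
    const char *samples[] = { "215 UNIX Type: L8", "200 VMS", "215", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %d\n", samples[i], (int) classify_syst_reply(samples[i]));
    return 0;
}
```

Running it prints 0 (ST_UNIX) for the UNIX reply, 1 (ST_VMS) for the VMS reply and 2 (ST_OTHER) for the bare code and the empty line, with no crash on either degenerate input.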
-- Additional comment from firstname.lastname@example.org on 2007-01-04 13:44 EST --
Created an attachment (id=144828)
Patch for CVE-2006-6719 wget flaw
And, because it's Christmas, here's the patch for you.
And please report upstream.
Update with a fix is on its way: wget-1.10.2-8.fc6.1
wget-1.10.2-8.fc6.1 has been pushed for fc6, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.