Bug 221483 - CVE-2006-6719 Wget attempts to dereference NULL pointer upon response from malicious FTP server
Summary: CVE-2006-6719 Wget attempts to dereference NULL pointer upon response from ma...
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: wget   
Version: 5.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Karsten Hopp
QA Contact: David Lawrence
URL: http://www.securityfocus.com/bid/21650
Whiteboard: source=cve,impact=low,public=20061218...
Keywords: Security
Depends On:
Reported: 2007-01-04 19:35 UTC by Lubomir Kundrak
Modified: 2009-06-24 13:03 UTC (History)

Fixed In Version: 5.0.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-01-15 15:08:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Simplified reproducer for CVE-2006-6719 wget issue (342 bytes, application/x-shellscript)
2007-01-10 15:07 UTC, Lubomir Kundrak

Description Lubomir Kundrak 2007-01-04 19:35:21 UTC
+++ This bug was initially created as a clone of Bug #221459 +++

Description of problem:

A NULL pointer dereference occurs when a numerical FTP response code
is present but the response text is missing while wget is expecting a reply
to the SYST command in ftp-basic.c:ftp_syst().

Version-Release number of selected component (if applicable):

Wget in all supported releases seems to contain the flawed code.

How reproducible:


Steps to Reproduce:
1. Run the attached Perl script; it listens on localhost:21 by default.
2. Attempt to wget ftp://localhost/

Actual results:

Wget receives a SIGSEGV.

Expected results:

Wget should save us from the time of trial and deliver us from evil.

Additional info:

Upstream hasn't fixed the issue yet, and since it's fairly simple I doubt
they know about it.

-- Additional comment from lkundrak@redhat.com on 2007-01-04 13:24 EST --
Created an attachment (id=144827)
Reproducer for CVE-2006-6719 wget flaw

-- Additional comment from lkundrak@redhat.com on 2007-01-04 13:29 EST --
Here's the stack trace:

#0  *__GI___strcasecmp (s1=0x0, s2=0x428a79 "VMS") at strcasecmp.c:65
#1  0x000000000040b6bb in ftp_syst (csock=<value optimized out>,
server_type=0x7fff685d6988) at ftp-basic.c:1041
#2  0x0000000000408a88 in getftp (u=0x83a050, len=0x7fff685d6748, restval=0,
con=0x7fff685d6970) at ftp.c:351
#3  0x0000000000409b58 in ftp_loop_internal (u=0x83a050, f=0x0,
con=0x7fff685d6970) at ftp.c:1173
#4  0x000000000040a01c in ftp_get_listing (u=0x83a050, con=0x7fff685d6970,
f=0x7fff685d69a8) at ftp.c:1317
#5  0x000000000040a553 in ftp_loop (u=0x83a050, dt=0x7fff685d6bb0, proxy=<value
optimized out>, recursive=false, glob=false) at ftp.c:1798
#6  0x000000000041eab7 in retrieve_url (origurl=0x83a0c0 "ftp://localhost/",
file=0x7fff685d6ba8, newloc=0x7fff685d6ba0, refurl=0x0, dt=0x7fff685d6bb0,
    recursive=false) at retr.c:691
#7  0x000000000041a740 in main (argc=2, argv=0x7fff685d6cd8) at main.c:961
#8  0x0000003def81da44 in __libc_start_main (main=0x41a050 <main>, argc=2,
ubp_av=0x7fff685d6cd8, init=<value optimized out>, fini=<value optimized out>,
    rtld_fini=<value optimized out>, stack_end=0x7fff685d6cc8) at libc-start.c:231
#9  0x00000000004039b9 in _start ()

And the relevant faulty code:

1034      /* Skip the number (215, but 200 (!!!) in case of VMS) */
1035      strtok (respline, " ");
1037      /* Which system type has been reported (we are interested just in the
1038         first word of the server response)?  */
1039      request = strtok (NULL, " ");

Here request gets set to NULL, as there are no more tokens in the response.

1041      if (!strcasecmp (request, "VMS"))

And here we compare the NULL string

1042        *server_type = ST_VMS;
1043      else if (!strcasecmp (request, "UNIX"))
1044        *server_type = ST_UNIX;

-- Additional comment from lkundrak@redhat.com on 2007-01-04 13:44 EST --
Created an attachment (id=144828)
Patch for CVE-2006-6719 wget flaw

And, because it's Christmas, here's the patch for you.
And please report upstream.

Comment 1 Karsten Hopp 2007-01-09 16:10:59 UTC
fixed in wget-1.10.2-7.el5

Comment 6 Mark J. Cox 2007-01-14 10:13:44 UTC
verified in 20070111 tree
