NULL pointer dereference vulnerability exists in the rarp tool of net-tools #59
Description:
A NULL pointer dereference vulnerability exists in the rarp tool of net-tools.
It is caused by the lack of validation after calling the gethostbyname() function in the rarp_file() function.
If the hostname provided in the file passed with the -f option is invalid, gethostbyname() returns NULL.
However, the program continues its execution and still calls rarp_set() with a NULL pointer (hp == NULL).
This results in a NULL pointer dereference in rarp_set(), causing an immediate crash of the program.
Vulnerable code:
In rarp_file():

```c
if ((hp = gethostbyname(host)) == NULL) {
    fprintf(stderr, _("rarp: %s: unknown host\n"), host);
}
if (rarp_set(fd, hp, addr) != 0) {
    fprintf(stderr, _("rarp: cannot set entry from %s:%u\n"), name, linenr);
}
```
Here, even if hp == NULL, the function rarp_set() is still called.
In rarp_set():

```c
si->sin_family = hp->h_addrtype;
memcpy((char *) &si->sin_addr, hp->h_addr_list[0], hp->h_length);
```
These accesses cause a crash when hp is NULL.
Impact:
A local user can crash the rarp program by providing a malformed file containing an invalid hostname.
This leads to a local denial of service.
Proof of Concept:
Create a file containing a non-existent hostname and pass it with -f:

```sh
echo "01:02:03:04:05:06:07:08 host_inexistant" > /tmp/poc_rarp
./rarp -f /tmp/poc_rarp
```

Result:

```
rarp: host_inexistant: unknown host
AddressSanitizer:DEADLYSIGNAL
==10934==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x6063c219003f bp 0x7ffd3cc86270 sp 0x7ffd3cc860c0 T0)
==10934==The signal is caused by a READ memory access.
==10934==Hint: address points to the zero page.
    #0 0x6063c219003f in rarp_set /home/tsoa/Desktop/net-tools-master/rarp.c:102
    #1 0x6063c21906d5 in rarp_file /home/tsoa/Desktop/net-tools-master/rarp.c:146
    #2 0x6063c219132e in main /home/tsoa/Desktop/net-tools-master/rarp.c:308
    #3 0x771e4e229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x771e4e229e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #5 0x6063c218f964 in _start (/home/tsoa/Desktop/net-tools-master/rarp+0x8964)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/tsoa/Desktop/net-tools-master/rarp.c:102 in rarp_set
==10934==ABORTING
```
Recommended Fix:
Modify rarp_file() so that rarp_set() is not called when hp == NULL (skip to the next line of the file instead):

```c
if ((hp = gethostbyname(host)) == NULL) {
    fprintf(stderr, _("rarp: %s: unknown host\n"), host);
    continue;   /* skip this entry; do not call rarp_set() with hp == NULL */
}
```

And harden rarp_set() itself so that it rejects a NULL host pointer regardless of the caller:

```c
static int rarp_set(int fd, struct hostent *hp, char *hw_addr)
{
    if (!hp) {
        fprintf(stderr, "rarp_set: NULL host pointer\n");
        return 1;
    }
    /* ... existing body of rarp_set() unchanged ... */
}
```
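As an added example (not net-tools code), the following hypothetical stand-in for the address copy in rarp_set() shows the NULL check from the fix together with the other checks a defender would want before the memcpy into sin_addr: that the entry is AF_INET, that h_length matches sizeof(struct in_addr) (an AF_INET6 result would overflow the 4-byte field), and that h_addr_list[0] is non-NULL. The struct hostent is constructed inline so the code runs offline without gethostbyname(); the function names and the 192.0.2.10 address are assumptions of this example.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical stand-in for the copy in rarp_set(): fill si from the first
 * address of hp. Returns 0 on success, -1 if hp is NULL (as after a failed
 * gethostbyname()) or its fields cannot safely be copied into sin_addr. */
int fill_sockaddr_in(struct sockaddr_in *si, const struct hostent *hp)
{
    if (hp == NULL) {                       /* the net-tools bug: unknown host */
        fprintf(stderr, "fill_sockaddr_in: NULL host pointer\n");
        return -1;
    }
    if (hp->h_addrtype != AF_INET || hp->h_length != (int) sizeof(struct in_addr)) {
        /* sin_addr holds exactly 4 bytes; never trust h_length as a memcpy size */
        fprintf(stderr, "fill_sockaddr_in: not an IPv4 host entry\n");
        return -1;
    }
    if (hp->h_addr_list == NULL || hp->h_addr_list[0] == NULL) {
        fprintf(stderr, "fill_sockaddr_in: host entry has no address\n");
        return -1;
    }
    memset(si, 0, sizeof *si);
    si->sin_family = AF_INET;
    memcpy(&si->sin_addr, hp->h_addr_list[0], sizeof(struct in_addr));
    return 0;
}

/* Constructed test data: the hostent gethostbyname() would return for 192.0.2.10. */
static unsigned char example_addr[4] = { 192, 0, 2, 10 };
static char *example_addr_list[] = { (char *) example_addr, NULL };
static struct hostent example_host = {
    .h_name = "example.invalid", .h_aliases = NULL,
    .h_addrtype = AF_INET, .h_length = 4, .h_addr_list = example_addr_list,
};

/* Returns 1 if the hardened copy rejects NULL and accepts the constructed
 * entry with the expected address bytes, 0 otherwise. */
int demo(void)
{
    struct sockaddr_in si;
    if (fill_sockaddr_in(&si, NULL) != -1) return 0;          /* must not crash */
    if (fill_sockaddr_in(&si, &example_host) != 0) return 0;
    return si.sin_family == AF_INET && ntohl(si.sin_addr.s_addr) == 0xC000020AU;
}
```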