Skip to content

Null Pointer Dereference in function VerifyCommandLine () at src/DumpTS.cpp:388 #22

New issue
New issue
Open
Open
Null Pointer Dereference in function VerifyCommandLine () at src/DumpTS.cpp:388#22
@zhuvensi

Description

@zhuvensi
zhuvensi
opened on Jun 21, 2024

Describe:

A Null Pointer Dereference was discovered in DumpTS v0.1.0-nightly. The issue is being triggered in function VerifyCommandLine () at src/DumpTS.cpp:388.Attackers may exploit this vulnerability to execute and cause a DOS attack.

Reproduce:

Tested in Ubuntu 22.04
Compile the program with address sanitizer with this:
first add the command in makefile as follows:

image

Then the poc is inputed as the input of DumpTS,here is the command:
gdb --args ./DumpTS /home/DumpTS/fuzz_out3/default/crashes/id\:000000\,sig\:06\,src\:000011\,time\:52513\,execs\:23035\,op\:havoc\,rep\:16 --output=test1.mp4 --pid=0x1011 --showpts --destpid=0x1011
(gdb) break main
(gdb) run
(gdb) continue
(gdb) backtrace

GDB Reports:

(gdb) break main
Breakpoint 1 at 0x38e399: file ../../src/DumpTS.cpp, line 1126.
(gdb) run
Starting program: /home/DumpTS/bin/linux/DumpTS /home/DumpTS/fuzz_out3/default/crashes/id:000000,sig:06,src:000011,time:52513,execs:23035,op:havoc,rep:16 --output=test1.mp4 --pid=0x1011 --showpts --destpid=0x1011
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main (argc=6, argv=0x7ffd185a24c8) at ../../src/DumpTS.cpp:1126
1126            int nDumpRet = 0;
(gdb) continue 
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007f85f9b7781e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) backtrace 
#0  0x00007f85f9b7781e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f85f9e47bce in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(char const*) const ()
   from /lib/x86_64-linux-gnu/libstdc++.so.6
#2  0x000055c2e077c235 in VerifyCommandLine () at ../../src/DumpTS.cpp:388
#3  0x000055c2e0781433 in main (argc=6, argv=0x7ffd185a24c8) at ../../src/DumpTS.cpp:1157

and this is the code at the bug address:
image

Poc

Poc file is here

Fuzzer
Fuzzer is AFL.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions