hackerone / geeknik / H1:247027
History: Jul 07, 2017 - 6:43 p.m.

Internet Bug Bounty: CVE-2017-10965: Null pointer dereference in Irssi <1.0.4


EPSS: 0.003 (percentile 70.5%)

34 days after reading https://irssi.org/2017/05/12/fuzzing-irssi/, I was finally able to trigger a null pointer dereference in irssi 1.0.2.

Timeline:
Report to vendor: 15 June 2017
Acknowledge by vendor: 15 June 2017
Fixed by vendor: 7 July 2017

Advisory:
http://seclists.org/oss-sec/2017/q3/80

Patch:
https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206

./irssi < test000
CAP LS
NICK root
USER root root /dev/stdin :root
ASAN:DEADLYSIGNAL
=================================================================
==23308==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4505521e56 bp 0x7fff0bf30d90 sp 0x7fff0bf30518 T0)
==23308==The signal is caused by a READ memory access.
==23308==Hint: address points to the zero page.
    #0 0x7f4505521e55 in strlen /build/glibc-cxyGtm/glibc-2.24/string/../sysdeps/x86_64/strlen.S:76
    #1 0x4536dc in __interceptor_strlen.part.31 (/root/irssi-1.0.2/src/fe-text/irssi+0x4536dc)
    #2 0x6bf3c9 in my_asctime /root/irssi-1.0.2/src/core/misc.c:565:8
    #3 0x594d51 in event_topic_info /root/irssi-1.0.2/src/fe-common/irc/fe-events-numeric.c:275:19
    #4 0x6f499b in signal_emit_real /root/irssi-1.0.2/src/core/signals.c:242:3
    #5 0x6f4207 in signal_emit /root/irssi-1.0.2/src/core/signals.c:286:3
    #6 0x62cd3d in irc_server_event /root/irssi-1.0.2/src/irc/core/irc.c:308:7
    #7 0x6f499b in signal_emit_real /root/irssi-1.0.2/src/core/signals.c:242:3
    #8 0x6f59b6 in signal_emit_id /root/irssi-1.0.2/src/core/signals.c:304:3
    #9 0x62d33a in irc_parse_incoming_line /root/irssi-1.0.2/src/irc/core/irc.c:362:3
    #10 0x6f499b in signal_emit_real /root/irssi-1.0.2/src/core/signals.c:242:3
    #11 0x6f59b6 in signal_emit_id /root/irssi-1.0.2/src/core/signals.c:304:3
    #12 0x62d6ba in irc_parse_incoming /root/irssi-1.0.2/src/irc/core/irc.c:383:3
    #13 0x6bb9b2 in irssi_io_invoke /root/irssi-1.0.2/src/core/misc.c:55:3
    #14 0x7f4506cc6229 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a229)
    #15 0x7f4506cc65df  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a5df)
    #16 0x7f4506cc668b in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a68b)
    #17 0x57e4a7 in main /root/irssi-1.0.2/src/fe-text/irssi.c:326:3
    #18 0x7f45054b53f0 in __libc_start_main /build/glibc-cxyGtm/glibc-2.24/csu/../csu/libc-start.c:291
    #19 0x42e979 in _start (/root/irssi-1.0.2/src/fe-text/irssi+0x42e979)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-cxyGtm/glibc-2.24/string/../sysdeps/x86_64/strlen.S:76 in strlen
==23308==ABORTING
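What the trace above shows, as an added example that is not part of this report or of irssi's code: strlen() inside my_asctime() received a NULL pointer. NVD describes CVE-2017-10965 as a NULL dereference when receiving messages with invalid time stamps; the C library's time-formatting functions (localtime/gmtime, asctime) return NULL for a time_t they cannot break into a struct tm, and a formatter that calls strlen() on that result without checking crashes exactly as in the dump. The C below is illustrative, not irssi's implementation (the function names, the sample fields and the use of gmtime_r instead of localtime are assumptions): a parser for the numeric timestamp field that rejects overflow and trailing garbage, and a formatter that checks every call that can return NULL.

```c
#define _POSIX_C_SOURCE 200809L   /* gmtime_r, asctime_r */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Would the C library refuse to format this time_t? glibc and musl
 * return NULL (errno EOVERFLOW) when the year does not fit in an int;
 * that NULL is what an unchecked my_asctime()-style helper hands to
 * strlen(). */
int time_unformattable(time_t t)
{
    struct tm tmbuf;
    errno = 0;
    return gmtime_r(&t, &tmbuf) == NULL;
}

/* Hardened formatter (illustrative, not irssi's code): every call that
 * can return NULL is checked, output goes to a caller-supplied buffer,
 * and the trailing newline asctime_r() appends is stripped only if it
 * is there. gmtime_r is used so results do not depend on the machine's
 * TZ; the overflow behaviour is the same as localtime's.
 * Returns 0 on success, -1 if t cannot be formatted. */
int format_time_safe(time_t t, char *out, size_t outlen)
{
    struct tm tmbuf;
    char abuf[26];          /* asctime_r() requires at least 26 bytes */
    size_t len;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (gmtime_r(&t, &tmbuf) == NULL)
        return -1;          /* the case the unchecked path fell through */
    if (asctime_r(&tmbuf, abuf) == NULL)
        return -1;
    len = strlen(abuf);
    if (len > 0 && abuf[len - 1] == '\n')
        abuf[--len] = '\0';
    if (len >= outlen)
        return -1;
    memcpy(out, abuf, len + 1);
    return 0;
}

/* Parse the numeric timestamp field of a topic-info style numeric
 * without atol(): reject empty input, trailing garbage, negative values
 * and anything that overflows long long or is narrowed by the cast to
 * time_t. Returns 0 and stores the value in *t on success. */
int parse_topic_time(const char *field, time_t *t)
{
    char *end;
    long long v;

    if (field == NULL || *field == '\0' || t == NULL)
        return -1;
    errno = 0;
    v = strtoll(field, &end, 10);
    if (errno == ERANGE || *end != '\0' || v < 0)
        return -1;
    if ((long long)(time_t)v != v)
        return -1;          /* time_t narrower than the parsed value */
    *t = (time_t)v;
    return 0;
}

/* End-to-end handling of one peer-supplied field: parse, then format.
 * Returns 0 when out holds a usable string, -1 when the field must be
 * rejected instead of reaching strlen(NULL). */
int check_topic_field(const char *field, char *out, size_t outlen)
{
    time_t t;
    if (parse_topic_time(field, &t) != 0)
        return -1;
    return format_time_safe(t, out, outlen);
}

int main(void)
{
    /* Constructed inputs; not the contents of the report's test000. */
    const char *fields[] = { "0", "1499452800", "", "12abc",
                             "9223372036854775807", "99999999999999999999" };
    char buf[64];
    size_t i;

    printf("gmtime_r(LLONG_MAX) returns NULL here: %s\n",
           time_unformattable((time_t)LLONG_MAX) ? "yes" : "no");
    for (i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        if (check_topic_field(fields[i], buf, sizeof buf) == 0)
            printf("%-22s -> %s\n", fields[i], buf);
        else
            printf("%-22s -> rejected\n", fields[i]);
    }
    return 0;
}
```

The two last sample fields are the interesting ones: the 20-digit string overflows strtoll (atol would silently saturate it), and LLONG_MAX parses cleanly but is still refused by gmtime_r, so a NULL check after the parse alone is not enough; the formatter itself has to check.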