huntr / khoanguyenxuan / B2989095-88F3-413A-9A39-C1C58A6E6815
History: Feb 09, 2023 - 12:58 p.m.

NULL Pointer Dereference in function utfc_ptr2len

2023-02-09 12:58:25
khoanguyenxuan
www.huntr.dev

5.5 Medium (CVSS3)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

1.9 Low (CVSS2)
  Access Vector: LOCAL
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:L/AC:M/Au:N/C:N/I:N/A:P

0.0004 Low (EPSS)
  Percentile: 8.5%

Description

NULL pointer dereference in function utfc_ptr2len at mbyte.c:2145 allows attackers to cause a denial of service (application crash) via a crafted input.

vim version

commit 0caaf1e46511f7a92e036f05e6aa9d5992540117 (HEAD -> master, tag: v9.0.1293, origin/master, origin/HEAD)
Author: Yegappan Lakshmanan <yegappan@yahoo.com>
Date:   Thu Feb 9 12:23:17 2023 +0000

    patch 9.0.1293: the set_num_option() is too long

    Problem:    The set_num_option() is too long.
    Solution:   Move code to separate functions. (Yegappan Lakshmanan,
                closes #11954)

Proof of Concept

➜  src git:(master) ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc.dat -c :qa!
[1]    29650 segmentation fault  ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc.dat -c :qa!

Debug info

pwndbg> r -u NONE -i NONE -n -m -X -Z -e -s -S ../../poc -c :qa!
Starting program: /root/test/vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ../../poc -c :qa!
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000555555699519 in utfc_ptr2len (p=0x0) at mbyte.c:2145
2145	    int		b0 = *p;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────
 RAX  0x0
*RBX  0x55555595ad70 ◂— 0x5
 RCX  0x0
 RDX  0x0
 RDI  0x0
*RSI  0x1
*R8   0x20f5d46a556c2
*R9   0x7fffffffb314 ◂— 0x5587847b00007fff
*R10  0x7fffffffb340 ◂— 0x63e4e959
 R11  0x0
*R12  0x7fffffffe3f8 —▸ 0x7fffffffe6ea ◂— '/root/test/vim/src/vim'
*R13  0x5555558878e6 (main) ◂— endbr64
*R14  0x555555902038 (__do_global_dtors_aux_fini_array_entry) —▸ 0x55555558aac0 (__do_global_dtors_aux) ◂— endbr64
*R15  0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f
*RBP  0x7fffffffb470 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ...
*RSP  0x7fffffffb450 —▸ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 ◂— ...
*RIP  0x555555699519 (utfc_ptr2len+20) ◂— movzx eax, byte ptr [rax]
────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────
 ► 0x555555699519 <utfc_ptr2len+20>    movzx  eax, byte ptr [rax]
   0x55555569951c <utfc_ptr2len+23>    movzx  eax, al
   0x55555569951f <utfc_ptr2len+26>    mov    dword ptr [rbp - 4], eax
   0x555555699522 <utfc_ptr2len+29>    cmp    dword ptr [rbp - 4], 0
   0x555555699526 <utfc_ptr2len+33>    jne    utfc_ptr2len+45                <utfc_ptr2len+45>
    ↓
   0x555555699532 <utfc_ptr2len+45>    cmp    dword ptr [rbp - 4], 0x7f
   0x555555699536 <utfc_ptr2len+49>    jg     utfc_ptr2len+76                <utfc_ptr2len+76>
    ↓
   0x555555699551 <utfc_ptr2len+76>    mov    rax, qword ptr [rbp - 0x18]
   0x555555699555 <utfc_ptr2len+80>    mov    rdi, rax
   0x555555699558 <utfc_ptr2len+83>    call   utf_ptr2len                <utf_ptr2len>

   0x55555569955d <utfc_ptr2len+88>    mov    dword ptr [rbp - 0xc], eax
────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────
In file: /root/test/vim/src/mbyte.c
   2140  */
   2141     int
   2142 utfc_ptr2len(char_u *p)
   2143 {
   2144     int                len;
 ► 2145     int                b0 = *p;
   2146 #ifdef FEAT_ARABIC
   2147     int                prevlen;
   2148 #endif
   2149
   2150     if (b0 == NUL)
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7fffffffb450 —▸ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 ◂— ...
01:0008│     0x7fffffffb458 ◂— 0x0
02:0010│     0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ...
03:0018│     0x7fffffffb468 —▸ 0x555555638c90 (putcmdline+100) ◂— mov eax, dword ptr [rbp - 4]
04:0020│ rbp 0x7fffffffb470 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ...
05:0028│     0x7fffffffb478 —▸ 0x555555638d0c (unputcmdline+101) ◂— mov edx, eax
06:0030│     0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 —▸ 0x7fffffffb5f0 ◂— ...
07:0038│     0x7fffffffb488 —▸ 0x55555565e74b (vgetorpeek+3187) ◂— jmp 0x55555565e752
────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────
 ► f 0   0x555555699519 utfc_ptr2len+20
   f 1   0x555555638d0c unputcmdline+101
   f 2   0x55555565e74b vgetorpeek+3187
   f 3   0x55555565b8a6 vgetc+250
   f 4   0x55555565bf9e safe_vgetc+17
   f 5   0x5555556aec0f get_number+126
   f 6   0x5555556aedd7 prompt_for_number+115
   f 7   0x55555578f2b8 spell_suggest+2101
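The debugger output above shows the fault at mbyte.c:2145, where the first statement of utfc_ptr2len reads *p with p == 0x0, so no later check can run. The following is an added, constructed C model of that pattern and of a callee-side guard; it is not Vim's code and not part of the report, and the report does not say where Vim's own fix went. lead_byte_len, vuln_ptr2len and safe_ptr2len are hypothetical names; the sample byte strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified UTF-8 lead-byte length (not Vim's utf_ptr2len,
 * which also validates the continuation bytes). Continuation or illegal
 * lead bytes are counted as a single byte. */
static int lead_byte_len(const unsigned char *p)
{
    unsigned char b0 = *p;
    if (b0 < 0x80)            return 1;   /* ASCII */
    if ((b0 & 0xE0) == 0xC0)  return 2;   /* 110xxxxx */
    if ((b0 & 0xF0) == 0xE0)  return 3;   /* 1110xxxx */
    if ((b0 & 0xF8) == 0xF0)  return 4;   /* 11110xxx */
    return 1;
}

/* Mirrors the pattern at mbyte.c:2145: "*p" is read before anything else,
 * so a NULL p faults right here (the SIGSEGV in the report). */
int vuln_ptr2len(const unsigned char *p)
{
    int b0 = *p;                          /* crash site when p == NULL */
    if (b0 == 0)                          /* NUL terminator: length 0 */
        return 0;
    return lead_byte_len(p);
}

/* Hardened variant: a NULL pointer is treated like an empty string, so a
 * caller that lost its buffer (unputcmdline in the backtrace) can no longer
 * crash the process through this function. */
int safe_ptr2len(const unsigned char *p)
{
    if (p == NULL)
        return 0;
    return vuln_ptr2len(p);
}

int main(void)
{
    /* Constructed samples: empty string, ASCII, U+00E9 (2 bytes), U+20AC (3 bytes). */
    const unsigned char empty[] = "";
    const unsigned char ascii[] = "a";
    const unsigned char eacute[] = "\xc3\xa9";
    const unsigned char euro[] = "\xe2\x82\xac";
    printf("NULL=%d empty=%d ascii=%d eacute=%d euro=%d\n",
           safe_ptr2len(NULL), safe_ptr2len(empty), safe_ptr2len(ascii),
           safe_ptr2len(eacute), safe_ptr2len(euro));
    return 0;
}
```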

Poc

https://raw.githubusercontent.com/khoanguyenxuan/testing/main/poc.dat
