History: Feb 09, 2023 - 12:58 p.m.

NULL Pointer Dereference in function utfc_ptr2len

2023-02-09 12:58:25
khoanguyenxuan
www.huntr.dev
Tags: null pointer dereference, utfc_ptr2len, denial of service, crafted input, segmentation fault, vim, mbyte.c

EPSS: 0.001

Percentile: 33.6%

Description

NULL Pointer Dereference in function utfc_ptr2len at mbyte.c:2145 allows attackers to cause a denial of service (application crash) via a crafted input.

vim version

commit 0caaf1e46511f7a92e036f05e6aa9d5992540117 (HEAD -> master, tag: v9.0.1293, origin/master, origin/HEAD)
Author: Yegappan Lakshmanan <yegappan@yahoo.com>
Date:   Thu Feb 9 12:23:17 2023 +0000

    patch 9.0.1293: the set_num_option() is too long

    Problem:    The set_num_option() is too long.
    Solution:   Move code to separate functions. (Yegappan Lakshmanan,
                closes #11954)

Proof of Concept

src git:(master) ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc.dat -c :qa!
[1]    29650 segmentation fault  ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc.dat -c :qa!

Debug info

pwndbg> r -u NONE -i NONE -n -m -X -Z -e -s -S ../../poc -c :qa!
Starting program: /root/test/vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ../../poc -c :qa!
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000555555699519 in utfc_ptr2len (p=0x0) at mbyte.c:2145
2145	    int		b0 = *p;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────────────────────────────────────────
 RAX  0x0
*RBX  0x55555595ad70 ◂— 0x5
 RCX  0x0
 RDX  0x0
 RDI  0x0
*RSI  0x1
*R8   0x20f5d46a556c2
*R9   0x7fffffffb314 ◂— 0x5587847b00007fff
*R10  0x7fffffffb340 ◂— 0x63e4e959
 R11  0x0
*R12  0x7fffffffe3f8 —▸ 0x7fffffffe6ea ◂— '/root/test/vim/src/vim'
*R13  0x5555558878e6 (main) ◂— endbr64
*R14  0x555555902038 (__do_global_dtors_aux_fini_array_entry) —▸ 0x55555558aac0 (__do_global_dtors_aux) ◂— endbr64
*R15  0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f
*RBP  0x7fffffffb470 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ...
*RSP  0x7fffffffb450 —▸ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 ◂— ...
*RIP  0x555555699519 (utfc_ptr2len+20) ◂— movzx eax, byte ptr [rax]
───────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0x555555699519 <utfc_ptr2len+20>    movzx  eax, byte ptr [rax]
   0x55555569951c <utfc_ptr2len+23>    movzx  eax, al
   0x55555569951f <utfc_ptr2len+26>    mov    dword ptr [rbp - 4], eax
   0x555555699522 <utfc_ptr2len+29>    cmp    dword ptr [rbp - 4], 0
   0x555555699526 <utfc_ptr2len+33>    jne    utfc_ptr2len+45                <utfc_ptr2len+45>
    ↓
   0x555555699532 <utfc_ptr2len+45>    cmp    dword ptr [rbp - 4], 0x7f
   0x555555699536 <utfc_ptr2len+49>    jg     utfc_ptr2len+76                <utfc_ptr2len+76>
    ↓
   0x555555699551 <utfc_ptr2len+76>    mov    rax, qword ptr [rbp - 0x18]
   0x555555699555 <utfc_ptr2len+80>    mov    rdi, rax
   0x555555699558 <utfc_ptr2len+83>    call   utf_ptr2len                <utf_ptr2len>

   0x55555569955d <utfc_ptr2len+88>    mov    dword ptr [rbp - 0xc], eax
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────
In file: /root/test/vim/src/mbyte.c
   2140  */
   2141     int
   2142 utfc_ptr2len(char_u *p)
   2143 {
   2144     int                len;
 ► 2145     int                b0 = *p;
   2146 #ifdef FEAT_ARABIC
   2147     int                prevlen;
   2148 #endif
   2149
   2150     if (b0 == NUL)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffb450 —▸ 0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 ◂— ...
01:0008│     0x7fffffffb458 ◂— 0x0
02:0010│     0x7fffffffb460 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ...
03:0018│     0x7fffffffb468 —▸ 0x555555638c90 (putcmdline+100) ◂— mov eax, dword ptr [rbp - 4]
04:0020│ rbp 0x7fffffffb470 —▸ 0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 ◂— ...
05:0028│     0x7fffffffb478 —▸ 0x555555638d0c (unputcmdline+101) ◂— mov edx, eax
06:0030│     0x7fffffffb480 —▸ 0x7fffffffb540 —▸ 0x7fffffffb5a0 —▸ 0x7fffffffb5c0 —▸ 0x7fffffffb5f0 ◂— ...
07:0038│     0x7fffffffb488 —▸ 0x55555565e74b (vgetorpeek+3187) ◂— jmp 0x55555565e752
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0   0x555555699519 utfc_ptr2len+20
   f 1   0x555555638d0c unputcmdline+101
   f 2   0x55555565e74b vgetorpeek+3187
   f 3   0x55555565b8a6 vgetc+250
   f 4   0x55555565bf9e safe_vgetc+17
   f 5   0x5555556aec0f get_number+126
   f 6   0x5555556aedd7 prompt_for_number+115
   f 7   0x55555578f2b8 spell_suggest+2101
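The crash above happens because utfc_ptr2len reads *p on its first line (mbyte.c:2145) before anything has checked that p is non-NULL, and unputcmdline hands it a NULL pointer. The following C is an added illustration written for this page, not Vim's code: a simplified stand-in for utfc_ptr2len (lead-byte length only, no composing-character handling) in the unguarded shape shown in the crash, next to a guarded variant that returns 0 for NULL instead of faulting. The helper name lead_byte_len is invented for the example.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned char char_u;
#define NUL '\0'

/* Byte length of the UTF-8 sequence starting at p, judged from the lead
 * byte alone. Constructed stand-in for Vim's utf_ptr2len; not Vim code. */
static int lead_byte_len(const char_u *p)
{
    char_u b0 = *p;
    if (b0 < 0x80)            return 1;   /* ASCII */
    if ((b0 & 0xE0) == 0xC0)  return 2;
    if ((b0 & 0xF0) == 0xE0)  return 3;
    if ((b0 & 0xF8) == 0xF0)  return 4;
    return 1;                             /* invalid lead byte: one byte */
}

/* Same prologue as the crashing function: p is dereferenced before any
 * validity check, so p == NULL faults on the first statement. */
int utfc_ptr2len_unguarded(const char_u *p)
{
    int b0 = *p;                          /* SIGSEGV when p == NULL */
    if (b0 == NUL)
        return 0;
    return lead_byte_len(p);
}

/* Hardened variant: a NULL pointer is treated like an empty string. */
int utfc_ptr2len_guarded(const char_u *p)
{
    if (p == NULL)                        /* the guard the crash lacks */
        return 0;
    int b0 = *p;
    if (b0 == NUL)
        return 0;
    return lead_byte_len(p);
}

int main(void)
{
    const char_u *samples[] = { (const char_u *)"a", (const char_u *)"\xC3\xA9",
                                (const char_u *)"\xE2\x82\xAC", NULL };
    for (int i = 0; i < 4; i++)
        printf("sample %d -> %d bytes\n", i, utfc_ptr2len_guarded(samples[i]));
    return 0;
}
```

Where the check belongs in a real fix is a separate decision: the backtrace shows the NULL originates in unputcmdline, so validating the command-line buffer at the caller is equally valid, and the callee guard shown here is only the simplest illustration.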

PoC

https://raw.githubusercontent.com/khoanguyenxuan/testing/main/poc.dat