rofl0r/proxychains-ng

cURL 8.4.0 and wget 1.21.4 break if the hostname is too long and they are used together with proxychains.

u2k24 opened this issue · 0 comments

u2k24 commented

I did this

Out of curiosity I tried the payload that became popular thanks to GHSA-7xw9-w465-6x42 and got a core dump in curl 8.4.0.

I didn't use the -x option directly, so "socks5h" is nowhere to be found in the command; however, I did use proxychains and got the error.

PoC[0]:

proxychains curl -IL "$(python -c "print('C'*255)").com"

warning: Can't open file /dev/zero (deleted) during file-backed mapping note processing
[New LWP 433090]
[New LWP 433089]
Downloading separate debug info for /usr/lib/libproxychains4.so
Downloading separate debug info for /usr/lib/libidn2.so.0                                                                                                                 
Downloading separate debug info for /usr/lib/libpsl.so.5                                                                                                                  
Downloading separate debug info for /usr/lib/libgssapi_krb5.so.2                                                                                                          
Downloading separate debug info for /usr/lib/libunistring.so.5                                                                                                            
Downloading separate debug info for /usr/lib/libkrb5.so.3                                                                                                                 
Downloading separate debug info for /usr/lib/libk5crypto.so.3                                                                                                             
Downloading separate debug info for /usr/lib/libkrb5support.so.0                                                                                                          
Downloading separate debug info for system-supplied DSO at 0x675238dbb000
[Thread debugging using libthread_db enabled]                                                                                                                             
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `curl -IL CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44            return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;                                                                                   
[Current thread is 1 (Thread 0x675238d626c0 (LWP 433090))]

(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x0000675238b3a8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x0000675238aea668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x0000675238ad24b8 in __GI_abort () at abort.c:79
#4  0x0000675238ad23dc in __assert_fail_base (fmt=0x675237fe8fb1 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=assertion@entry=0x675238d6d4e6 "l+1 < MSG_LEN_MAX", file=file@entry=0x675238d6d000 "src/allocator_thread.c", line=line@entry=249, 
    function=function@entry=0x675238d6d978 "threadfunc") at assert.c:92
#5  0x0000675238ae2d26 in __assert_fail (assertion=0x675238d6d4e6 "l+1 < MSG_LEN_MAX", file=0x675238d6d000 "src/allocator_thread.c", line=249, 
    function=0x675238d6d978 "threadfunc") at assert.c:101
#6  0x0000675238d6c995 in ?? ()
#7  0x0000675238b389eb in start_thread (arg=<optimized out>) at pthread_create.c:444
#8  0x0000675238bbc7cc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

PoC[wget]:

warning: Can't open file /dev/zero (deleted) during file-backed mapping note processing
[New LWP 446993]
[New LWP 446994]
Downloading separate debug info for /usr/lib/libproxychains4.so
Downloading separate debug info for /usr/lib/libidn2.so.0                                                                                                                 
Downloading separate debug info for /usr/lib/libpsl.so.5                                                                                                                  
Downloading separate debug info for /usr/lib/libunistring.so.5                                                                                                            
Downloading separate debug info for /usr/lib/libtasn1.so.6                                                                                                                
Downloading separate debug info for system-supplied DSO at 0x6c3af981a000                                                                                                 
[Thread debugging using libthread_db enabled]                                                                                                                             
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `wget -O- aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44            return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;                                                                                   
[Current thread is 1 (Thread 0x6c3af961c980 (LWP 446993))]

(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00006c3af92ac8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00006c3af925c668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00006c3af92444b8 in __GI_abort () at abort.c:79
#4  0x00006c3af92443dc in __assert_fail_base (fmt=0x6c3af8b3afb1 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=assertion@entry=0x6c3af97cc146 "msg.h.msgtype == ATM_GETIP", file=file@entry=0x6c3af97cc000 "src/allocator_thread.c", line=line@entry=281, 
    function=function@entry=0x6c3af97cc960 "at_get_ip_for_host") at assert.c:92
#5  0x00006c3af9254d26 in __assert_fail (assertion=0x6c3af97cc146 "msg.h.msgtype == ATM_GETIP", file=0x6c3af97cc000 "src/allocator_thread.c", line=281, 
    function=0x6c3af97cc960 "at_get_ip_for_host") at assert.c:101
#6  0x00006c3af97c7714 in at_get_ip_for_host () from /usr/lib/libproxychains4.so
#7  0x00006c3af97cb225 in proxy_gethostbyname () from /usr/lib/libproxychains4.so
#8  0x00006c3af97cb432 in proxy_getaddrinfo () from /usr/lib/libproxychains4.so
#9  0x00000033571f92dd in getaddrinfo_with_timeout_callback (arg=arg@entry=0x701770502c40) at /usr/src/debug/wget/wget-1.21.4/src/host.c:391
#10 0x000000335722a6e6 in run_with_timeout.constprop.0 (timeout=timeout@entry=0, fun=fun@entry=0x33571f92c0 <getaddrinfo_with_timeout_callback>, 
    arg=arg@entry=0x701770502c40) at /usr/src/debug/wget/wget-1.21.4/src/utils.c:2153
#11 0x00000033571fa97d in getaddrinfo_with_timeout (service=0x0, timeout=0, res=0x701770502c38, hints=0x701770502c70, node=0x3389a31770 'a' <repeats 200 times>...)
    at /usr/src/debug/wget/wget-1.21.4/src/host.c:409
#12 lookup_host (host=0x3389a31770 'a' <repeats 200 times>..., flags=<optimized out>) at /usr/src/debug/wget/wget-1.21.4/src/host.c:910
#13 0x00000033571ed613 in connect_to_host (host=0x3389a31770 'a' <repeats 200 times>..., port=80) at /usr/src/debug/wget/wget-1.21.4/src/connect.c:394
#14 0x00000033571fdc3d in establish_connection (u=<optimized out>, conn_ref=0x701770502fd8, hs=0x701770503840, proxy=0x0, proxyauth=0x701770502fe0, 
    req_ref=0x701770502ff8, using_ssl=0x701770502fc3, inhibit_keep_alive=false, sock_ref=0x701770502fc8) at /usr/src/debug/wget/wget-1.21.4/src/http.c:2123
#15 0x0000003357206e60 in gethttp (u=u@entry=0x3389a31700, original_url=original_url@entry=0x3389a31700, hs=hs@entry=0x701770503840, dt=dt@entry=0x701770503d78, 
    proxy=proxy@entry=0x0, iri=iri@entry=0x3389a32140, count=<optimized out>) at /usr/src/debug/wget/wget-1.21.4/src/http.c:3324
#16 0x000000335720b12e in http_loop (u=0x3389a31700, original_url=0x3389a31700, newloc=0x701770503b88, local_file=0x701770503b80, referer=<optimized out>, 
    dt=0x701770503d78, proxy=0x0, iri=0x3389a32140) at /usr/src/debug/wget/wget-1.21.4/src/http.c:4421
#17 0x000000335721497b in retrieve_url (orig_parsed=0x3389a31700, origurl=0x3389a31290 "http://", 'a' <repeats 193 times>..., file=0x701770503d88, 
    newloc=0x701770503d80, refurl=<optimized out>, dt=0x701770503d78, recursive=false, iri=0x3389a32140, register_status=true)
    at /usr/src/debug/wget/wget-1.21.4/src/retr.c:969
#18 0x00000033571ea333 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/wget/wget-1.21.4/src/main.c:2171

Tested on:

curl 8.0.4
proxychains 4.16-2

Clarification:

It was wrongly reported as a bug in Curl.
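Both backtraces above end in an assertion inside the request/reply path of proxychains' allocator thread (`l+1 < MSG_LEN_MAX` in threadfunc, `msg.h.msgtype == ATM_GETIP` in at_get_ip_for_host). An assert is the wrong tool for a bound on input the program does not control: a hostname can come from the command line or, with `curl -L`, from a remote redirect, and the assert turns an overlong one into a SIGABRT of the whole client process instead of a failed lookup. The program below is an added example, not proxychains code and not the reporter's, that models the same pattern: a fixed-size lookup request filled under an assert beside a checked variant that rejects the name and lets the caller report a failed lookup. The value of MSG_LEN_MAX, the struct layout and every function name are assumptions for illustration; the DNS limits (253 characters for a name, 63 per label) are the RFC 1035 text-form limits.

```c
/* Added example: a fixed-size resolver request guarded by an assert versus
 * a checked version. Not proxychains code; MSG_LEN_MAX, the struct layout
 * and all function names are assumed for illustration. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_LEN_MAX 256     /* assumed: the real value is not on the page */
#define DNS_NAME_MAX 253    /* RFC 1035: longest text-form hostname */
#define DNS_LABEL_MAX 63    /* RFC 1035: longest single label */

struct getip_req {
    size_t len;
    char name[MSG_LEN_MAX];
};

/* Variant 1: the shape of the failure in the backtraces. The bound on the
 * fixed buffer is an assert, so an overlong name aborts the whole process
 * (SIGABRT) rather than failing this one lookup. */
void fill_request_assert(struct getip_req *r, const char *host) {
    size_t l = strlen(host);
    assert(l + 1 < MSG_LEN_MAX);
    memcpy(r->name, host, l + 1);
    r->len = l;
}

/* Could any resolver answer this name at all? Rejects empty names, empty
 * labels (leading dot, ".."), labels over 63 chars, names over 253 chars,
 * and anything that would not fit the request buffer. Returns 1 if it fits. */
int hostname_fits(const char *host) {
    size_t total = 0, label = 0;
    for (const char *p = host; *p; p++) {
        total++;
        if (*p == '.') {
            if (label == 0) return 0;      /* empty label */
            label = 0;
        } else if (++label > DNS_LABEL_MAX) {
            return 0;
        }
    }
    if (total == 0 || total > DNS_NAME_MAX) return 0;
    if (total + 1 >= MSG_LEN_MAX) return 0; /* same bound the assert enforces */
    return 1;
}

/* Variant 2: hardened. Returns -1 so the caller can map it to a failed
 * lookup (for instance EAI_NONAME from a getaddrinfo wrapper) and keep
 * running; the memcpy is safe because hostname_fits bounded the length. */
int fill_request_checked(struct getip_req *r, const char *host) {
    if (!hostname_fits(host)) return -1;
    size_t l = strlen(host);
    memcpy(r->name, host, l + 1);
    r->len = l;
    return 0;
}

/* Build a PoC-style name: n copies of c followed by ".com" (the curl PoC
 * above uses n = 255). Returns the name length, or 0 if it does not fit. */
size_t make_poc_host(char *out, size_t cap, size_t n, char c) {
    size_t need = n + 4;
    if (need + 1 > cap) return 0;
    memset(out, c, n);
    memcpy(out + n, ".com", 5);
    return need;
}

/* 1 if the checked path accepts the PoC name, 0 if it rejects it,
 * -1 if the name could not be built. */
int check_poc_host(size_t n, char c) {
    static char host[1024];
    struct getip_req req;
    if (make_poc_host(host, sizeof host, n, c) == 0) return -1;
    return fill_request_checked(&req, host) == 0 ? 1 : 0;
}

int main(void) {
    size_t sizes[] = { 60, 63, 64, 255 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%3zu x 'C' + .com -> %s\n", sizes[i],
               check_poc_host(sizes[i], 'C') == 1 ? "accepted" : "rejected");
    return 0;
}
```

The 255-character label from the PoC is rejected by the checked variant on the label limit alone, before the buffer bound is ever reached; the 200-character label in the wget trace fails the same way. The point is where the bound lives: a check that returns an error keeps the LD_PRELOADed library from taking the host process down with it, while the assert makes any caller of the hooked resolver abort on a name the real resolver would simply refuse.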