cURL 8.4.0 and wget 1.21.4 break if the hostname is too long and they are used together with proxychains.
u2k24 opened this issue · 0 comments
u2k24 commented
I did this
Out of curiosity I tried the payload that became present and popular thanks to GHSA-7xw9-w465-6x42 and got a core dump in curl 8.4.0.
I haven't used the -x modifier directly, so "socks5h" is nowhere to be found in the command; however, I have used proxychains and got the error.
PoC[curl]:
proxychains curl -IL `python -c "print('C'*255 + '.com')"`
Illegal process-id: 1.dump.
warning: Can't open file /dev/zero (deleted) during file-backed mapping note processing
[New LWP 433090]
[New LWP 433089]
Downloading separate debug info for /usr/lib/libproxychains4.so
Downloading separate debug info for /usr/lib/libidn2.so.0
Downloading separate debug info for /usr/lib/libpsl.so.5
Downloading separate debug info for /usr/lib/libgssapi_krb5.so.2
Downloading separate debug info for /usr/lib/libunistring.so.5
Downloading separate debug info for /usr/lib/libkrb5.so.3
Downloading separate debug info for /usr/lib/libk5crypto.so.3
Downloading separate debug info for /usr/lib/libkrb5support.so.0
--Type <RET> for more, q to quit, c to continue without paging--c
Downloading separate debug info for system-supplied DSO at 0x675238dbb000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `curl -IL CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
[Current thread is 1 (Thread 0x675238d626c0 (LWP 433090))]
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x0000675238b3a8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x0000675238aea668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x0000675238ad24b8 in __GI_abort () at abort.c:79
#4 0x0000675238ad23dc in __assert_fail_base (fmt=0x675237fe8fb1 "%s%s%s:%u: %s%sLa declaración `%s' no se cumple.\n%n",
assertion=assertion@entry=0x675238d6d4e6 "l+1 < MSG_LEN_MAX", file=file@entry=0x675238d6d000 "src/allocator_thread.c", line=line@entry=249,
function=function@entry=0x675238d6d978 "threadfunc") at assert.c:92
#5 0x0000675238ae2d26 in __assert_fail (assertion=0x675238d6d4e6 "l+1 < MSG_LEN_MAX", file=0x675238d6d000 "src/allocator_thread.c", line=249,
function=0x675238d6d978 "threadfunc") at assert.c:101
#6 0x0000675238d6c995 in ?? ()
#7 0x0000675238b389eb in start_thread (arg=<optimized out>) at pthread_create.c:444
#8 0x0000675238bbc7cc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
PoC[wget]:
warning: Can't open file /dev/zero (deleted) during file-backed mapping note processing
[New LWP 446993]
[New LWP 446994]
Downloading separate debug info for /usr/lib/libproxychains4.so
Downloading separate debug info for /usr/lib/libidn2.so.0
Downloading separate debug info for /usr/lib/libpsl.so.5
Downloading separate debug info for /usr/lib/libunistring.so.5
Downloading separate debug info for /usr/lib/libtasn1.so.6
Downloading separate debug info for system-supplied DSO at 0x6c3af981a000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
--Type <RET> for more, q to quit, c to continue without paging--c
Core was generated by `wget -O- aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
[Current thread is 1 (Thread 0x6c3af961c980 (LWP 446993))]
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00006c3af92ac8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x00006c3af925c668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00006c3af92444b8 in __GI_abort () at abort.c:79
#4 0x00006c3af92443dc in __assert_fail_base (fmt=0x6c3af8b3afb1 "%s%s%s:%u: %s%sLa declaración `%s' no se cumple.\n%n",
assertion=assertion@entry=0x6c3af97cc146 "msg.h.msgtype == ATM_GETIP", file=file@entry=0x6c3af97cc000 "src/allocator_thread.c", line=line@entry=281,
function=function@entry=0x6c3af97cc960 "at_get_ip_for_host") at assert.c:92
#5 0x00006c3af9254d26 in __assert_fail (assertion=0x6c3af97cc146 "msg.h.msgtype == ATM_GETIP", file=0x6c3af97cc000 "src/allocator_thread.c", line=281,
function=0x6c3af97cc960 "at_get_ip_for_host") at assert.c:101
#6 0x00006c3af97c7714 in at_get_ip_for_host () from /usr/lib/libproxychains4.so
#7 0x00006c3af97cb225 in proxy_gethostbyname () from /usr/lib/libproxychains4.so
#8 0x00006c3af97cb432 in proxy_getaddrinfo () from /usr/lib/libproxychains4.so
#9 0x00000033571f92dd in getaddrinfo_with_timeout_callback (arg=arg@entry=0x701770502c40) at /usr/src/debug/wget/wget-1.21.4/src/host.c:391
#10 0x000000335722a6e6 in run_with_timeout.constprop.0 (timeout=timeout@entry=0, fun=fun@entry=0x33571f92c0 <getaddrinfo_with_timeout_callback>,
arg=arg@entry=0x701770502c40) at /usr/src/debug/wget/wget-1.21.4/src/utils.c:2153
#11 0x00000033571fa97d in getaddrinfo_with_timeout (service=0x0, timeout=0, res=0x701770502c38, hints=0x701770502c70, node=0x3389a31770 'a' <repeats 200 times>...)
at /usr/src/debug/wget/wget-1.21.4/src/host.c:409
#12 lookup_host (host=0x3389a31770 'a' <repeats 200 times>..., flags=<optimized out>) at /usr/src/debug/wget/wget-1.21.4/src/host.c:910
#13 0x00000033571ed613 in connect_to_host (host=0x3389a31770 'a' <repeats 200 times>..., port=80) at /usr/src/debug/wget/wget-1.21.4/src/connect.c:394
#14 0x00000033571fdc3d in establish_connection (u=<optimized out>, conn_ref=0x701770502fd8, hs=0x701770503840, proxy=0x0, proxyauth=0x701770502fe0,
req_ref=0x701770502ff8, using_ssl=0x701770502fc3, inhibit_keep_alive=false, sock_ref=0x701770502fc8) at /usr/src/debug/wget/wget-1.21.4/src/http.c:2123
#15 0x0000003357206e60 in gethttp (u=u@entry=0x3389a31700, original_url=original_url@entry=0x3389a31700, hs=hs@entry=0x701770503840, dt=dt@entry=0x701770503d78,
proxy=proxy@entry=0x0, iri=iri@entry=0x3389a32140, count=<optimized out>) at /usr/src/debug/wget/wget-1.21.4/src/http.c:3324
#16 0x000000335720b12e in http_loop (u=0x3389a31700, original_url=0x3389a31700, newloc=0x701770503b88, local_file=0x701770503b80, referer=<optimized out>,
dt=0x701770503d78, proxy=0x0, iri=0x3389a32140) at /usr/src/debug/wget/wget-1.21.4/src/http.c:4421
#17 0x000000335721497b in retrieve_url (orig_parsed=0x3389a31700, origurl=0x3389a31290 "http://", 'a' <repeats 193 times>..., file=0x701770503d88,
newloc=0x701770503d80, refurl=<optimized out>, dt=0x701770503d78, recursive=false, iri=0x3389a32140, register_status=true)
at /usr/src/debug/wget/wget-1.21.4/src/retr.c:969
#18 0x00000033571ea333 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/wget/wget-1.21.4/src/main.c:2171
Tested on:
curl 8.0.4
proxychains 4.16-2
Clarification:
It was wrongly reported as a bug in curl.
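Both backtraces above end inside proxychains' resolver thread in an assertion on the length of a hostname that is copied into a fixed-size message (`l+1 < MSG_LEN_MAX` in `src/allocator_thread.c`), so an overlong name aborts the whole client process instead of failing the lookup. The C below is an added illustration of that failure mode and its defensive counterpart; it is not proxychains, curl or wget code. It models an unchecked copy guarded only by `assert`, then a hardened variant that validates the name against the RFC 1035 limits (63 characters per label, 253 for the whole name) and returns an error to the caller. The value of `MSG_LEN_MAX`, the `getip_msg` struct and every function name are assumptions; the inputs are constructed to mirror the 255 x 'C' and 200 x 'a' names from the two reports.

```c
#include <assert.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size resolver request; the name MSG_LEN_MAX is from the
 * backtrace, its value and this layout are illustration-only guesses. */
#define MSG_LEN_MAX 256
#define LABEL_MAX    63   /* RFC 1035: max octets per label */
#define HOSTNAME_MAX 253  /* RFC 1035: max textual name length */

struct getip_msg {
    size_t len;
    char   host[MSG_LEN_MAX];
};

/* "Before" shape: only a runtime assertion guards the copy, so a long
 * hostname becomes SIGABRT for the whole process, as in the report. */
int build_msg_unchecked(struct getip_msg *m, const char *host)
{
    size_t l = strlen(host);
    assert(l + 1 < MSG_LEN_MAX);
    memcpy(m->host, host, l + 1);
    m->len = l;
    return 0;
}

/* Check a textual hostname before it reaches any fixed buffer: no empty
 * name or label, labels <= 63, total <= 253, only letters/digits/'-'/'.'.
 * Returns 0 if acceptable, -1 with errno set otherwise. */
int validate_hostname(const char *host)
{
    size_t total = 0, label = 0;

    if (host == NULL || *host == '\0') { errno = EINVAL; return -1; }
    for (const char *p = host; *p != '\0'; p++) {
        if (++total > HOSTNAME_MAX) { errno = ENAMETOOLONG; return -1; }
        if (*p == '.') {
            if (label == 0) { errno = EINVAL; return -1; }  /* ".a", "a..b" */
            label = 0;
            continue;
        }
        if (!isalnum((unsigned char)*p) && *p != '-') { errno = EINVAL; return -1; }
        if (++label > LABEL_MAX) { errno = ENAMETOOLONG; return -1; }
    }
    return 0;
}

/* "After" shape: validate, bound the copy by the destination size, and
 * hand the failure back to the caller instead of aborting. */
int build_msg_checked(struct getip_msg *m, const char *host)
{
    if (validate_hostname(host) != 0)
        return -1;
    size_t l = strlen(host);
    if (l + 1 > sizeof m->host) { errno = ENAMETOOLONG; return -1; }
    memcpy(m->host, host, l + 1);
    m->len = l;
    return 0;
}

static int try_host(const char *host)
{
    struct getip_msg m;
    return build_msg_checked(&m, host);
}

/* Constructed input mirroring the curl PoC: 255 'C' followed by ".com". */
int poc_curl_case(void)
{
    char buf[260];
    memset(buf, 'C', 255);
    memcpy(buf + 255, ".com", 5);
    return try_host(buf);      /* -1: first label is 255 chars > LABEL_MAX */
}

/* Constructed input mirroring the wget backtrace: 200 'a', no dots. */
int poc_wget_case(void)
{
    char buf[201];
    memset(buf, 'a', 200);
    buf[200] = '\0';
    return try_host(buf);      /* -1: single label of 200 chars */
}

/* Well-formed name: returns the stored length (11), or -1 on failure. */
int normal_case(void)
{
    struct getip_msg m;
    if (build_msg_checked(&m, "example.com") != 0)
        return -1;
    return (int)m.len;
}

int main(void)
{
    printf("curl-style input:  %d\n", poc_curl_case());
    printf("wget-style input:  %d\n", poc_wget_case());
    printf("example.com len:   %d\n", normal_case());
    return 0;
}
```

The point of the hardened variant is where the failure surfaces: a library loaded into someone else's process (as proxychains is via LD_PRELOAD) should return a resolver error for malformed input rather than call abort(), because the assertion takes down the host program, which is exactly the SIGABRT both traces show.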