[PATCH] CVE-2024-58251 - ANSI terminal escape sequence potential local denial of service
Valery Ushakov
uwe at NetBSD.org
Fri Aug 22 15:22:03 UTC 2025
On Thu, Aug 21, 2025 at 22:56:20 +0000, Kyle Steere wrote:
> In BusyBox netstat, local users can launch a network application with an
> argv[0] containing ANSI terminal escape sequences, leading to a denial of
> service (terminal locked up) when netstat is used by a victim.
>
> This patch sanitizes the process name before storing it in the cache,
> replacing any non-printable characters (including escape sequences) with
> '?'.
>
> CVE-2024-58251: https://nvd.nist.gov/vuln/detail/CVE-2024-58251

This might, pedantically speaking, tick off the CVE as reported, but
the very same process will trigger the exact same problem with ps(1)
&c that sanitizes C0 controls, but doesn't sanitize C1 controls (and
doesn't sanitize the {comm} part at all, btw, even for C0). I
recently posted about that, but got no feedback:

https://lists.busybox.net/pipermail/busybox/2025-August/091682.html
https://lists.busybox.net/pipermail/busybox/2025-August/091683.html

With ps &c you don't even need the argv[0] trickery that you need with
netstat (as netstat only shows argv[0]), just passing the offending
string as an argument is enough.

The attached patch tries to address that issue too. It's probably
better done with some refactoring, but for now I did it defadvice
style. It's not very thoroughly tested.

As explained in the second patch description, you cannot make this
completely fool-proof, b/c C1 bytes may be part of UTF-8 encoding for
normal characters.

-uwe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-netstat-CVE-2024-58251-sanitize-argv0-for-p.patch
Type: text/x-diff
Size: 1674 bytes
Desc: not available
URL: <http://lists.busybox.net/pipermail/busybox/attachments/20250822/f286b11a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-read_cmdline-wrap-in-printable_string.patch
Type: text/x-diff
Size: 4293 bytes
Desc: not available
URL: <http://lists.busybox.net/pipermail/busybox/attachments/20250822/f286b11a/attachment-0001.bin>