Zero-Day Research: PicoC Version 3.2.2 Null Pointer Dereference (CVE-2022-34556) Speedrun

PicoC is a miniature code interpreter developed for C scripting. According to their documentation, PicoC was first written as the scripting language for a UAV’s on-board flight system. In this zero-day post we are going to speedrun the discovery of a null pointer dereference (CWE-476) denial of service (DoS) vulnerability in the PicoC interpreter. I discovered the vulnerability using AFL++ and notified the development team immediately. The DoS vulnerability affects PicoC up to version 3.2.2.

Prerequisites

  • C Programming and Compilation 
  • Pointer Dereferencing
  • Basic Understanding of AFL++
  • Denial of Service Vulnerabilities

Disclosure and Disclaimer

The null pointer dereference vulnerability was responsibly disclosed to the PicoC development team. This post was intended for developers who are interested in keeping their applications secure and is for EDUCATIONAL PURPOSES ONLY. I do not condone illegal activity and cannot be held responsible for the misuse of this information.

Speedrun

Let’s get started…

Browse to the PicoC Source Code Directory

Point the Compiler Variable in the Makefile Towards ‘afl-clang-fast

Run the ‘Make’ Command to Build Our Executable

Creating Input/Output Directories and Input Files

Moving Our Input File to the Input Directory and Starting AFL-Fuzz

Scanning the Output For Crashes

Listing the ‘output/default/crashes’ Directory

After opening the crash files we find an interesting crash input:

**4%;

Replicating the Crash With GDB and Verifying the Null Pointer Dereference

Speedrun Complete

Leave a Reply

Your email address will not be published.