what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

libbfd Out Of Bounds

libbfd Out Of Bounds
Posted Oct 27, 2014
Authored by Michal Zalewski

Zalewski has noted that binaries which have dependencies on libbfd may be leveraged for attacks due to libbfd having a large range of possibly exploitable out-of-bounds crashes.

tags | advisory
SHA-256 | 482143b943dd09a0acc6d1703848e32a2c8bccd80bde134ced14a899fc368d68

libbfd Out Of Bounds

Change Mirror Download
Yo,

Many shell users, and certainly a lot of the people working in
computer forensics or other fields of information security, have a
habit of running /usr/bin/strings on binary files originating from the
Internet. Their understanding is that the tool simply scans the file
for runs of printable characters and dumps them to stdout - something
that is very unlikely to put you at any risk.

It is much less known that the Linux version of strings is an integral
part of GNU binutils, a suite of tools that specializes in the
manipulation of several dozen executable formats using a bundled
library called libbfd. Other well-known utilities in that suite
include objdump and readelf.

Perhaps simply by the virtue of being a part of that bundle, the
strings utility tries to leverage the common libbfd infrastructure to
detect supported executable formats and "optimize" the process by
extracting text only from specific sections of the file.
Unfortunately, the underlying library can be hardly described as safe:
a quick pass with afl [1] (and probably with any other competent
fuzzer) quickly reveals a range of troubling and likely exploitable
out-of-bounds crashes due to very limited range checking. In binutils
2.24, you can try:

$ wget http://lcamtuf.coredump.cx/strings-bfd-badptr2
...
$ strings strings-bfd-badptr2
Segmentation fault
...
strings[24479]: segfault at 4141416d ip 0807a4e7 sp bf80ca60 error 4
in strings[8048000+9a000]
...
while (--n_elt != 0)
if ((++idx)->shdr->bfd_section)
elf_sec_group (idx->shdr->bfd_section) = shdr->bfd_section;
...
(gdb) p idx->shdr
$1 = (Elf_Internal_Shdr *) 0x41414141

In other words, this code appears to first read and then write to an
arbitrary pointer (0x41414141) taken from the input file. Many Linux
distributions ship strings without ASLR, making potential attacks
easier and more reliable - a situation reminiscent of one of
CVE-2014-6277 in bash [2].

Interestingly, the problems with the utility aren't exactly new; Tavis
spotted the first signs of trouble in other parts of libbfd some nine
years ago [3].

In any case: the bottom line is that if you are used to running
strings on random files, or depend on any libbfd-based tools for
forensic purposes, you should probably change your habits. For strings
specifically, invoking it with the -a parameter seems to inhibit the
use of libbfd. Distro vendors may want to consider making the -a mode
default, too.

[1] Obligatory plug: http://code.google.com/p/american-fuzzy-lop/
[2] http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
[3] https://bugs.gentoo.org/show_bug.cgi?id=91398
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close