exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

gdbupx-overflow.txt

gdbupx-overflow.txt
Posted Jun 6, 2007
Authored by Lau KaiJern

GDB versions 6.6 and above suffer from a buffer overflow vulnerability.

tags | advisory, overflow
SHA-256 | b27ad2bcdb6a587d53ab34591698395b86c8e5844ea6001722e665e65bb4310d

gdbupx-overflow.txt

Change Mirror Download
Title : GBD UPX File Handling Buffer Overflow Vulnerability

security.net.my Advisory: SNMY200706_01
Release Date : 2007-06-02
Last Update : 2007-06-02
Critical : Low
Impact : System access
Where : From Local
Solution Status : None
Software : GDB 6.6 and above
CVE reference : None
Related Files : http://blog.xwings.net/?p=71

****************************************************
** Description :
****************************************************

A vulnerability has been reported in GDB, which possible exploited by
malicious people
to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in "coffread.c" when
unpacking
executable files compressed with UPX. This can be exploited to cause a buffer
overflow
and potentially allows arbitrary code execution via a specially-crafted UPX
packed file.

The vulnerability has been reported in versions 6.6 till the lastest CVS.


****************************************************
** Provided and/or discovered by :
****************************************************

Discovered by KaiJern, Lau. (xwings<at>security<dot>net<dot>my)

****************************************************
** Changelog:
****************************************************

2007-06-02: Bug being published.

****************************************************
** Crashing GDB :
****************************************************

$ file gdbupx
gdbupx: MS-DOS executable PE for MS Windows (console) Intel 80386 32-bit, UPX
compressed

$ upx -d gdbupx
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006
File size Ratio Format Name
-------------------- ------ ----------- -----------
upx: gdbupx: CantUnpackException: exe header corrupte.e
Unpacked 0 files.

$ gdb -v
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".

$ gdb gdbtest/bin/gdb
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".
Really redefine built-in command "frame"? (y or n) [answered Y; input not from
terminal]
Really redefine built-in command "thread"? (y or n) [answered Y; input not
from terminal]
Really redefine built-in command "start"? (y or n) [answered Y; input not from
terminal]

gdb>r gdbupx
GNU gdb 6.6.50.20070531-cvs
Copyright (C) 2007 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...

Program received signal SIGSEGV, Segmentation fault.
_______________________________________________________________________________
eax:08334F70 ebx:00000000 ecx:08337168 edx:082C3240 eflags:00210246
esi:0833D320 edi:0833D34C esp:BF8E54D0 ebp:BF8E54F8 eip:0814CD82
cs:0073 ds:007B es:007B fs:0000 gs:0033 ss:007B o d I t s Z a P c
[007B:BF8E54D0]---------------------------------------------------------[stack]
BF8E5500 : 80 02 00 00 00 00 00 00 - FC 01 00 00 00 00 00
00 ................
BF8E54F0 : 30 00 00 00 F0 55 8E BF - 38 56 8E BF 50 D7 14 08
0....U..8V..P...
BF8E54E0 : 68 71 33 08 F4 BD 2E 08 - F0 55 8E BF 00 00 00 00
hq3......U......
BF8E54D0 : 31 2D 25 08 FF FF FF FF - F8 54 8E BF 7D C0 14 08
1-%......T..}...
[007B:0833D320]---------------------------------------------------------[
data]
0833D320 : 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00
00 ................
0833D330 : 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00
00 ................
[0073:0814CD82]---------------------------------------------------------[
code]
0x814cd82 <process_coff_symbol+130>: movzx eax,BYTE PTR [ebx]
0x814cd85 <process_coff_symbol+133>: cmp al,BYTE PTR [edx+24]
0x814cd88 <process_coff_symbol+136>: mov BYTE PTR [esi+12],0x1
0x814cd8c <process_coff_symbol+140>: mov DWORD PTR [esp+12],ecx
0x814cd90 <process_coff_symbol+144>: sete al
0x814cd93 <process_coff_symbol+147>: movzx eax,al
------------------------------------------------------------------------------
0x0814cd82 in process_coff_symbol (cs=0xbf8e55f0, aux=0x82ebdf4,
objfile=0x8337168) at coffread.c:1482
1482 name = EXTERNAL_NAME (name, objfile->obfd);
gdb>bt
#0 0x0814cd82 in process_coff_symbol (cs=0xbf8e55f0, aux=0x82ebdf4,
objfile=0x8337168) at coffread.c:1482
#1 0x0814d750 in coff_symfile_read (objfile=0x8337168, mainline=0x1) at
coffread.c:1084
#2 0x08108ff3 in syms_from_objfile (objfile=0x8337168, addrs=0x833e280,
offsets=0x0, num_offsets=0x0, mainline=0x1, verbo=0x0) at symfile.c:876
#3 0x081093de in symbol_file_add_with_addrs_or_offsets (abfd=0x8334f70,
from_tty=0x0, addrs=0x0, offsets=0x0, num_offsets=0x0, mainline=0x1,
flags=0x0) at symfile.c:988
#4 0x0810a265 in symbol_file_add_main_1 (args=0x8334f70 "\001",
from_tty=0x82c3240,
flags=<value optimized out>) at symfile.c:1121
#5 0x08121b92 in catch_command_errors (command=0x810a3f0
<symbol_file_add_main>,
arg=0xbf8e72ad "../../gdbupx", from_tty=0x0, mask=0x6) at exceptions.c:530
#6 0x0807eb38 in captured_main (data=0xbf8e58f4) at .././gdb/main.c:728
#7 0x08121c2b in catch_errors (func=0x807e1e0 <captured_main>,
func_args=0xbf8e58f4,
errstring=0x8252d31 "", mask=0x6) at exceptions.c:515
#8 0x0807e193 in gdb_main (args=0xbf8e58f4) at .././gdb/main.c:881
#9 0x0807e155 in main (argc=0x0, argv=0x8332df0) at gdb.c:35

****************************************************
** Thanks To :
****************************************************

i. BSDaemon @ kernelhacking.com
ii. RedDragon @ thc
iii. Committee Members of hackinthebox.org
iv. pulltheplug.org

--
--

Regards,
xWinGs aka KJ, Lau

==

All good things ...
come by grace, and grace come by art, and art does not come easy.

** From : xwings (at) security (dot) net (dot) my

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close