Jump to content
awnly3jhc2g

Binary File Descriptor Library (libbfd) - Out-of-Bounds Crash

Recommended Posts

Posted

Many shell users, and certainly a lot of the people working in computer forensics or other fields of information security, have a habit of running /usr/bin/strings on binary files originating from the Internet. Their understanding is that the tool simply scans the file for runs of printable characters and dumps them to stdout - something that is very unlikely to put you at any risk.

It is much less known that the Linux version of strings is an integral part of GNU binutils, a suite of tools that specializes in the manipulation of several dozen executable formats using a bundled library called libbfd. Other well-known utilities in that suite include objdump and readelf.

Perhaps simply by the virtue of being a part of that bundle, the strings utility tries to leverage the common libbfd infrastructure to detect supported executable formats and "optimize" the process by extracting text only from specific sections of the file. Unfortunately, the underlying library can be hardly described as safe: a quick pass with afl [1] (and probably with any other competent fuzzer) quickly reveals a range of troubling and likely exploitable out-of-bounds crashes due to very limited range checking. In binutils 2.24, you can try:

$ wget http://lcamtuf.coredump.cx/strings-bfd-badptr2

EDB Mirror: http://www.exploit-db.com/sploits/35081

...

$ strings strings-bfd-badptr2

Segmentation fault

...

strings[24479]: segfault at 4141416d ip 0807a4e7 sp bf80ca60 error 4

in strings[8048000+9a000]

...

******while (--n_elt != 0)

********if ((++idx)->shdr->bfd_section)

**********elf_sec_group (idx->shdr->bfd_section) = shdr->bfd_section;

...

(gdb) p idx->shdr

$1 = (Elf_Internal_Shdr *) 0x41414141

In other words, this code appears to first read and then write to an arbitrary pointer (0x41414141) taken from the input file. Many Linux distributions ship strings without ASLR, making potential attacks easier and more reliable - a situation reminiscent of one of CVE-2014-6277 in bash [2].

Interestingly, the problems with the utility aren't exactly new; Tavis spotted the first signs of trouble in other parts of libbfd some nine years ago [3].

In any case: the bottom line is that if you are used to running strings on random files, or depend on any libbfd-based tools for forensic purposes, you should probably change your habits. For strings specifically, invoking it with the -a parameter seems to inhibit the use of libbfd. Distro vendors may want to consider making the -a mode default, too.

[1] Obligatory plug: american-fuzzy-lop - A practical, instrumentation-driven fuzzer for binary formats - Google Project Hosting

[2] lcamtuf's blog: Bash bug: the other two RCEs, or how we chipped away at the original fix (CVE-2014-6277 and '78)

[3] https://bugs.gentoo.org/show_bug.cgi?id=91398

Sursa exploit-db

Am preferat sa pun acest articol, deoarece eu folosesc strings destul de des, prin urmare, sunt de parere ca este un articol folositor si informativ, sper sa va fie si voua.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...