linux GNU Binutils has a 9 year old securityproblem finally getting some attention

"It is much less known that the Linux version of strings is an integral part of GNU binutils, a suite of tools that specializes in the manipulation of several dozen executable formats using a bundled library called libbfd. Other well-known utilities in that suite include objdump and readelf.

Perhaps simply by the virtue of being a part of that bundle, the strings utility tries to leverage the common libbfd infrastructure to detect supported executable formats and "optimize" the process by extracting text only from specific sections of the file. Unfortunately, the underlying library can be hardly described as safe: a quick pass with afl (and probably with any other competent fuzzer) quickly reveals a range of troubling and likely exploitable out-of-bounds crashes due to very limited range checking, say:

$ wget http://lcamtuf.coredump.cx/strings-bfd-badptr2
$ strings strings-bfd-badptr2
Segmentation fault
strings[24479]: segfault at 4141416d ip 0807a4e7 sp bf80ca60 error 4 in strings[8048000+9a000]
      while (--n_elt != 0)
        if ((++idx)->shdr->bfd_section)                                ← Read from an attacker-controlled pointer
          elf_sec_group (idx->shdr->bfd_section) = shdr->bfd_section;  ← Write to an attacker-controlled pointer
(gdb) p idx->shdr
$1 = (Elf_Internal_Shdr *) 0x41414141

The 0x41414141 pointer being read and written by the code comes directly from that proof-of-concept file and can be freely modified by the attacker to try overwriting program control structures. Many Linux distributions ship strings without ASLR, making potential attacks easier and more reliable - a situation reminiscent of one of the recent bugs in bash. Interestingly, the problems with the utility aren't exactly new; Tavis spotted the first signs of trouble some nine years ago.

it looks like when you start really looking under the cap of the car in the motor of linux that there are some problems hidden that nobody found serious enough to fix

meanwhile the propaganda that open source is more secure because the source is available and many people use it is just propaganda because it is not important how many people have looked at it or use it, it is important how many securitypeople had how many resources and how much time to investigate the code and correct it and retest it

Permalink | |  Print |  Facebook | | | | Pin it! |

The comments are closed.