From: pajexali at gmail dot com
Subject: [Bug binutils/23963] New: objdump unsafely prints control characters from string table
Date: Sat, 08 Dec 2018 11:29:48 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=23963

            Bug ID: 23963
           Summary: objdump unsafely prints control characters from string
                    table
           Product: binutils
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: pajexali at gmail dot com
  Target Milestone: ---

Created attachment 11440
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11440&action=edit
Example solution for objdump.c

objdump unsafely prints control characters from a binary's string table.

A binary's string table can be modified to include control characters that are
executed by a terminal emulator when the binary is dumped with objdump -d.

Depending on the terminal emulator, I found this could allow an attacker to:

 * precisely change the objdump disassembly to mask the existence of functions
and instructions
 * generally clobber the objdump disassembly making its output useless for
analysing the binary
 * show intimidating messages as part of a psychological warfare tactic
 * exploit vulnerabilities in the terminal emulator to attack the objdump user

The heavy dependence on objdump for reverse engineering, malware and binary
analysis means this behaviour opens an interesting avenue for anti-reverse
engineering techniques as well as direct attacks against the objdump user.

More generally, we've seen since the most commonly referenced write up on the
topic (https://marc.info/?l=bugtraq&m=104612710031920&q=p3), that terminal
emulators quite often contain escape sequence vulnerabilities with serious
impacts to their users.

---

To reproduce this bug:

 1. Take any binary and replace the main function's symbol in the string table
with a control sequence:

objcopy --redefine-sym "main=^[[31m" test test2

 2. Run the modified binary and observe that the latter half is printed in red:

objdump -d test2

 3. The same works for section symbols:

objcopy --rename-section '.text=^[[31m' test test2
objdump -d test2

---

The solution:

From my investigation it looks like the printing of symbols from the string
table occurs in numerous locations in both objdump.c and various bfd related
functions.

Generally my suggestion would be to encode the control character 0x1b as the
hat symbol '^'; the same way readelf does.

I've attached a patch that shows how this approach can fix control characters
included in function name symbols (caused by objdump_print_symname()) but this
does not address the problem for sections and possibly other kinds of symbols.

For example, in objdump_print_addr_with_sym the section name is printed with
printf in this kind of construction:

printf("<%s", bfd_get_section_name(abfd, sec));

Please let me know what you think of the proposed patch and if you would like
further help investigating a holistic solution.
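The report above suggests rendering the ESC byte in caret notation the way readelf does, and notes that section names reach printf unfiltered. The following C function is an added example written for this archive page; it is not the attached patch and not binutils code. It escapes every C0 control byte (0x00-0x1f) as '^' plus the byte + 0x40, so ESC 0x1b becomes "^[", and renders DEL 0x7f as "^?" (the DEL mapping is this example's own choice). It also returns how many bytes it had to escape, so the same routine doubles as a tamper check for symbol and section names. The names in main() are constructed samples modelled on the objcopy commands in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy a symbol or section name into out, replacing each control byte with
   caret notation so that nothing in the name can drive the terminal.
   0x00-0x1f  -> '^' followed by (byte + 0x40), e.g. ESC 0x1b -> "^["
   0x7f (DEL) -> "^?"                     (this example's own convention)
   Bytes >= 0x80 are passed through unchanged; handling of C1 controls
   and UTF-8 is out of scope here.
   The output is always NUL-terminated and never exceeds outlen-1 bytes.
   Returns the number of control bytes that were escaped. */
size_t escape_control_chars(const char *in, char *out, size_t outlen)
{
    size_t escaped = 0, o = 0;

    if (outlen == 0)
        return 0;

    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        unsigned char c = *p;

        if (c < 0x20 || c == 0x7f) {
            if (o + 2 >= outlen)          /* no room for two bytes + NUL */
                break;
            out[o++] = '^';
            out[o++] = (c == 0x7f) ? '?' : (char)(c + 0x40);
            escaped++;
        } else {
            if (o + 1 >= outlen)          /* no room for one byte + NUL */
                break;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed names: what objcopy --redefine-sym / --rename-section
       would leave in the string table per the report. */
    const char *names[] = { "main", "\x1b[31m", ".text", "\x1b[2J\x1b[H" };
    char safe[64];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        size_t n = escape_control_chars(names[i], safe, sizeof safe);
        /* Mirrors the "<%s" construction from objdump_print_addr_with_sym,
           but with the escaped copy instead of the raw name. */
        printf("<%s>  (%zu control byte%s escaped)\n",
               safe, n, n == 1 ? "" : "s");
    }
    return 0;
}
```

A non-zero return value is a cheap signal that a string table has been tampered with in this way; a tool wrapping objdump could log it before printing anything.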
