https://sourceware.org/bugzilla/show_bug.cgi?id=23963
Bug ID: 23963
Summary: objdump unsafely prints control characters from string table
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: pajexali at gmail dot com
Target Milestone: ---

Created attachment 11440
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11440&action=edit
Example solution for objdump.c

objdump unsafely prints control characters from a binary's string table. A binary's string table can be modified to include control characters that are executed by a terminal emulator when the binary is dumped with objdump -d.

Depending on the terminal emulator, I found this could allow an attacker to:

* precisely change the objdump disassembly to mask the existence of functions and instructions
* generally clobber the objdump disassembly, making its output useless for analysing the binary
* show intimidating messages as part of a psychological warfare tactic
* exploit vulnerabilities in the terminal emulator to attack the objdump user

The heavy dependence on objdump for reverse engineering, malware and binary analysis means this behaviour opens an interesting avenue for anti-reverse-engineering techniques as well as direct attacks against the objdump user. More generally, we've seen since the most commonly referenced write-up on the topic (https://marc.info/?l=bugtraq&m=104612710031920&q=p3) that terminal emulators quite often contain escape sequence vulnerabilities with serious impacts for their users.

---

To reproduce this bug:

1. Take any binary and replace the main function's symbol in the string table with a control sequence:

   objcopy --redefine-sym "main=^[[31m" test test2

2. Run the modified binary and observe that the latter half is printed in red:

   objdump -d test2

3. The same works for section symbols:

   objcopy --rename-section '.text=^[[31m' test test2
   objdump -d test2

---

The solution:

From my investigation it looks like the printing of symbols from the string table occurs in numerous locations in both objdump.c and various bfd-related functions. Generally my suggestion would be to encode the control character 0x1b as the hat symbol '^', the same way readelf does.

I've attached a patch that shows how this approach can fix control characters included in function name symbols (caused by objdump_print_symname()), but this does not address the problem for sections and possibly other kinds of symbols. For example, in objdump_print_addr_with_sym the section name is printed with printf in this kind of construction:

   printf("<%s", bfd_get_section_name(abfd, sec));

Please let me know what you think of the proposed patch and if you would like further help investigating a holistic solution.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
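As an added example (not the reporter's attached patch and not binutils code), the following C shows the kind of escaping the report proposes for objdump_print_symname() and the section-name printf: every control byte in a symbol or section name is rewritten before it reaches the terminal, so the objcopy'd name "\x1b[31m" from the reproduction steps prints as "^[[31m" instead of switching the terminal to red. The mapping used here (control byte c printed as '^' followed by c + 0x40, DEL as "^?", bytes >= 0x80 passed through so UTF-8 names survive) is my assumption about the readelf convention the report refers to; the function names and the sample name are hypothetical.

```c
/* Added example, not binutils code: escape control bytes in a symbol or
   section name before printing it, in the '^'-prefixed style the bug
   report attributes to readelf (exact mapping assumed, see lead-in). */
#include <stdio.h>
#include <string.h>

/* Write an escaped copy of name into out (NUL-terminated, truncated to
   outsz).  Returns the number of bytes the complete escaped name needs,
   excluding the NUL, so callers can detect truncation as with snprintf. */
size_t escape_symname(const char *name, char *out, size_t outsz)
{
    size_t need = 0;
    size_t pos = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        unsigned char c = *p;
        char tmp[2];
        size_t n;
        if (c < 0x20 || c == 0x7f) {
            /* 0x1b -> "^[", 0x07 -> "^G", 0x7f -> "^?" */
            tmp[0] = '^';
            tmp[1] = (char)(c == 0x7f ? '?' : c + 0x40);
            n = 2;
        } else {
            tmp[0] = (char)c;   /* printable ASCII and UTF-8 pass through */
            n = 1;
        }
        need += n;
        for (size_t i = 0; i < n; i++) {
            if (pos + 1 < outsz)    /* always leave room for the NUL */
                out[pos++] = tmp[i];
        }
    }
    if (outsz > 0)
        out[pos] = '\0';
    return need;
}

/* Returns 1 if the name contains any byte a terminal may interpret as the
   start of a control sequence.  Useful as a check over a disassembly, or
   over the raw string table, before trusting what the terminal shows. */
int symname_has_control(const char *name)
{
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: the name produced by the report's
       objcopy --redefine-sym "main=^[[31m" step, with a real ESC byte. */
    const char *hostile = "\x1b[31m";
    char safe[64];
    size_t need = escape_symname(hostile, safe, sizeof safe);

    printf("raw name has control bytes: %d\n", symname_has_control(hostile));
    printf("<%s>: %zu bytes needed\n", safe, need);   /* <^[[31m>: 6 bytes needed */
    return 0;
}
```

A drop-in of this shape covers both places the report names: objdump_print_symname() would pass the symbol name through escape_symname() before printf, and the section-name construction printf("<%s", ...) would do the same, so the fix does not depend on which code path happens to print the name. Until such a fix lands, piping objdump output through cat -v gives the same visibility on a stock system.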