https://sourceware.org/bugzilla/show_bug.cgi?id=22863

Bug ID: 22863
Summary: [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: tools
Assignee: unassigned at sourceware dot org
Reporter: ks8171235 at naver dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 10838
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10838&action=edit
poc binary file.

We can trigger an arbitrary write in the default_syscall_abi function.
This is reproducible in elfutils 0.170.
I attached a PoC binary, so you can reproduce it with the following command:

$ ./objdump -d [poc_binary]

gdb stack trace:
===========================================================================
RAX: 0x7ffff7bd7780 (<default_elf_getsym>: mov rax,QWORD PTR [r9])
RBX: 0x7fffffffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RCX: 0xaaaaaaaa
RDX: 0x7ffff7ff657d --> 0x20001000000
RSI: 0x7fffffffe248 --> 0x7ffff7ff6574 --> 0x8c4834808ec8348
RDI: 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RBP: 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RSP: 0x7fffffffe048 --> 0x7ffff7bd79d4 (<disasm_cb+516>: mov rcx,QWORD PTR [rsp+0x138])
RIP: 0x403820 (<default_syscall_abi>: mov DWORD PTR [rcx],0xffffffff)
R8 : 0x4042f8 ("%7m %.1o,%.2o,%.3o%34a %l")
R9 : 0x401e80 (<disasm_output>: push r14)
R10: 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R11: 0x7ffff79cb080 (<gelf_getsymshndx>: sub rsp,0x8)
R12: 0x7fffffffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R13: 0x60a7e8 --> 0x7ffff7ff7168 --> 0x0
R14: 0x7fffffffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x403810 <default_return_value_location>:    mov    eax,0xfffffffe
   0x403815 <default_return_value_location+5>:  ret
   0x403816:                                    nop    WORD PTR cs:[rax+rax*1+0x0]
=> 0x403820 <default_syscall_abi>:              mov    DWORD PTR [rcx],0xffffffff
   0x403826 <default_syscall_abi+6>:            mov    eax,0xffffffff
   0x40382b <default_syscall_abi+11>:           mov    DWORD PTR [rdx],0xffffffff
   0x403831 <default_syscall_abi+17>:           mov    DWORD PTR [rsi],0xffffffff
   0x403837 <default_syscall_abi+23>:           mov    DWORD PTR [r8],0xffffffff
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe048 --> 0x7ffff7bd79d4 (<disasm_cb+516>: mov rcx,QWORD PTR [rsp+0x138])
0008| 0x7fffffffe050 --> 0x7ffff7bd7780 (<default_elf_getsym>: mov rax,QWORD PTR [r9])
0016| 0x7fffffffe058 --> 0x7fffffffe240 --> 0xaaaaaaaa
0024| 0x7fffffffe060 --> 0x7fffffffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
0032| 0x7fffffffe068 ("%%%%%%%%H\342\377\377\377\177")
0040| 0x7fffffffe070 --> 0x7fffffffe248 --> 0x7ffff7ff6574 --> 0x8c4834808ec8348
0048| 0x7fffffffe078 --> 0x7ffff7ff657d --> 0x20001000000
0056| 0x7fffffffe080 --> 0xaaaaaaaa
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
default_syscall_abi (ebl=0x60a9c0, sp=0x7fffffffe248, pc=0x7ffff7ff657d, callno=0xaaaaaaaa, args=0x4042f8) at eblopenbackend.c:724
724       *sp = *pc = *callno = -1;
gdb-peda$ bt
#0  default_syscall_abi (ebl=0x60a9c0, sp=0x7fffffffe248, pc=0x7ffff7ff657d, callno=0xaaaaaaaa, args=0x4042f8) at eblopenbackend.c:724
#1  0x00007ffff7bd79d4 in disasm_cb () from /lib64/libasm.so.1
#2  0x0000000000402bc0 in show_disasm (shstrndx=<optimized out>, fname=<optimized out>, ebl=0x60a9c0) at objdump.c:736
#3  handle_elf (elf=elf@entry=0x609050, prefix=prefix@entry=0x0, fname=fname@entry=0x7fffffffe70d "test/b", suffix=suffix@entry=0x0) at objdump.c:782
#4  0x00000000004032e3 in process_file (fname=0x7fffffffe70d "test/b", more_than_one=more_than_one@entry=0x0) at objdump.c:252
#5  0x0000000000401c07 in main (argc=0x3, argv=0x7fffffffe448) at objdump.c:165
#6  0x00007ffff7415c05 in __libc_start_main () from /lib64/libc.so.6
#7  0x0000000000401c5e in _start ()
===========================================================================

Found by Choongwoo Han and Kyeongseok Yang, Naver Security Team