[Bug tools/22863] New: [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
https://sourceware.org/bugzilla/show_bug.cgi?id=22863

Bug ID: 22863
Summary: [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: tools
Assignee: unassigned at sourceware dot org
Reporter: ks8171235 at naver dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 10838
--> https://sourceware.org/bugzilla/attachment.cgi?id=10838&action=edit
poc binary file.

We can trigger an arbitrary write in the default_syscall_abi function.
This is reproducible in elfutils 0.170.

I attached a PoC binary, so you can reproduce it with the following command:

$ ./objdump -d [poc_binary]

gdb stack trace:
===
RAX: 0x77bd7780 (: mov rax,QWORD PTR [r9])
RBX: 0x7fffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RCX: 0x
RDX: 0x77ff657d --> 0x2000100
RSI: 0x7fffe248 --> 0x77ff6574 --> 0x8c4834808ec8348
RDI: 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RBP: 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RSP: 0x7fffe048 --> 0x77bd79d4 (: mov rcx,QWORD PTR [rsp+0x138])
RIP: 0x403820 (: mov DWORD PTR [rcx],0x)
R8 : 0x4042f8 ("%7m %.1o,%.2o,%.3o%34a %l")
R9 : 0x401e80 (: push r14)
R10: 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R11: 0x779cb080 (: sub rsp,0x8)
R12: 0x7fffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R13: 0x60a7e8 --> 0x77ff7168 --> 0x0
R14: 0x7fffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-code-]
   0x403810 : mov eax,0xfffe
   0x403815 : ret
   0x403816 : nop WORD PTR cs:[rax+rax*1+0x0]
=> 0x403820 : mov DWORD PTR [rcx],0x
   0x403826 : mov eax,0x
   0x40382b : mov DWORD PTR [rdx],0x
   0x403831 : mov DWORD PTR [rsi],0x
   0x403837 : mov DWORD PTR [r8],0x
[-stack-]
0000| 0x7fffe048 --> 0x77bd79d4 (: mov rcx,QWORD PTR [rsp+0x138])
0008| 0x7fffe050 --> 0x77bd7780 (: mov rax,QWORD PTR [r9])
0016| 0x7fffe058 --> 0x7fffe240 --> 0x
0024| 0x7fffe060 --> 0x7fffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
0032| 0x7fffe068 ("H\342\377\377\377\177")
0040| 0x7fffe070 --> 0x7fffe248 --> 0x77ff6574 --> 0x8c4834808ec8348
0048| 0x7fffe078 --> 0x77ff657d --> 0x2000100
0056| 0x7fffe080 --> 0x
[--]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
default_syscall_abi (ebl=0x60a9c0, sp=0x7fffe248, pc=0x77ff657d, callno=0x, args=0x4042f8) at eblopenbackend.c:724
724       *sp = *pc = *callno = -1;
gdb-peda$ bt
#0  default_syscall_abi (ebl=0x60a9c0, sp=0x7fffe248, pc=0x77ff657d, callno=0x, args=0x4042f8) at eblopenbackend.c:724
#1  0x77bd79d4 in disasm_cb () from /lib64/libasm.so.1
#2  0x00402bc0 in show_disasm (shstrndx=, fname=, ebl=0x60a9c0) at objdump.c:736
#3  handle_elf (elf=elf@entry=0x609050, prefix=prefix@entry=0x0, fname=fname@entry=0x7fffe70d "test/b", suffix=suffix@entry=0x0) at objdump.c:782
#4  0x004032e3 in process_file (fname=0x7fffe70d "test/b", more_than_one=more_than_one@entry=0x0) at objdump.c:252
#5  0x00401c07 in main (argc=0x3, argv=0x7fffe448) at objdump.c:165
#6  0x77415c05 in __libc_start_main () from /lib64/libc.so.6
#7  0x00401c5e in _start ()
===

Found by Choongwoo Han and Kyeongseok Yang, Naver Security Team

--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug tools/22864] New: [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
https://sourceware.org/bugzilla/show_bug.cgi?id=22864

Bug ID: 22864
Summary: [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: tools
Assignee: unassigned at sourceware dot org
Reporter: ks8171235 at naver dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

We can trigger an arbitrary write in the default_syscall_abi function.
This is reproducible in elfutils 0.170.

I attached a PoC binary, so you can reproduce it with the following command:

$ ./objdump -d [poc_binary]

gdb stack trace:
===
RAX: 0x77bd7780 (: mov rax,QWORD PTR [r9])
RBX: 0x7fffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RCX: 0x
RDX: 0x77ff657d --> 0x2000100
RSI: 0x7fffe248 --> 0x77ff6574 --> 0x8c4834808ec8348
RDI: 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RBP: 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RSP: 0x7fffe048 --> 0x77bd79d4 (: mov rcx,QWORD PTR [rsp+0x138])
RIP: 0x403820 (: mov DWORD PTR [rcx],0x)
R8 : 0x4042f8 ("%7m %.1o,%.2o,%.3o%34a %l")
R9 : 0x401e80 (: push r14)
R10: 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R11: 0x779cb080 (: sub rsp,0x8)
R12: 0x7fffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R13: 0x60a7e8 --> 0x77ff7168 --> 0x0
R14: 0x7fffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-code-]
   0x403810 : mov eax,0xfffe
   0x403815 : ret
   0x403816 : nop WORD PTR cs:[rax+rax*1+0x0]
=> 0x403820 : mov DWORD PTR [rcx],0x
   0x403826 : mov eax,0x
   0x40382b : mov DWORD PTR [rdx],0x
   0x403831 : mov DWORD PTR [rsi],0x
   0x403837 : mov DWORD PTR [r8],0x
[-stack-]
0000| 0x7fffe048 --> 0x77bd79d4 (: mov rcx,QWORD PTR [rsp+0x138])
0008| 0x7fffe050 --> 0x77bd7780 (: mov rax,QWORD PTR [r9])
0016| 0x7fffe058 --> 0x7fffe240 --> 0x
0024| 0x7fffe060 --> 0x7fffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
0032| 0x7fffe068 ("H\342\377\377\377\177")
0040| 0x7fffe070 --> 0x7fffe248 --> 0x77ff6574 --> 0x8c4834808ec8348
0048| 0x7fffe078 --> 0x77ff657d --> 0x2000100
0056| 0x7fffe080 --> 0x
[--]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
default_syscall_abi (ebl=0x60a9c0, sp=0x7fffe248, pc=0x77ff657d, callno=0x, args=0x4042f8) at eblopenbackend.c:724
724       *sp = *pc = *callno = -1;
gdb-peda$ bt
#0  default_syscall_abi (ebl=0x60a9c0, sp=0x7fffe248, pc=0x77ff657d, callno=0x, args=0x4042f8) at eblopenbackend.c:724
#1  0x77bd79d4 in disasm_cb () from /lib64/libasm.so.1
#2  0x00402bc0 in show_disasm (shstrndx=, fname=, ebl=0x60a9c0) at objdump.c:736
#3  handle_elf (elf=elf@entry=0x609050, prefix=prefix@entry=0x0, fname=fname@entry=0x7fffe70d "test/b", suffix=suffix@entry=0x0) at objdump.c:782
#4  0x004032e3 in process_file (fname=0x7fffe70d "test/b", more_than_one=more_than_one@entry=0x0) at objdump.c:252
#5  0x00401c07 in main (argc=0x3, argv=0x7fffe448) at objdump.c:165
#6  0x77415c05 in __libc_start_main () from /lib64/libc.so.6
#7  0x00401c5e in _start ()
===

Found by Choongwoo Han and Kyeongseok Yang, Naver Security Team
[Bug tools/22865] New: [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
https://sourceware.org/bugzilla/show_bug.cgi?id=22865

Bug ID: 22865
Summary: [objdump] Arbitrary memory write in default_syscall_abi of eblopenbackend.c.
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: tools
Assignee: unassigned at sourceware dot org
Reporter: ks8171235 at naver dot com
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 10839
--> https://sourceware.org/bugzilla/attachment.cgi?id=10839&action=edit
poc binary file

We can trigger an arbitrary write in the default_syscall_abi function.
This is reproducible in elfutils 0.170.

I attached a PoC binary, so you can reproduce it with the following command:

$ ./objdump -d [poc_binary]

gdb stack trace:
===
RAX: 0x77bd7780 (: mov rax,QWORD PTR [r9])
RBX: 0x7fffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RCX: 0x
RDX: 0x77ff657d --> 0x2000100
RSI: 0x7fffe248 --> 0x77ff6574 --> 0x8c4834808ec8348
RDI: 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RBP: 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
RSP: 0x7fffe048 --> 0x77bd79d4 (: mov rcx,QWORD PTR [rsp+0x138])
RIP: 0x403820 (: mov DWORD PTR [rcx],0x)
R8 : 0x4042f8 ("%7m %.1o,%.2o,%.3o%34a %l")
R9 : 0x401e80 (: push r14)
R10: 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R11: 0x779cb080 (: sub rsp,0x8)
R12: 0x7fffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R13: 0x60a7e8 --> 0x77ff7168 --> 0x0
R14: 0x7fffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-code-]
   0x403810 : mov eax,0xfffe
   0x403815 : ret
   0x403816 : nop WORD PTR cs:[rax+rax*1+0x0]
=> 0x403820 : mov DWORD PTR [rcx],0x
   0x403826 : mov eax,0x
   0x40382b : mov DWORD PTR [rdx],0x
   0x403831 : mov DWORD PTR [rsi],0x
   0x403837 : mov DWORD PTR [r8],0x
[-stack-]
0000| 0x7fffe048 --> 0x77bd79d4 (: mov rcx,QWORD PTR [rsp+0x138])
0008| 0x7fffe050 --> 0x77bd7780 (: mov rax,QWORD PTR [r9])
0016| 0x7fffe058 --> 0x7fffe240 --> 0x
0024| 0x7fffe060 --> 0x7fffe140 --> 0x60acf0 --> 0x60a9c0 --> 0x4049ee --> 0x650034365f363878 ('x86_64')
0032| 0x7fffe068 ("H\342\377\377\377\177")
0040| 0x7fffe070 --> 0x7fffe248 --> 0x77ff6574 --> 0x8c4834808ec8348
0048| 0x7fffe078 --> 0x77ff657d --> 0x2000100
0056| 0x7fffe080 --> 0x
[--]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
default_syscall_abi (ebl=0x60a9c0, sp=0x7fffe248, pc=0x77ff657d, callno=0x, args=0x4042f8) at eblopenbackend.c:724
724       *sp = *pc = *callno = -1;
gdb-peda$ bt
#0  default_syscall_abi (ebl=0x60a9c0, sp=0x7fffe248, pc=0x77ff657d, callno=0x, args=0x4042f8) at eblopenbackend.c:724
#1  0x77bd79d4 in disasm_cb () from /lib64/libasm.so.1
#2  0x00402bc0 in show_disasm (shstrndx=, fname=, ebl=0x60a9c0) at objdump.c:736
#3  handle_elf (elf=elf@entry=0x609050, prefix=prefix@entry=0x0, fname=fname@entry=0x7fffe70d "test/b", suffix=suffix@entry=0x0) at objdump.c:782
#4  0x004032e3 in process_file (fname=0x7fffe70d "test/b", more_than_one=more_than_one@entry=0x0) at objdump.c:252
#5  0x00401c07 in main (argc=0x3, argv=0x7fffe448) at objdump.c:165
#6  0x77415c05 in __libc_start_main () from /lib64/libc.so.6
#7  0x00401c5e in _start ()
===

Found by Choongwoo Han and Kyeongseok Yang, Naver Security Team