Bug 1157276 (CVE-2014-8485) - CVE-2014-8485 binutils: lack of range checking leading to controlled write in _bfd_elf_setup_sections()
Summary: CVE-2014-8485 binutils: lack of range checking leading to controlled write in...
Status: NEW
Alias: CVE-2014-8485
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20141024,repor...
Keywords: Security
Depends On: 1157277 1168281 1168302 1172710
Blocks: 1156276 1210268
TreeView+ depends on / blocked
 
Reported: 2014-10-26 22:19 UTC by Murray McAllister
Modified: 2019-01-01 03:30 UTC (History)
16 users (show)

(edit)
A buffer overflow flaw was found in the way various binutils utilities processed certain files. If a user were tricked into processing a specially crafted file, it could cause the utility used to process that file to crash or, potentially, execute arbitrary code with the privileges of the user running that utility.
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)
Fixes for buffer overruns etc in BFD library (32.17 KB, patch)
2014-10-31 12:39 UTC, Nick Clifton
no flags Details | Diff
Default strings to -a (10.81 KB, patch)
2014-10-31 12:40 UTC, Nick Clifton
no flags Details | Diff
Corrupt file that used to trigger a bug in the BFD library (324 bytes, application/octet-stream)
2015-06-29 12:06 UTC, Nick Clifton
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2079 normal SHIPPED_LIVE Moderate: binutils security, bug fix, and enhancement update 2015-11-19 07:41:11 UTC

Description Murray McAllister 2014-10-26 22:19:52 UTC
Michal Zalewski reported a lack of range checking in libbfd could be used to write to an arbitrary location in memory:

http://lcamtuf.blogspot.co.uk/2014/10/psa-dont-run-strings-on-untrusted-files.html

Running "strings" on a malicious file could cause "strings" to crash or, potentially, execute arbitrary code.

Upstream bug (no patch attached yet):

https://sourceware.org/bugzilla/show_bug.cgi?id=17510

References:

http://www.openwall.com/lists/oss-security/2014/10/24/10

Comment 1 Murray McAllister 2014-10-26 22:20:26 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1157277]

Comment 2 Murray McAllister 2014-10-27 00:26:01 UTC
As noted in <http://seclists.org/oss-sec/2014/q4/444>, other utilities which are commonly run on untrusted binaries are also affected, such as objdump and nm

Comment 3 Murray McAllister 2014-10-27 02:59:24 UTC
MITRE assigned CVE-2014-8485 to this issue:

http://www.openwall.com/lists/oss-security/2014/10/26/2

Comment 4 Nick Clifton 2014-10-27 14:00:10 UTC
Fixed in:

 binutils-2.24-25.fc22
 binutils-2.24-24.fc21
 binutils-2.23.88.0.1-20.fc20

Cheers
  Nick

Comment 5 masanari iida 2014-10-31 02:25:10 UTC
On RHEL6 (binutils-2.20.51.0.2-5.42.el6) with sample file from upstream,
the strings generate core file.

# strings ./strings-bfd-badptr
Segmentation fault (core dumped)
#

Core was generated by `strings ./strings-bfd-badptr'.
Program terminated with signal 11, Segmentation fault.
#0  0x0098d882 in bfd_section_from_shdr (abfd=0x9da7038, shindex=2)
    at elf.c:1868
1868                  if (idx->shdr != NULL
(gdb) bt
#0  0x0098d882 in bfd_section_from_shdr (abfd=0x9da7038, shindex=2)
    at elf.c:1868
#1  0x0097b75c in bfd_elf32_object_p (abfd=0x9da7038) at elfcode.h:898
#2  0x00957a2a in bfd_check_format_matches (abfd=0x9da7038, format=bfd_object,
    matching=0x0) at format.c:211
#3  0x00957d0d in bfd_check_format (abfd=0x9da7038, format=bfd_object)
    at format.c:95
#4  0x08049bae in strings_object_file (argc=2, argv=0xbfecace4)
    at strings.c:392
#5  strings_file (argc=2, argv=0xbfecace4) at strings.c:433
#6  main (argc=2, argv=0xbfecace4) at strings.c:302


Test on RHEL5 (binutils-2.17.50.0.6-5.el5), it did not generate core.

[root@burton05 tmp]# strings ./strings-bfd-badptr
hello world
.shstrtab
.text
.data
AAAA
[root@burton05 tmp]# strings ./strings-bfd-badptr2
hellAAAArld
.shstrtab
.text
.data

Test on RHEL7 (binutils-2.23.52.0.1-16.el7.x86_64),
it generated core dump.

So I guess both RHEL6 and RHEL7 seemed to be affected this issue.

Comment 6 Nick Clifton 2014-10-31 12:39:06 UTC
Created attachment 952477 [details]
Fixes for buffer overruns etc in BFD library

Comment 7 Nick Clifton 2014-10-31 12:40:20 UTC
Created attachment 952478 [details]
Default strings to -a

Comment 8 Nick Clifton 2014-10-31 12:48:43 UTC
The strings-bfd-badptr and other malformed binaries that cause crashes in the BFD library can be found in this upstream PR:

  https://sourceware.org/bugzilla/show_bug.cgi?id=17512

I have uploaded two patches to this BZ.  The first - binutils-2.24-corrupt-binaries.patch - fixes all of the bugs exposed by the test cases in that PR.  This patch has been applied to the Fedora binutils, and I would recommend that it be applied to the RHEL binutils.

The second patch - binutils-2.24-strings-default-all.patch - is a result of discussions on the binutils mailing list.  It changes the default behaviour of the strings program to be the "-a" command line option.  This makes strings scan the entire binary for text, not just loadable data sections.  This means that the BFD library is not used (to find those data sections) and so strings is less likely to trigger a memory fault.  On the other hand it also makes the output from strings more likely to contain garbage, from all of the code sections and headers.

I am not sure whether this second patch should be applied to RHEL.  It does change the default behaviour of a program and this might not be acceptable.  The second patch has been applied to Fedora rawhide and F21, although not F20.

Comment 9 Vasyl Kaigorodov 2014-11-26 14:32:02 UTC
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 14 Nick Clifton 2015-06-29 11:59:27 UTC
Suggested entry in the release notes:

  The default behaviour of the strings program has changed.  
  Previously it would only display text found in loadable data 
  sections unless a command line option was used to specify 
  otherwise.  Now it will default to displaying text found 
  anywhere in the input file, unless a command line option is 
  used to restrict to data sections.

  The change has been made because of security concerns.  
  In order to determine where the data sections are in a file,
  it first has to be analysed.  If there are bugs in this 
  analysis code then they could be exploited by a specially 
  crafted input file and potentially used to gain access to 
  the system.  Scanning for strings anywhere in the input
  file does not need any analysis, so it is the safer 
  default option.

Comment 15 Nick Clifton 2015-06-29 12:06:36 UTC
Created attachment 1044338 [details]
Corrupt file that used to trigger a bug in the BFD library

Note for QA:

  This is the testcase for this BZ.

  Running "strings string-bfd-badfree" used to crash the strings program, but this should no longer happen.  This includes running strings with the "-d" command line option as well.

Comment 17 errata-xmlrpc 2015-11-19 03:32:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2079 https://rhn.redhat.com/errata/RHSA-2015-2079.html


Note You need to log in before you can comment on or make changes to this bug.