Michal Zalewski reported that a lack of range checking in libbfd could be used to write to an arbitrary location in memory:
http://lcamtuf.blogspot.co.uk/2014/10/psa-dont-run-strings-on-untrusted-files.html

Running "strings" on a malicious file could cause "strings" to crash or, potentially, execute arbitrary code.

Upstream bug (no patch attached yet):
https://sourceware.org/bugzilla/show_bug.cgi?id=17510

References:
http://www.openwall.com/lists/oss-security/2014/10/24/10
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1157277]
As noted in <http://seclists.org/oss-sec/2014/q4/444>, other utilities which are commonly run on untrusted binaries are also affected, such as objdump and nm.
MITRE assigned CVE-2014-8485 to this issue:
http://www.openwall.com/lists/oss-security/2014/10/26/2
Fixed in:

binutils-2.24-25.fc22
binutils-2.24-24.fc21
binutils-2.23.88.0.1-20.fc20

Cheers
  Nick
On RHEL6 (binutils-2.20.51.0.2-5.42.el6) with the sample file from upstream, strings generates a core file.

# strings ./strings-bfd-badptr
Segmentation fault (core dumped)
#

Core was generated by `strings ./strings-bfd-badptr'.
Program terminated with signal 11, Segmentation fault.
#0  0x0098d882 in bfd_section_from_shdr (abfd=0x9da7038, shindex=2) at elf.c:1868
1868          if (idx->shdr != NULL
(gdb) bt
#0  0x0098d882 in bfd_section_from_shdr (abfd=0x9da7038, shindex=2) at elf.c:1868
#1  0x0097b75c in bfd_elf32_object_p (abfd=0x9da7038) at elfcode.h:898
#2  0x00957a2a in bfd_check_format_matches (abfd=0x9da7038, format=bfd_object, matching=0x0) at format.c:211
#3  0x00957d0d in bfd_check_format (abfd=0x9da7038, format=bfd_object) at format.c:95
#4  0x08049bae in strings_object_file (argc=2, argv=0xbfecace4) at strings.c:392
#5  strings_file (argc=2, argv=0xbfecace4) at strings.c:433
#6  main (argc=2, argv=0xbfecace4) at strings.c:302

Tested on RHEL5 (binutils-2.17.50.0.6-5.el5); it did not generate a core.

[root@burton05 tmp]# strings ./strings-bfd-badptr
hello world
.shstrtab
.text
.data
AAAA
[root@burton05 tmp]# strings ./strings-bfd-badptr2
hellAAAArld
.shstrtab
.text
.data

Tested on RHEL7 (binutils-2.23.52.0.1-16.el7.x86_64); it generated a core dump.

So I guess both RHEL6 and RHEL7 are affected by this issue.
Created attachment 952477 [details]
Fixes for buffer overruns etc in BFD library
Created attachment 952478 [details]
Default strings to -a
The strings-bfd-badptr and other malformed binaries that cause crashes in the BFD library can be found in this upstream PR:
https://sourceware.org/bugzilla/show_bug.cgi?id=17512

I have uploaded two patches to this BZ.

The first - binutils-2.24-corrupt-binaries.patch - fixes all of the bugs exposed by the test cases in that PR. This patch has been applied to the Fedora binutils, and I would recommend that it be applied to the RHEL binutils.

The second patch - binutils-2.24-strings-default-all.patch - is a result of discussions on the binutils mailing list. It changes the default behaviour of the strings program to be the "-a" command line option. This makes strings scan the entire binary for text, not just loadable data sections. This means that the BFD library is not used (to find those data sections) and so strings is less likely to trigger a memory fault. On the other hand it also makes the output from strings more likely to contain garbage, from all of the code sections and headers.

I am not sure whether this second patch should be applied to RHEL. It does change the default behaviour of a program and this might not be acceptable. The second patch has been applied to Fedora rawhide and F21, although not F20.
Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Suggested entry in the release notes:

The default behaviour of the strings program has changed. Previously it would only display text found in loadable data sections unless a command line option was used to specify otherwise. Now it will default to displaying text found anywhere in the input file, unless a command line option is used to restrict to data sections.

The change has been made because of security concerns. In order to determine where the data sections are in a file, it first has to be analysed. If there are bugs in this analysis code then they could be exploited by a specially crafted input file and potentially used to gain access to the system. Scanning for strings anywhere in the input file does not need any analysis, so it is the safer default option.
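The two comments above (the patch description and the release-note text) both turn on the same distinction: the old strings default has to parse the input file to locate loadable data sections, and that parse is where a malformed file reaches the BFD code, whereas the "-a" scan needs no parsing at all. The following is an added illustration written for this page; it is not binutils or BFD code and does not reproduce the actual libbfd bug. It models both behaviours in Python on a constructed, self-contained ELF64 file: `elf_section_headers` is a section-header reader that checks every offset and index it takes from the file against the file size and the table length before using it, `strings_loaded_sections` is a simplified stand-in for the old default (scan only SHF_ALLOC sections), and `printable_runs` is the "-a" style whole-file scan. The function names, the constructed sample file, and the "reject the file on any out-of-range field" policy are this example's own choices.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 1, 3, 8
SHF_ALLOC = 0x2


def elf_section_headers(data: bytes) -> list:
    """Read the section header table of a little-endian ELF64 file, checking
    every offset and index against the file before trusting it. Any field
    that points outside the file or the table rejects the whole file."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled in this example")
    (e_shoff,) = struct.unpack_from("<Q", data, 40)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 58)
    if e_shentsize != 64:
        raise ValueError("unexpected e_shentsize")
    if e_shoff == 0 or e_shoff + e_shentsize * e_shnum > len(data):
        raise ValueError("section header table lies outside the file")
    if e_shnum and e_shstrndx >= e_shnum:
        raise ValueError("e_shstrndx out of range")
    sections = []
    for i in range(e_shnum):
        (sh_name, sh_type, sh_flags, _addr, sh_offset, sh_size,
         sh_link, _info, _align, _entsize) = struct.unpack_from(
            "<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
        if sh_type != SHT_NOBITS and sh_offset + sh_size > len(data):
            raise ValueError(f"section {i} contents lie outside the file")
        # An index read from the file must be range-checked before it is used
        # to index the table; this is the class of check the report is about.
        if sh_link >= e_shnum:
            raise ValueError(f"section {i} sh_link {sh_link} out of range")
        sections.append({"index": i, "type": sh_type, "flags": sh_flags,
                         "offset": sh_offset, "size": sh_size, "link": sh_link})
    return sections


def printable_runs(data: bytes, min_len: int = 4) -> list:
    """'strings -a' behaviour: scan every byte of the file; no parsing needed."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F or b == 0x09:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def strings_loaded_sections(data: bytes, min_len: int = 4) -> list:
    """Simplified model of the old default: parse the file to find the loaded
    (SHF_ALLOC) data sections and scan only those. The parse is the exposure."""
    found = []
    for s in elf_section_headers(data):
        if s["flags"] & SHF_ALLOC and s["type"] != SHT_NOBITS and s["size"]:
            found.extend(printable_runs(data[s["offset"]:s["offset"] + s["size"]], min_len))
    return found


def scan_outcome(data: bytes) -> str:
    """Report whether the section-based scan accepts or rejects a file."""
    try:
        strings_loaded_sections(data)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def build_elf(shstrndx: int, junk_link: int) -> bytes:
    """Constructed minimal ELF64 (no program headers, not executable): header,
    a .rodata payload, a section-name table, a non-loaded section of junk,
    then a four-entry section header table. Out-of-range values passed in
    here stand in for a malformed input file."""
    rodata = b"hello world\0"
    shstrtab = b"\0.rodata\0.shstrtab\0"
    junk = b"AAAA\0junk in a non-alloc section\0"
    off_rodata = 64
    off_shstr = off_rodata + len(rodata)
    off_junk = off_shstr + len(shstrtab)
    off_shdr = off_junk + len(junk)
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, off_shdr, 0,
                        64, 0, 0, 64, 4, shstrndx)

    def shdr(name, typ, flags, off, size, link):
        return struct.pack("<IIQQQQIIQQ", name, typ, flags, 0, off, size, link, 0, 1, 0)

    shdrs = (shdr(0, 0, 0, 0, 0, 0)
             + shdr(1, SHT_PROGBITS, SHF_ALLOC, off_rodata, len(rodata), 0)
             + shdr(9, SHT_STRTAB, 0, off_shstr, len(shstrtab), 0)
             + shdr(0, SHT_PROGBITS, 0, off_junk, len(junk), junk_link))
    return ehdr + rodata + shstrtab + junk + shdrs


if __name__ == "__main__":
    good, bad = build_elf(2, 0), build_elf(2, 7)  # 7 is past the 4-entry table
    print("loaded sections only:", strings_loaded_sections(good))
    print("whole file (-a style):", printable_runs(good))
    print("malformed file:", scan_outcome(bad), "| -a style:", printable_runs(bad))
```

Running it shows the trade-off the comments describe: the section-based scan returns only the text in .rodata, the whole-file scan also returns section names and the "junk" from the non-loaded section, and on the malformed file the section-based path has to make a decision about a bad index (here it refuses the file) while the whole-file path produces the same output as before because it never looked at the header.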
Created attachment 1044338 [details]
Corrupt file that used to trigger a bug in the BFD library

Note for QA: This is the testcase for this BZ. Running "strings string-bfd-badfree" used to crash the strings program, but this should no longer happen. This includes running strings with the "-d" command line option as well.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2079 https://rhn.redhat.com/errata/RHSA-2015-2079.html