Date: Fri, 24 Oct 2014 22:18:50 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: strings / libbfd crasher

I've checked the upstream patch they pointed me to:
https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bd25671c6f202c4a5108883caa2adb24ff6f361f

Unfortunately this mixes in another change that is a revert, so it
doesn't apply cleanly to the current release (2.24). If anyone needs it,
I've re-diffed it:
https://files.hboeck.de/binutils-2.24-fix-crash.diff

This fixes the original stringme and strinmetoo from mancha, but not
the latest sample from Michal:

On Fri, 24 Oct 2014 12:10:31 -0700,
Michal Zalewski <lcamtuf@...edump.cx> wrote:

> I do have a bunch more that seem exploitable, though - for example:
> 
> http://lcamtuf.coredump.cx/strings-bfd-badfree - does this repro for
> people (I tried with binutils 2.24)?

I checked with the upstream patch and this seems still vulnerable.

> I don't understand the user benefit of extracting strings only from
> certain sections of executables, and I almost feel like it's a side
> effect of strings being a part of binutils more than anything else.

I fully agree. I wasn't aware strings does any kind of executable
parsing, and I was very surprised that there is any attack vector
against it at all.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

