Sign in or Sign up

binutils 2.29.51.20170921 - 'read_1_byte' Heap-Based Buffer Overflow 10/11/17
Started by D1G174L


Rate this topic
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5


0 posts in this topic
[NS]D1G174L Offline
Pentester
***


NulledSystems
Posts: 95
Threads: 19
Joined: Fri Mar 2017
Reputation: 8

CZPoints: 14 CZP
ContributorDiamondBomb ContentDonator
10-11-2017, 03:40 PM -
#1
EDB-ID: 42970
AuthorAgostino Sarubbo
Published2017-10-10
CVECVE-2017-14939 
TypeDos
PlatformLinux 
Aliases: N/A
Advisory/SourceLink
Tags: N/A
Vulnerable App: N/A 




Description:

binutils is a set of tools necessary to build programs.

 

The complete ASan output of the issue:

 

# nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $FILE

==3235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x613000000512 at pc 0x7f7c93ae3c88 bp 0x7ffe38d7a970 sp 0x7ffe38d7a968

READ of size 1 at 0x613000000512 thread T0

    #0 0x7f7c93ae3c87 in read_1_byte /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:616:10

    #1 0x7f7c93ae3c87 in decode_line_info /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:2311

    #2 0x7f7c93aee92b in comp_unit_maybe_decode_line_info /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:3608:26

    #3 0x7f7c93aee92b in comp_unit_find_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:3643

    #4 0x7f7c93aeb94f in _bfd_dwarf2_find_nearest_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:4755:11

    #5 0x7f7c93a2920b in _bfd_elf_find_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/elf.c:8694:10

    #6 0x517c83 in print_symbol /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1003:9

    #7 0x51542d in print_symbols /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1084:7

    #8 0x51542d in display_rel_file /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1200

    #9 0x510f56 in display_file /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1318:7

    #10 0x50faae in main /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1792:12

    #11 0x7f7c9296e680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289

    #12 0x41ac18 in _init (/usr/x86_64-pc-linux-gnu/binutils-bin/git/nm+0x41ac18)

 

0x613000000512 is located 0 bytes to the right of 338-byte region [0x6130000003c0,0x613000000512)

allocated by thread T0 here:

    #0 0x4d8e08 in malloc /var/tmp/portage/sys-libs/compiler-rt-sanitizers-5.0.0/work/compiler-rt-5.0.0.src/lib/asan/asan_malloc_linux.cc:67

    #1 0x7f7c9393a37c in bfd_malloc /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/libbfd.c:193:9

    #2 0x7f7c9392fb2f in bfd_get_full_section_contents /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/compress.c:248:21

    #3 0x7f7c939696d3 in bfd_simple_get_relocated_section_contents /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/simple.c:193:12

    #4 0x7f7c93ade26e in read_section /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:556:8

    #5 0x7f7c93adef3c in decode_line_info /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:2047:9

    #6 0x7f7c93aee92b in comp_unit_maybe_decode_line_info /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:3608:26

    #7 0x7f7c93aee92b in comp_unit_find_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:3643

    #8 0x7f7c93aeb94f in _bfd_dwarf2_find_nearest_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:4755:11

    #9 0x7f7c93a2920b in _bfd_elf_find_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/elf.c:8694:10

    #10 0x517c83 in print_symbol /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1003:9

    #11 0x51542d in print_symbols /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1084:7

    #12 0x51542d in display_rel_file /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1200

    #13 0x510f56 in display_file /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1318:7

    #14 0x50faae in main /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1792:12

    #15 0x7f7c9296e680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289

 

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:616:10 in read_1_byte

Shadow bytes around the buggy address:

  0x0c267fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c267fff8060: 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa

  0x0c267fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00

  0x0c267fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c267fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

=>0x0c267fff80a0: 00 00[02]fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c267fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c267fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c267fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c267fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c267fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07  

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

==3235==ABORTING

Affected version:

2.29.51.20170921 and maybe past releases

 

Fixed version:

N/A

 

Commit fix:

https://sourceware.org/git/gitweb.cgi?p=...0c6281a724

 

Credit:

This bug was discovered by Agostino Sarubbo of Gentoo.

 

CVE:

CVE-2017-14939

 

Reproducer:

https://github.com/asarubbo/poc/blob/mas...ead_1_byte

https://github.com/offensive-security/ex.../42970.zip

 

Timeline:

2017-09-21: bug discovered and reported to upstream

2017-09-24: upstream released a patch

2017-09-26: blog post about the issue

2017-09-29: CVE assigned

 

Note:

This bug was found with American Fuzzy Lop.

This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.

 

Permalink:

 

https://blogs.gentoo.org/ago/2017/09/26/...-dwarf2-c/

 

 

Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42970.zip






Users browsing this thread: 1 Guest(s)