found vuln in bfd lib Coff code
From: ICBM
Subject: found vuln in bfd lib Coff code
Date: Mon, 15 Aug 2005 17:01:35 +0800
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)
Hi,

Found a new vuln in the bfd lib COFF code, similar to the last one... the details are in the attachment.

Thanks
zhaowei
[AD_LAB-05003] Integer Buffer Overflow in Binary File Descriptor (BFD) library
Venustech AD-Lab
www.venustech.com.cn

[Security Advisory]
Advisory: [AD_LAB-05003] Integer Buffer Overflow in Binary File Descriptor (BFD) library
Class: Boundary Condition Error
Date: 08/11/2005
Remote/Local: Local
Vulnerable: BFD
Vendor: GNU
I. DESCRIPTION:
---------------
There is an integer overflow in the Binary File Descriptor (BFD) library used by gdb, binutils, elfutils, and possibly other packages, in the code that processes archive (library) files. A crafted library file whose first linker member declares a very large number of symbols makes the size computations for the symbol table wrap, so the library allocates an undersized heap buffer and later code that still trusts the declared count writes past it. Any program that opens an attacker-supplied archive with BFD (for example to list or link it) can therefore be made to execute arbitrary code.
II.DETAILS:
----------
1. The structure of a library (archive) file:

    Signature: "!<arch>\n" (8 bytes)
    Header
    1st Linker Member
    Header
    2nd Linker Member
    Header
    Longnames Member
    Header
    Contents of OBJ File 1 (COFF format)
    Header
    Contents of OBJ File 2 (COFF format)
    .
    .
    .
    Header
    Contents of OBJ File N (COFF format)
The structure of the first linker member (all numeric fields are 32-bit big-endian, regardless of host or target):

    typedef struct {
        uint32_t SymbolNum;        /* Number of Symbols (n) */
        uint32_t SymbolOffset[n];  /* Offsets of the members defining each symbol */
        char     StrTable[m];      /* n NUL-terminated symbol names */
    } FirstSec;
2. BFD analysis:

In the do_slurp_coff_armap() function (bfd/archive.c):

    static bfd_boolean
    do_slurp_coff_armap (bfd *abfd)
    {
      ...
      carsym_size = (nsymz * sizeof (carsym));   /* nsymz is taken straight from the file */
      ptrsize = (4 * nsymz);                     /* integer overflow here */
      ...
      /* Allocate and read in the raw offsets.  */
      raw_armap = bfd_alloc (abfd, ptrsize);     /* allocates the wrapped, too-small size */
      if (raw_armap == NULL)
        goto release_symdefs;
      ...
    }

nsymz is the SymbolNum field read from the first linker member and is never checked against the size of the member or against the range of the size type. When it is large enough, the multiplications wrap: with a 32-bit bfd_size_type, any nsymz >= 2^30 makes 4 * nsymz wrap (for example, 4 * 0x40000001 becomes 4), so the allocation is far smaller than the number of entries the rest of the function then walks.
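As an added illustration (this is not code from the advisory or from BFD itself), the following stand-alone C program reproduces the wrapping arithmetic with an explicit 32-bit size type and sets it beside a hardened parser for the same first-linker-member layout described above. The hardened version validates SymbolNum against the member size by division before doing any multiplication, and requires every name to be NUL-terminated inside the string table. The two byte arrays are constructed sample input, not taken from any real archive; the function and type names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The first linker member stores every number as big-endian 32-bit. */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The advisory's arithmetic with a 32-bit size type (bfd_size_type on a
 * 32-bit host): 4 * nsymz silently wraps once nsymz >= 2^30. */
uint32_t unchecked_ptrsize(uint32_t nsymz)
{
    return 4u * nsymz;
}

typedef struct {
    uint32_t    offset;   /* file offset of the member defining the symbol */
    const char *name;     /* points into the member's string table */
} carsym_t;

/* Hardened parse of a first linker member held in memory (example code).
 * Returns the symbol count, or -1 if the member is malformed. nsymz is
 * bounded by the member size before any multiplication, so nothing wraps. */
long parse_first_linker_member(const uint8_t *member, size_t member_size,
                               carsym_t *out, size_t out_cap)
{
    if (member_size < 4)
        return -1;
    uint32_t nsymz = get_be32(member);

    /* Division instead of multiplication: cannot overflow. */
    if (nsymz > (member_size - 4) / 4 || nsymz > out_cap)
        return -1;

    size_t ptrsize    = (size_t)nsymz * 4;
    size_t stringsize = member_size - 4 - ptrsize;
    const uint8_t *offsets = member + 4;
    const char    *strtab  = (const char *)member + 4 + ptrsize;

    size_t pos = 0;
    for (uint32_t i = 0; i < nsymz; i++) {
        if (pos >= stringsize)
            return -1;                        /* more symbols than names */
        const char *name = strtab + pos;
        const void *nul  = memchr(name, 0, stringsize - pos);
        if (nul == NULL)
            return -1;                        /* unterminated name */
        out[i].offset = get_be32(offsets + 4u * i);
        out[i].name   = name;
        pos += (size_t)((const char *)nul - name) + 1;
    }
    return (long)nsymz;
}

/* Constructed sample: "foo" defined at member offset 0x100, "bar" at 0x200. */
static const uint8_t sample_member[] = {
    0x00, 0x00, 0x00, 0x02,             /* SymbolNum = 2 */
    0x00, 0x00, 0x01, 0x00,             /* SymbolOffset[0] = 0x100 */
    0x00, 0x00, 0x02, 0x00,             /* SymbolOffset[1] = 0x200 */
    'f', 'o', 'o', 0, 'b', 'a', 'r', 0  /* StrTable */
};

/* Constructed hostile member: SymbolNum = 0x40000001, so 4 * nsymz is
 * 0x100000004 and truncates to 4 in 32-bit arithmetic, although the
 * whole member is only 9 bytes long. */
static const uint8_t hostile_member[] = {
    0x40, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x00,
    0x00
};

uint32_t hostile_nsymz(void) { return get_be32(hostile_member); }

int sample_parses_correctly(void)
{
    carsym_t syms[4];
    long n = parse_first_linker_member(sample_member, sizeof sample_member, syms, 4);
    return n == 2
        && syms[0].offset == 0x100 && strcmp(syms[0].name, "foo") == 0
        && syms[1].offset == 0x200 && strcmp(syms[1].name, "bar") == 0;
}

long hostile_parse_result(void)
{
    carsym_t syms[4];
    return parse_first_linker_member(hostile_member, sizeof hostile_member, syms, 4);
}

int main(void)
{
    printf("unchecked 4 * 0x%08x = %u bytes allocated\n",
           hostile_nsymz(), unchecked_ptrsize(hostile_nsymz()));
    printf("sample member: %s\n", sample_parses_correctly() ? "ok" : "bad");
    printf("hostile member: %s\n", hostile_parse_result() < 0 ? "rejected" : "accepted");
    return 0;
}
```

The point of the hostile case is that the unchecked computation hands the allocator 4 bytes for a member that claims over a billion symbols; the hardened parser rejects the same header at once because a 9-byte member cannot hold even two offsets. Checking the declared count against the size you actually read, rather than only against the maximum of the size type, also catches counts that would not wrap but would still run past the end of the member.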
III.CREDIT:
----------
Vulnerability discovery, analysis and advisory by icbm.
Thanks to all the Venustech AD-Lab guys :P
IV. DISCLAIMER:
---------------
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages.
Copyright 1996-2004 VENUSTECH. All Rights Reserved. Terms of use.
VENUSTECH Security Lab
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)