GNU Binutils CVE-2018-10372 Remote Buffer Overflow

Authors: Thuan                Risk: High

CVE: CVE-2018-10372          0day: Buffer Overflow

0day-id: 0DAY-176109         Date: 2018-04-27

Summary

GNU Binutils is prone to a buffer-overflow vulnerability in readelf: process_cu_tu_index (binutils/dwarf.c) does not adequately bounds-check the CU/TU index data it reads from a crafted ELF file, so it reads past the end of the heap buffer that holds the section contents. The sanitizer report below shows an 8-byte read that runs past the end of a 79-byte heap allocation obtained by get_data; the defect is an out-of-bounds read of attacker-controlled section data, not an over-long copy into a smaller buffer.

An attacker who can get a victim (or an automated pipeline) to run readelf -w on a crafted file can crash the affected application, resulting in denial-of-service conditions. Because the reported fault is a read rather than a write, the confirmed impact is a crash; arbitrary code execution may be possible but this has not been confirmed.

To reproduce

Compile binutils (from a binutils-gdb checkout) with ASan enabled. The fortify macro is spelled _FORTIFY_SOURCE, with a leading underscore:

CC=gcc-6 CXX=g++-6 CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -g -Wno-error" CXXFLAGS="$CFLAGS" ./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim
make

Download the attached file - bug3, then run the instrumented readelf (built as binutils/readelf in the source tree, which is where the trace below was taken) on it:
readelf -w bug3
ASan reports:
readelf: Warning: Section 0 has an out of range sh_link value of 4160749568
readelf: Warning: Section 1 has an out of range sh_link value of 16769792
readelf: Warning: Section 2 has an out of range sh_link value of 33554432
readelf: Warning: Section 6 has an out of range sh_link value of 247
readelf: Warning: Section 7 has an out of range sh_link value of 2130706432
readelf: Warning: Section 11 has an out of range sh_link value of 774778414
readelf: Warning: Section 12 has an out of range sh_link value of 774778414
readelf: Warning: possibly corrupt ELF header - it has a non-zero program header offset, but no program headers
readelf: Warning: could not find separate debug file ''
readelf: Warning: tried: /lib/debug/
readelf: Warning: tried: /usr/lib/debug/usr/
readelf: Warning: tried: /usr/lib/debug/
readelf: Warning: tried: /home/thuan/experiments/binutils-gdb-asan-newest/binutils/.debug/
readelf: Warning: tried: /home/thuan/experiments/binutils-gdb-asan-newest/binutils/
readelf: Warning: tried: .debug/
readelf: Warning: tried: 
=================================================================
==24671==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000dd58 at pc 0x0000004c0942 bp 0x7ffe992edb10 sp 0x7ffe992edb00
READ of size 8 at 0x60700000dd58 thread T0
    #0 0x4c0941 in process_cu_tu_index /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9290
    #1 0x4c189f in load_cu_tu_indexes /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9411
    #2 0x4c1926 in find_cu_tu_set /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9429
    #3 0x461fe2 in display_debug_section /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13703
    #4 0x4628ab in process_section_contents /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13796
    #5 0x47c7ba in process_object /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:18684
    #6 0x47e9d0 in process_file /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19104
    #7 0x47ed55 in main /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19163
    #8 0x7f863ba9c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x4025d8 in _start (/home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf+0x4025d8)

0x60700000dd5f is located 0 bytes to the right of 79-byte region [0x60700000dd10,0x60700000dd5f)
allocated by thread T0 here:
    #0 0x7f863cc2bf70 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6f70)
    #1 0x40b573 in get_data /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:421
    #2 0x4600d1 in load_specific_debug_section /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13477
    #3 0x461605 in load_debug_section /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13630
    #4 0x48e235 in load_debug_section_with_follow /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:2705
    #5 0x4c188c in load_cu_tu_indexes /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9410
    #6 0x4c1926 in find_cu_tu_set /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9429
    #7 0x461fe2 in display_debug_section /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13703
    #8 0x4628ab in process_section_contents /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:13796
    #9 0x47c7ba in process_object /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:18684
    #10 0x47e9d0 in process_file /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19104
    #11 0x47ed55 in main /home/thuan/experiments/binutils-gdb-asan-newest/binutils/readelf.c:19163
    #12 0x7f863ba9c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/thuan/experiments/binutils-gdb-asan-newest/binutils/dwarf.c:9290 in process_cu_tu_index
Shadow bytes around the buggy address:
  0x0c0e7fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0e7fff9ba0: fa fa 00 00 00 00 00 00 00 00 00[07]fa fa fa fa
  0x0c0e7fff9bb0: 00 00 00 00 00 00 00 00 05 fa fa fa fa fa 00 00
  0x0c0e7fff9bc0: 00 00 00 00 00 00 00 07 fa fa fa fa 00 00 00 00
  0x0c0e7fff9bd0: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff9be0: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fff9bf0: fd fd fa fa fa fa 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb


Thanks,

Thuan
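The check that the over-read above is missing, as an added example that is not binutils code and not the reporter's: a bounds-checked reader for the CU/TU index layout that process_cu_tu_index walks. It assumes the GNU dwp version 2 / DWARF 5 .debug_cu_index layout (16-byte header of version, column count, unit count, slot count; a 64-bit signature hash table; a 32-bit index table; then the section-id, offset and size tables), little-endian encoding, and a 4-byte read of the version field; the struct, function and sample-array names are invented for the example. The two constructed inputs are a well-formed 52-byte index and a 79-byte section (the allocation size in the report) whose header claims a hash table far larger than the section, which the parser rejects before forming any pointer into it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not binutils code. Assumed layout (GNU dwp v2 / DWARF 5
 * .debug_cu_index, little-endian, version read as 4 bytes):
 *   uint32 version, ncols, nused, nslots        16-byte header
 *   uint64 hash[nslots]                         signature hash table
 *   uint32 index[nslots]                        1-based row, 0 = empty slot
 *   uint32 section_ids[ncols]                   column headers
 *   uint32 offsets[nused][ncols], sizes[nused][ncols]
 * Every table length is checked against the bytes actually loaded before a
 * pointer into that table is formed. */

struct cu_index {
    uint32_t version, ncols, nused, nslots;
    const uint8_t *hash, *index, *pool;
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Returns 0 on success, -1 if the header is malformed or any table would run
 * past `len`. Sizes are computed in 64 bits and subtracted from a running
 * remainder, so attacker-chosen nslots/ncols/nused cannot wrap a size_t. */
int parse_cu_index(const uint8_t *sec, size_t len, struct cu_index *ix) {
    if (len < 16) return -1;
    ix->version = rd32(sec);      ix->ncols  = rd32(sec + 4);
    ix->nused   = rd32(sec + 8);  ix->nslots = rd32(sec + 12);
    if (ix->version != 2 && ix->version != 5) return -1;
    if (ix->nslots == 0 || (ix->nslots & (ix->nslots - 1))) return -1; /* must be a power of two */
    if (ix->nused > ix->nslots) return -1;

    uint64_t rem = len - 16;
    uint64_t hash_bytes = (uint64_t)ix->nslots * 8;
    if (hash_bytes > rem) return -1;
    rem -= hash_bytes;
    uint64_t index_bytes = (uint64_t)ix->nslots * 4;
    if (index_bytes > rem) return -1;
    rem -= index_bytes;
    uint64_t cols_bytes = (uint64_t)ix->ncols * 4;
    if (cols_bytes > rem) return -1;
    rem -= cols_bytes;
    uint64_t cells = (uint64_t)ix->nused * ix->ncols;  /* product of two 32-bit values, cannot wrap */
    if (cells > rem / 8) return -1;                    /* 4-byte offset + 4-byte size per cell */

    ix->hash  = sec + 16;
    ix->index = ix->hash + (size_t)hash_bytes;
    ix->pool  = ix->index + (size_t)index_bytes;
    for (uint32_t i = 0; i < ix->nslots; i++)          /* every row number must address a real unit */
        if (rd32(ix->index + (size_t)i * 4) > ix->nused) return -1;
    return 0;
}

/* Open-addressing probe as the index format specifies: start at sig & mask,
 * step by ((sig >> 32) & mask) | 1. Returns the 1-based row, or 0 on a miss. */
uint32_t cu_index_lookup(const struct cu_index *ix, uint64_t sig) {
    uint32_t mask = ix->nslots - 1;
    uint32_t slot = (uint32_t)sig & mask;
    uint32_t step = ((uint32_t)(sig >> 32) & mask) | 1;
    for (uint32_t probes = 0; probes < ix->nslots; probes++) {
        uint32_t row = rd32(ix->index + (size_t)slot * 4);
        if (row == 0) return 0;                        /* empty slot ends the probe chain */
        if (rd64(ix->hash + (size_t)slot * 8) == sig) return row;
        slot = (slot + step) & mask;
    }
    return 0;
}

/* Offset and size of column `col` for a 1-based `row` returned by cu_index_lookup. */
uint32_t cu_index_offset(const struct cu_index *ix, uint32_t row, uint32_t col) {
    const uint8_t *offs = ix->pool + (size_t)ix->ncols * 4;
    return rd32(offs + ((size_t)(row - 1) * ix->ncols + col) * 4);
}
uint32_t cu_index_size(const struct cu_index *ix, uint32_t row, uint32_t col) {
    const uint8_t *sizes = ix->pool + (size_t)ix->ncols * 4 + (size_t)ix->nused * ix->ncols * 4;
    return rd32(sizes + ((size_t)(row - 1) * ix->ncols + col) * 4);
}

/* Constructed sample: version 2, one column (section id 1), one unit with
 * signature 0x0123456789abcdef in slot 1 of a 2-slot table, offset 0x10, size 0x20. */
static const uint8_t SAMPLE_INDEX[52] = {
    2,0,0,0,  1,0,0,0,  1,0,0,0,  2,0,0,0,                       /* header */
    0,0,0,0,0,0,0,0,  0xef,0xcd,0xab,0x89,0x67,0x45,0x23,0x01,   /* hash[2] */
    0,0,0,0,  1,0,0,0,                                           /* index[2] */
    1,0,0,0,                                                     /* section_ids[1] */
    0x10,0,0,0,                                                  /* offsets[1][1] */
    0x20,0,0,0,                                                  /* sizes[1][1] */
};
/* Constructed 79-byte section whose header claims nslots = 0x40000000:
 * the hash table alone would need 8 GiB, so parsing must stop at the header. */
static const uint8_t INFLATED_INDEX[79] = { 2,0,0,0, 1,0,0,0, 1,0,0,0, 0,0,0,0x40 };

int main(void) {
    struct cu_index ix;
    printf("well-formed sample: %d\n", parse_cu_index(SAMPLE_INDEX, sizeof SAMPLE_INDEX, &ix));
    printf("row for signature: %u\n", cu_index_lookup(&ix, 0x0123456789abcdefULL));
    printf("truncated sample: %d\n", parse_cu_index(SAMPLE_INDEX, 40, &ix));
    printf("inflated nslots: %d\n", parse_cu_index(INFLATED_INDEX, sizeof INFLATED_INDEX, &ix));
    return 0;
}
```

The running-remainder pattern is the point: each table size is compared with what is left of the loaded section before the pointer to it is computed, so a header that advertises more slots, columns or units than the section can hold fails closed instead of producing a pointer past the allocation that get_data returned.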

Vulnerable

GNU Binutils 2.30 is vulnerable; other versions may also be affected.
