Links for 2014-10-27

  • PSA: don’t run ‘strings’ on untrusted files (CVE-2014-8485)


    Perhaps simply by the virtue of being a part of that bundle, the strings utility tries to leverage the common libbfd infrastructure to detect supported executable formats and “optimize” the process by extracting text only from specific sections of the file. Unfortunately, the underlying library can be hardly described as safe: a quick pass with afl (and probably with any other competent fuzzer) quickly reveals a range of troubling and likely exploitable out-of-bounds crashes due to very limited range checking

    (tags: strings libbfd gnu security fuzzing buffer-overflows)

This entry was posted in Uncategorized. Bookmark the permalink. Both comments and trackbacks are currently closed.

One Comment

  1. Nix
    Posted October 28, 2014 at 14:13 | Permalink

    Not remotely surprising. bfd was never remotely intended to be run on arbitrary hostile executables: it was designed to be used by the linker, assembler, and debugger, after all. (Also, it was started long ago, in a more peaceful time.)