Hi,
On Tue, Jan 17, 2017 at 08:41:10AM -0500, Marshall Whittaker wrote:
> The /usr/bin/readelf binary on OpenBSD 6.0 does not seem to properly
> validate input.
> You can for example cat a binary and take the first few "lines" of the file
> and throw them at readelf,
> which will cause a sig abort, as shown in the test case. This could
> possibly be exploited,
> but I haven't tried to manipulate memory any more than in the test case so
> far.
>
> [...]
>
> bash-4.3# readelf ./c4 -a
>
> [...]
>
> readelf: Error: Section headers are not available!
> Abort trap (core dumped)
From the error message, you could easily locate the error code path in
readelf.c:
4310   if (section_headers == NULL)
4311     {
4312       error (_("Section headers are not available!\n"));
4313       abort ();
4314     }
The "Abort trap" doesn't mean it could be exploited: it means the
program itself knows it could do nothing more (and it is unexpected),
and it prefers to kill itself.
To do that it calls the abort(3) function: http://man.openbsd.org/3/abort
The abort() function causes abnormal program termination to occur, unless
the signal SIGABRT is being caught and the signal handler does not
return.
So readelf(1) behaves correctly: you provide it a crafted binary, it
tries to do its work, but when it sees the binary is crafted enough it
calls the abort(3) function.
Thanks.
--
Sebastien Marie
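The failure mode discussed above (a file cut off before its section header table, which readelf reports as "Section headers are not available!" and then aborts) can be screened for before a file is ever handed to readelf. The following is an added example, not code from the mail or from binutils: it parses only the ELF file header and checks whether the section header table described by e_shoff/e_shentsize/e_shnum actually lies inside the file. The sample headers are constructed inline.

```python
import struct

def elf_section_table_status(data: bytes) -> str:
    """Classify whether an ELF image carries a usable section header table.

    Returns one of: 'not-elf', 'truncated-header', 'no-sections',
    'sections-out-of-bounds', 'sections-ok'. Only the file header is read,
    so the check is cheap and never dereferences offsets past the buffer.
    """
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return "not-elf"
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"          # ELFDATA2LSB vs ELFDATA2MSB
    if ei_class == 2:                               # ELFCLASS64: 64-byte header
        fmt, hdr_len = endian + "HHIQQQIHHHHHH", 64
    elif ei_class == 1:                             # ELFCLASS32: 52-byte header
        fmt, hdr_len = endian + "HHIIIIIHHHHHH", 52
    else:
        return "not-elf"
    if len(data) < hdr_len:
        return "truncated-header"                   # e.g. only the first few "lines"
    fields = struct.unpack(fmt, data[16:hdr_len])
    # field order after e_ident: e_type, e_machine, e_version, e_entry,
    # e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum,
    # e_shentsize, e_shnum, e_shstrndx
    e_shoff, e_shentsize, e_shnum = fields[5], fields[10], fields[11]
    if e_shoff == 0 or e_shnum == 0:
        return "no-sections"                        # legal, but readelf has nothing to show
    if e_shoff + e_shentsize * e_shnum > len(data):
        return "sections-out-of-bounds"             # the truncated-file case from the report
    return "sections-ok"

def make_elf64_header(e_shoff: int, e_shnum: int, e_shentsize: int = 64) -> bytes:
    """Constructed little-endian x86-64 ELF header (sample data, not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    return ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, 64, e_shoff,
                               0, 64, 56, 0, e_shentsize, e_shnum, 0)

if __name__ == "__main__":
    # A header whose section table is claimed at 0x1000, but the file ends at byte 64.
    print(elf_section_table_status(make_elf64_header(0x1000, 5)))
    # The same header cut off after 40 bytes, as if only a few lines were kept.
    print(elf_section_table_status(make_elf64_header(0x1000, 5)[:40]))
```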