Ticket #53 (assigned enhancement)

Opened 2 years ago

Last modified 20 months ago

ELFsh cannot save binaries with corrupted headers

Reported by: anonymous
Owned by: thorkill
Priority: trivial
Milestone: v1.0
Component: libelfsh
Version:
Severity: Very low
Keywords:
Cc:

Description (last modified by may)

ELFsh will fail to save binaries with incorrect headers. Some fields are especially vulnerable to this because they are used in elfsh_store_obj().

In the ELF header:

e_shstrndx e_ehsize e_phentsize e_phnum e_phoff e_shoff e_shentsize e_shnum

In section header:

sh_size sh_offset

An alternative saving function should be coded for saving intentionally corrupted binaries, for example elfsh_store_corrupted_obj(). It remains quite a challenge to be able to save a binary without relying on those fields. Basically, anyone changing the size field of a section would make the program unstable.

While it seems interesting to fix that bug for generating ELF fuzzers in the future, the cost of fixing it seems pretty expensive, as a new, full-of-checks saving function has to be implemented, and a check needs to be performed each time one of those fields is used.
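The ticket lists the header fields that elfsh_store_obj() trusts blindly and calls for a saving routine "full of checks". The block below is an added example of what those checks look like; it is not code from ERESI or libelfsh, and the type, enum and function names (elf64_ehdr_t, elf64_check_headers, check_corrupted_sample, and so on) are my own. It assumes a little-endian ELF64 image held in memory, validates every field named in the ticket (e_ehsize, e_phentsize/e_phnum/e_phoff, e_shentsize/e_shnum/e_shoff, e_shstrndx, and each section's sh_offset/sh_size) against the real file size with wraparound-safe arithmetic, and then exercises the checker on a constructed minimal ELF before and after the kinds of corruption the ticket describes, including the invalid e_shstrndx from the original report.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Minimal ELF64 header layouts (field order and widths per the ELF spec),
 * declared here so the example builds without <elf.h>. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf64_ehdr_t;

typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} elf64_shdr_t;

enum elf_check { ELF_OK = 0, ELF_ERR_TRUNCATED, ELF_ERR_MAGIC, ELF_ERR_EHSIZE,
                 ELF_ERR_PHDR_RANGE, ELF_ERR_SHDR_RANGE, ELF_ERR_SHSTRNDX,
                 ELF_ERR_SECTION_RANGE };

/* True if [off, off+len) lies inside a file of `size` bytes, without letting
 * off + len wrap around (a corrupted sh_offset near UINT64_MAX must not pass). */
static int in_file(uint64_t off, uint64_t len, uint64_t size)
{
    return off <= size && len <= size - off;
}

/* Validate every header field the ticket names before anything dereferences it.
 * Not handled here: ELF32, big-endian images, and the e_shnum >= SHN_LORESERVE /
 * e_shstrndx == SHN_XINDEX extension that stores the real values in section 0. */
enum elf_check elf64_check_headers(const uint8_t *img, size_t size)
{
    elf64_ehdr_t eh;
    if (size < sizeof eh) return ELF_ERR_TRUNCATED;
    memcpy(&eh, img, sizeof eh);                       /* img may be unaligned */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2 /* ELFCLASS64 */)
        return ELF_ERR_MAGIC;
    if (eh.e_ehsize != sizeof eh) return ELF_ERR_EHSIZE;
    if (eh.e_phnum) {                                  /* program header table */
        if (eh.e_phentsize != 56) return ELF_ERR_PHDR_RANGE;
        if (!in_file(eh.e_phoff, (uint64_t)eh.e_phnum * eh.e_phentsize, size))
            return ELF_ERR_PHDR_RANGE;
    }
    if (eh.e_shnum == 0)                               /* no section table: shstrndx must be SHN_UNDEF */
        return eh.e_shstrndx == 0 ? ELF_OK : ELF_ERR_SHSTRNDX;
    if (eh.e_shentsize != sizeof(elf64_shdr_t)) return ELF_ERR_SHDR_RANGE;
    if (!in_file(eh.e_shoff, (uint64_t)eh.e_shnum * eh.e_shentsize, size))
        return ELF_ERR_SHDR_RANGE;
    if (eh.e_shstrndx >= eh.e_shnum) return ELF_ERR_SHSTRNDX;
    for (uint16_t i = 0; i < eh.e_shnum; i++) {        /* section table is in bounds now */
        elf64_shdr_t sh;
        memcpy(&sh, img + eh.e_shoff + (uint64_t)i * eh.e_shentsize, sizeof sh);
        if (i == eh.e_shstrndx && sh.sh_type != 3 /* SHT_STRTAB */) return ELF_ERR_SHSTRNDX;
        if (sh.sh_type == 8 /* SHT_NOBITS */) continue;/* occupies no file bytes */
        if (!in_file(sh.sh_offset, sh.sh_size, size)) return ELF_ERR_SECTION_RANGE;
    }
    return ELF_OK;
}

/* Constructed sample: ehdr at 0, .text (8 NOPs) at 64, .shstrtab at 72, 3 shdrs at 96. */
#define SAMPLE_SIZE 288
static const char shstr[] = "\0.text\0.shstrtab";     /* 17 bytes including final NUL */

size_t build_sample_elf(uint8_t *buf)
{
    elf64_ehdr_t eh = {0};
    elf64_shdr_t sh[3] = {{0}};                        /* sh[0] is the mandatory NULL section */
    memcpy(eh.e_ident, "\x7f" "ELF\x02\x01\x01", 7);  /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1; eh.e_entry = 0x400040;
    eh.e_ehsize = sizeof eh; eh.e_phentsize = 56; eh.e_phnum = 0;
    eh.e_shoff = 96; eh.e_shentsize = sizeof(elf64_shdr_t); eh.e_shnum = 3; eh.e_shstrndx = 2;
    sh[1].sh_name = 1; sh[1].sh_type = 1; sh[1].sh_flags = 6;   /* .text: PROGBITS, AX */
    sh[1].sh_offset = 64; sh[1].sh_size = 8; sh[1].sh_addralign = 16;
    sh[2].sh_name = 7; sh[2].sh_type = 3;                        /* .shstrtab: STRTAB */
    sh[2].sh_offset = 72; sh[2].sh_size = sizeof shstr; sh[2].sh_addralign = 1;
    memset(buf, 0, SAMPLE_SIZE);
    memcpy(buf, &eh, sizeof eh);
    memset(buf + 64, 0x90, 8);
    memcpy(buf + 72, shstr, sizeof shstr);
    memcpy(buf + 96, sh, sizeof sh);
    return SAMPLE_SIZE;
}

static void poke16(uint8_t *p, uint16_t v) { memcpy(p, &v, sizeof v); }
static void poke64(uint8_t *p, uint64_t v) { memcpy(p, &v, sizeof v); }

enum corruption { CORRUPT_NONE, CORRUPT_SHSTRNDX, CORRUPT_SH_SIZE, CORRUPT_SHOFF, CORRUPT_SHNUM };

/* Apply one of the corruptions from the ticket to the sample and return the verdict. */
enum elf_check check_corrupted_sample(enum corruption c)
{
    uint8_t buf[SAMPLE_SIZE];
    size_t n = build_sample_elf(buf);
    uint8_t *text_sh = buf + 96 + 1 * sizeof(elf64_shdr_t);
    switch (c) {
    case CORRUPT_SHSTRNDX: poke16(buf + offsetof(elf64_ehdr_t, e_shstrndx), 0xffff); break;
    case CORRUPT_SH_SIZE:  poke64(text_sh + offsetof(elf64_shdr_t, sh_size), 0x100000); break;
    case CORRUPT_SHOFF:    poke64(buf + offsetof(elf64_ehdr_t, e_shoff), UINT64_MAX - 8); break;
    case CORRUPT_SHNUM:    poke16(buf + offsetof(elf64_ehdr_t, e_shnum), 0xffff); break;
    default: break;
    }
    return elf64_check_headers(buf, n);
}

int main(void)
{
    static const char *names[] = { "intact", "e_shstrndx=0xffff", ".text sh_size=1MiB",
                                   "e_shoff near UINT64_MAX", "e_shnum=0xffff" };
    for (int c = CORRUPT_NONE; c <= CORRUPT_SHNUM; c++)
        printf("%-24s -> check code %d\n", names[c], (int)check_corrupted_sample((enum corruption)c));
    return 0;
}
```

A store routine that ran these checks first would refuse (or fall back to the raw section data it already holds) instead of following e_shoff or sh_size off the end of the mapping. Note that the range checks are deliberately independent of the struct arithmetic that overflows on real fuzzed inputs: `off <= size && len <= size - off` never computes `off + len`.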

Change History

Changed 2 years ago by thorkill

  • status changed from new to assigned
  • severity changed from Medium to Very low
  • component changed from elfsh to ERESI
  • priority changed from major to trivial
  • owner set to thorkill
  • type changed from defect to enhancement

Thank you for this info, could you patch it for us (it should be done in no time)?

Happy Coding, /me

Changed 20 months ago by may

  • component changed from ERESI to libelfsh

Changed 20 months ago by may

  • reporter nitr0us@… deleted
  • summary changed from segmentation fault when save with an invalid hdr.shstrndx value to ELFsh cannot save binaries with corrupted headers
  • description modified
  • milestone changed from v0.81 to v1.0