Ticket #53 (assigned enhancement)

Opened 5 months ago

Last modified 2 months ago

ELFsh cannot save binaries with corrupted headers

Reported by: Assigned to: thorkill (accepted)
Priority: trivial Milestone: v1.0
Component: libelfsh Version:
Severity: Very low Keywords:
Cc:

Description (Last modified by may)

ELFsh will fail to save binaries with incorrect headers. Some fields are especially vulnerable to this because they are used in elfsh_store_obj().

e_shstrndx e_ehsize e_phentsize e_phnum e_phoff e_shoff e_shentsize e_shnum

In section header:

sh_size sh_offset

An alternative saving function should be coded for saving intentionally corrupted binaries, for example elfsh_store_corrupted_obj(). It remains quite a challenge to be able to save a binary without relying on those fields. Basically, anyone changing the size field of a section would make the program unstable.

While it seems interesting to fix that bug for generating ELF fuzzers in the future, the fixing cost seems pretty expensive as a new saving full-of-checks function has to be implemented, and a check needs to be performed each time one of those fields is used.
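As an added illustration of the per-field check the ticket says must precede every use of those header fields (this is example code written for this page, not ELFsh/ERESI code), the program below validates e_ehsize, e_phoff/e_phentsize/e_phnum, e_shoff/e_shentsize/e_shnum, e_shstrndx and each section's sh_offset/sh_size against the file size before anything dereferences them. The ELF structure layouts are declared inline so it builds without <elf.h>; the sample image is constructed, not taken from any real binary, and the builder assumes a little-endian host since structs are copied in host byte order.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF64 header layouts (same field order and sizes as <elf.h>,
 * declared here so the example builds without it). */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf64_ehdr_t;

typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} elf64_shdr_t;

enum hdr_status { HDR_OK, HDR_TOO_SHORT, HDR_BAD_MAGIC, HDR_BAD_EHSIZE,
                  HDR_BAD_PHDRS, HDR_BAD_SHDRS, HDR_BAD_SHSTRNDX, HDR_BAD_SECTION };

/* True when [off, off + len) lies inside a file of `total` bytes; written as a
 * subtraction so that a huge off or len cannot overflow the sum. */
static int fits(uint64_t off, uint64_t len, uint64_t total) {
    return off <= total && len <= total - off;
}

/* Validate every header field the ticket lists before anything trusts it. */
int check_elf64_header(const unsigned char *buf, size_t len) {
    elf64_ehdr_t eh;
    if (len < sizeof eh) return HDR_TOO_SHORT;
    memcpy(&eh, buf, sizeof eh);                  /* no unaligned or aliased reads */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2 /* ELFCLASS64 */)
        return HDR_BAD_MAGIC;
    if (eh.e_ehsize != sizeof eh) return HDR_BAD_EHSIZE;
    if (eh.e_phnum != 0 &&
        (eh.e_phentsize != 56 /* sizeof(Elf64_Phdr) */ ||
         !fits(eh.e_phoff, (uint64_t)eh.e_phentsize * eh.e_phnum, len)))
        return HDR_BAD_PHDRS;
    if (eh.e_shnum == 0)                          /* no section table: index must be SHN_UNDEF */
        return eh.e_shstrndx == 0 ? HDR_OK : HDR_BAD_SHSTRNDX;
    if (eh.e_shentsize != sizeof(elf64_shdr_t) ||
        !fits(eh.e_shoff, (uint64_t)eh.e_shentsize * eh.e_shnum, len))
        return HDR_BAD_SHDRS;
    if (eh.e_shstrndx >= eh.e_shnum) return HDR_BAD_SHSTRNDX;
    for (uint16_t i = 0; i < eh.e_shnum; i++) {
        elf64_shdr_t sh;
        memcpy(&sh, buf + eh.e_shoff + (size_t)i * sizeof sh, sizeof sh);
        /* SHT_NOBITS (8) sections occupy no file bytes, so sh_size is not a file range there */
        if (sh.sh_type != 8 && !fits(sh.sh_offset, sh.sh_size, len)) return HDR_BAD_SECTION;
    }
    return HDR_OK;
}

#define STRTAB_LEN 16
#define SHOFF (sizeof(elf64_ehdr_t) + STRTAB_LEN)
#define IMAGE_LEN (SHOFF + 2 * sizeof(elf64_shdr_t))   /* 208 bytes */

/* Constructed sample image (not from any real binary): header, a 16-byte
 * .shstrtab, then two section headers (null + .shstrtab). */
size_t build_sample_elf(unsigned char *out, size_t cap) {
    static const unsigned char strtab[STRTAB_LEN] = "\0.shstrtab";
    elf64_ehdr_t eh = {0};
    elf64_shdr_t sh[2] = {{0}};
    if (cap < IMAGE_LEN) return 0;
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;    /* 64-bit, LSB, EV_CURRENT */
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1;          /* ET_EXEC, x86-64 */
    eh.e_ehsize = sizeof eh;
    eh.e_shoff = SHOFF; eh.e_shentsize = sizeof(elf64_shdr_t);
    eh.e_shnum = 2; eh.e_shstrndx = 1;
    sh[1].sh_name = 1; sh[1].sh_type = 3;                         /* SHT_STRTAB */
    sh[1].sh_offset = sizeof eh; sh[1].sh_size = STRTAB_LEN; sh[1].sh_addralign = 1;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, strtab, STRTAB_LEN);
    memcpy(out + SHOFF, sh, sizeof sh);
    return IMAGE_LEN;
}

/* Apply one of the field corruptions the ticket describes to the sample and
 * return the verdict: 0 = untouched, 1 = e_shstrndx past e_shnum,
 * 2 = e_shoff outside the file, 3 = .shstrtab sh_size larger than the file,
 * 4 = wrong e_ehsize. */
int check_after_corruption(int which) {
    unsigned char img[IMAGE_LEN];
    size_t n = build_sample_elf(img, sizeof img);
    uint16_t u16; uint64_t u64;
    switch (which) {
    case 1: u16 = 5;     memcpy(img + offsetof(elf64_ehdr_t, e_shstrndx), &u16, 2); break;
    case 2: u64 = ~0ULL; memcpy(img + offsetof(elf64_ehdr_t, e_shoff), &u64, 8); break;
    case 3: u64 = ~0ULL;
            memcpy(img + SHOFF + sizeof(elf64_shdr_t) + offsetof(elf64_shdr_t, sh_size), &u64, 8); break;
    case 4: u16 = 32;    memcpy(img + offsetof(elf64_ehdr_t, e_ehsize), &u16, 2); break;
    default: break;
    }
    return check_elf64_header(img, n);
}

int main(void) {
    static const char *names[] = {"OK", "TOO_SHORT", "BAD_MAGIC", "BAD_EHSIZE",
                                  "BAD_PHDRS", "BAD_SHDRS", "BAD_SHSTRNDX", "BAD_SECTION"};
    for (int i = 0; i <= 4; i++)
        printf("corruption %d -> %s\n", i, names[check_after_corruption(i)]);
    return 0;
}
```

A writer that runs check_elf64_header() once on load and again before each store, and refuses to dereference any field the check rejected, covers the crash the ticket originally reported (an out-of-range hdr.shstrndx) as well as the oversized sh_size case; the same range logic extends to ELF32 by swapping the struct layouts and the program header size.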

Change History

04/03/08 09:12:00 changed by thorkill

  • status changed from new to assigned.
  • severity changed from Medium to Very low.
  • component changed from elfsh to ERESI.
  • priority changed from major to trivial.
  • owner set to thorkill.
  • type changed from defect to enhancement.

Thank you for this info, could you patch it for us (it should be done in no time)?

Happy Coding, /me

07/06/08 03:33:52 changed by may

  • component changed from ERESI to libelfsh.

07/06/08 03:55:35 changed by may

  • reporter deleted.
  • summary changed from segmentation fault when save with an invalid hdr.shstrndx value to ELFsh cannot save binaries with corrupted headers.
  • description changed.
  • milestone changed from v0.81 to v1.0.