[Bug binutils/19323] [FG-VD-15-113] BinUtils-2.25 Objdump Heap Overflow Vulnerability Notification

2016-03-18 Thread kshah at fortinet dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=19323

--- Comment #7 from Kushal Shah  ---
Hi Alan, 

I wanted to ask whether you could add the following information to the
ChangeLog to credit us for the discovery.

---
The vulnerability was discovered by Kushal Arvind Shah of Fortinet’s FortiGuard
Labs.
---

Eagerly awaiting your reply.

Thanking You,

Yours Sincerely,
Kushal Arvind Shah.
Fortinet's FortiGuard Labs.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils


[Bug binutils/19323] [FG-VD-15-113] BinUtils-2.25 Objdump Heap Overflow Vulnerability Notification

2015-12-03 Thread kshah at fortinet dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=19323

Kushal Shah  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |RESOLVED                    |REOPENED
     Resolution    |INVALID                     |---

--- Comment #2 from Kushal Shah  ---
Hi Alan, 

I re-ran the PoC using both readelf and objdump and saw that the "readelf"
tool returns an out-of-memory error, while "objdump" crashes with a
Segmentation Fault; using Valgrind we can see that there is a Heap Overflow
caused by Objdump.

I am attaching both the "out-of-memory" error obtained using readelf and also
the gdb and valgrind output confirming the heap overflow vulnerability in
objdump.

Could you also share the out-of-memory error output that objdump returns with
the PoC and reproduction steps provided previously?

Vulnerability Confirmation using GDB & Valgrind:

##--Valgrind Output--##

# valgrind --tool=memcheck --leak-check=full --track-origins=yes \
    --show-reachable=yes --keep-stacktraces=alloc-and-free --num-callers=40 \
    --track-fds=yes -v binutils-gdb/binutils/objdump -s /root/Desktop/file1 \
    > /dev/null
==13429== Invalid write of size 4
==13429==    at 0x82499B7: bfd_elf32_swap_phdr_in (elfcode.h:367)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdf0 is 0 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429== 
==13429== Invalid write of size 4
==13429==    at 0x82499FF: bfd_elf32_swap_phdr_in (elfcode.h:369)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdf4 is 4 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429== 
==13429== Invalid write of size 4
==13429==    at 0x8249A0E: bfd_elf32_swap_phdr_in (elfcode.h:370)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdf8 is 8 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
==13429== 
==13429== Invalid write of size 4
==13429==    at 0x8249A1A: bfd_elf32_swap_phdr_in (elfcode.h:371)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==    by 0x81E00F6: bfd_check_format_matches.part.1 (format.c:305)
==13429==    by 0x806734F: display_object_bfd (objdump.c:3418)
==13429==    by 0x806734F: display_any_bfd (objdump.c:3509)
==13429==    by 0x8053ECA: display_file (objdump.c:3530)
==13429==    by 0x8053ECA: main (objdump.c:3813)
==13429==  Address 0x420bdfc is 12 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==    by 0x81F049B: _bfd_new_bfd (opncls.c:73)
==13429==    by 0x81F049B: bfd_fopen (opncls.c:199)
==13429==    by 0x81F049B: bfd_openr (opncls.c:287)
==13429==    by 0x8053E83: display_file (objdump.c:3523)
==13429==    by 0x8053E83: main (objdump.c:3813)
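As an added triage aid (not part of the bug report or of binutils), the following parser reads memcheck "Invalid write" reports of the shape quoted above and, for each write that lands past the end of a heap block, extracts the faulting frame, how far beyond the block the write reaches, and the allocation site. The sample log embedded in it is a constructed, trimmed copy in the same format as the report's output.

```python
import re

# Constructed sample in the shape of the memcheck output quoted in the bug report
SAMPLE_LOG = """\
==13429== Invalid write of size 4
==13429==    at 0x82499B7: bfd_elf32_swap_phdr_in (elfcode.h:367)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==  Address 0x420bdf0 is 0 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
==13429==
==13429== Invalid write of size 4
==13429==    at 0x82499FF: bfd_elf32_swap_phdr_in (elfcode.h:369)
==13429==    by 0x824D0B4: bfd_elf32_object_p (elfcode.h:782)
==13429==  Address 0x420bdf4 is 4 bytes after a block of size 4,064 alloc'd
==13429==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==13429==    by 0x851B130: objalloc_create (objalloc.c:95)
"""

ERR_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+?)\)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x[0-9a-f]+ is (\d+) bytes (after|before|inside)"
                     r" a block of size ([\d,]+) alloc'd$")

def parse_memcheck(text):
    """Turn each memcheck 'Invalid read/write' report into a dict: kind, size, access stack, heap-block relation, allocation stack."""
    errs, cur, in_alloc = [], None, False
    for line in text.splitlines():
        if m := ERR_RE.match(line):                       # start of a new report
            cur = {"kind": m[1], "size": int(m[2]), "frames": [], "alloc": []}
            errs.append(cur); in_alloc = False
        elif cur and (m := ADDR_RE.match(line)):          # frames after this belong to the alloc stack
            cur.update(offset=int(m[1]), where=m[2], block=int(m[3].replace(",", "")))
            in_alloc = True
        elif cur and (m := FRAME_RE.match(line)):         # "at"/"by" stack frame
            (cur["alloc"] if in_alloc else cur["frames"]).append(f"{m[1]} ({m[2]})")
    return errs

def heap_overflow_writes(errs):
    """Keep only writes past the end of a heap block (the PR 19323 pattern) and summarise them."""
    out = []
    for e in errs:
        if e["kind"] == "write" and e.get("where") == "after":
            # first allocation frame that is not the allocator itself
            site = next((f for f in e["alloc"] if not f.startswith("malloc")), None)
            out.append({"at": e["frames"][0], "overrun_end": e["offset"] + e["size"],
                        "block": e["block"], "alloc_site": site})
    return out
```

`overrun_end` is how many bytes past the block the write finishes, so consecutive reports with growing offsets (0, 4, 8, 12 in the log above) show one loop walking off the end of a single allocation rather than four unrelated faults.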

[Bug binutils/19323] [FG-VD-15-113] BinUtils-2.25 Objdump Heap Overflow Vulnerability Notification

2015-12-01 Thread kshah at fortinet dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=19323

Kushal Shah  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        Summary    |BinUtils-2.25 Objdump Heap  |[FG-VD-15-113] BinUtils-2.25
                   |Overflow Vulnerability      |Objdump Heap Overflow
                   |Notification                |Vulnerability Notification



[Bug binutils/19323] New: BinUtils-2.25 Objdump Heap Overflow Vulnerability Notification

2015-12-01 Thread kshah at fortinet dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=19323

            Bug ID: 19323
           Summary: BinUtils-2.25 Objdump Heap Overflow Vulnerability
                    Notification
           Product: binutils
           Version: 2.25
            Status: NEW
          Severity: critical
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: kshah at fortinet dot com
  Target Milestone: ---

Created attachment 8825
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8825&action=edit
PoC File.

The PoC file is attached with this post.

Use the Objdump tool with the -s parameter to open the PoC file, with the output
destination set to /dev/null, in order to reproduce this vulnerability.

I have tested it on the Kali 2.0 platform.



[Bug binutils/19323] BinUtils-2.25 Objdump Heap Overflow Vulnerability Notification

2015-12-01 Thread kshah at fortinet dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=19323

Kushal Shah  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC    |                            |kshah at fortinet dot com
