SANS Internet Storm Center (SANS ISC InfoSec Forums)

Possible GNU Strings Denial Of Service Vulnerability
SecurityFocus has a vulnerability advisory about an issue with the GNU strings command and a potential Denial of Service attack.  If a file contains certain character strings, the strings command will crash because it fails to handle unexpected user-supplied input properly.

The bugzilla entry 2584, authored by Jesus Olmos Gonzales, who discovered the issue, contains more information. It indicates that the issue actually lies within the bfd_hack_lookup() routine in the BFD library.

The results of initial testing done by several ISC Handlers made it appear that this was only affecting some Linux/Unix distributions and not others.  Further testing indicated that the "exploit" seems sensitive to the content of the triggering file.

If the file contained only the following line:

        %253Cc%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc

then running strings on the file would result in a segmentation fault.

If the file contained additional content, such as:

        This file will not crash
        %253Cc%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc

then running strings on the file did not result in a segmentation fault.

The potential security impact is that an attacker might include this character sequence in their executable, thereby making it harder to do binary analysis with the strings command.

To test whether your system is vulnerable to this issue, you can run the following commands:

       echo "%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc" > evil-file
       strings evil-file

If you get a segmentation fault, you are vulnerable.
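The check above, and the content-sensitivity observation earlier in the diary (the bare trigger line versus the same line preceded by other text), can be scripted so the verdict comes from the exit status rather than from spotting a "Segmentation fault" message. The following POSIX sh script is an added example and not part of the original diary; the function names, the temporary-file handling and the "2 means strings is not installed" convention are choices made here, and the trigger content is copied verbatim from the diary.

```shell
#!/bin/sh
# Added example (not from the ISC diary): feed the diary's trigger line to
# `strings` and classify the outcome by exit status.  A shell reports a
# child killed by a signal as 128+signo, so SIGSEGV (11) shows up as 139.

TRIGGER='%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc'

# run_strings_on FILE
# Returns 0 if strings exits on its own (any normal exit code),
#         1 if strings was killed by a signal (segfault or similar),
#         2 if no strings binary is available on this system.
run_strings_on() {
    command -v strings >/dev/null 2>&1 || return 2
    strings "$1" >/dev/null 2>&1
    rc=$?
    if [ "$rc" -gt 128 ]; then
        return 1
    fi
    return 0
}

# check_variant LABEL LINE...
# Writes the given lines to a temporary file, runs the check, prints a
# one-line verdict and returns the same code as run_strings_on.
check_variant() {
    label=$1
    shift
    tmp=$(mktemp) || return 2
    printf '%s\n' "$@" > "$tmp"
    run_strings_on "$tmp"
    rc=$?
    rm -f "$tmp"
    case $rc in
        0) echo "$label: strings exited normally (NOT vulnerable)" ;;
        1) echo "$label: strings was killed by a signal (vulnerable)" ;;
        *) echo "$label: strings not found, cannot test" ;;
    esac
    return $rc
}

# The two file layouts described in the diary: the bare trigger line, and
# the same line preceded by unrelated text, which the diary reports does
# not crash the affected versions.
check_variant "bare trigger"     "$TRIGGER"
check_variant "prefixed trigger" "This file will not crash" "$TRIGGER"
```

Save it as, for example, strings-check.sh and run `sh strings-check.sh`; a "vulnerable" verdict on the bare trigger reproduces the diary's result, while a difference between the two verdicts reproduces the content sensitivity the handlers observed.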

Results for some tested operating systems [1]:

        CentOS 4.3 - vulnerable
        Fedora Core 4 - vulnerable
        Mac OS X 10.4.5 - NOT vulnerable
        OpenBSD 3.5 - vulnerable
        OpenBSD 3.9 - vulnerable
        Cygwin - vulnerable

[1] - "vulnerable" meaning that the included version of the "strings" command crashes with a segmentation fault.
David
