Search This Blog

Sunday, June 03, 2007

[UNIX] GBD UPX File Handling Buffer Overflow Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

GBD UPX File Handling Buffer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

A vulnerability has been reported in GDB, which possible exploited by
malicious people to compromise a vulnerable system.

DETAILS

Vulnerable Systems:
* gdb version 6.6

The vulnerability is caused due to a boundary error in coffread.c when
unpacking executable files compressed with UPX. This can be exploited to
cause a buffer overflow and potentially allows arbitrary code execution
via a specially-crafted UPX packed file.

The vulnerability has been reported in versions 6.6 till the lastest CVS.

Crashing GDB:
$ file gdbupx
gdbupx: MS-DOS executable PE for MS Windows (console) Intel 80386 32-bit,
UPX compressed

$ upx -d gdbupx
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006
File size Ratio Format Name

upx: gdbupx: CantUnpackException: exe header corrupte.e
Unpacked 0 files.

$ gdb -v
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as i686-pc-linux-gnu .

$ gdb gdbtest/bin/gdb
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as i686-pc-linux-gnu
Using host libthread_db library /lib/libthread_db.so.1 .
Really redefine built-in command frame ? (y or n) [answered Y; input not
from terminal]
Really redefine built-in command thread ? (y or n) [answered Y; input not
from terminal]
Really redefine built-in command start ? (y or n) [answered Y; input not
from terminal]

gdb>r gdbupx
GNU gdb 6.6.50.20070531-cvs
Copyright (C) 2007 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as i686-pc-linux-gnu

Program received signal SIGSEGV, Segmentation fault.
_______________________________________________________________________________
eax:08334F70 ebx:00000000 ecx:08337168 edx:082C3240 eflags:00210246
esi:0833D320 edi:0833D34C esp:BF8E54D0 ebp:BF8E54F8 eip:0814CD82
cs:0073 ds:007B es:007B fs:0000 gs:0033 ss:007B o d I t s Z a P c
[007B:BF8E54D0] [stack]
BF8E5500 : 80 02 00 00 00 00 00 00 - FC 01 00 00 00 00 00 00 .
BF8E54F0 : 30 00 00 00 F0 55 8E BF - 38 56 8E BF 50 D7 14 08 0 .U..8V..P
BF8E54E0 : 68 71 33 08 F4 BD 2E 08 - F0 55 8E BF 00 00 00 00 hq3 U
BF8E54D0 : 31 2D 25 08 FF FF FF FF - F8 54 8E BF 7D C0 14 08 1-% T..}
[007B:0833D320] [ data]
0833D320 : 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 .
0833D330 : 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 .
[0073:0814CD82] [ code]
0 814cd82 : movzx eax,BYTE PTR [ebx]
0 814cd85 : cmp al,BYTE PTR [edx+24]
0 814cd88 : mov BYTE PTR [esi+12],0 1
0 814cd8c : mov DWORD PTR [esp+12],ecx
0 814cd90 : sete al
0 814cd93 : movzx eax,al

0 0814cd82 in process_coff_symbol (cs=0xbf8e55f0, aux=0 82ebdf4, objfile=0
8337168) at coffread.c:1482
1482 name = EXTERNAL_NAME (name, objfile->obfd);
gdb>bt
#0 0 0814cd82 in process_coff_symbol (cs=0xbf8e55f0, aux=0 82ebdf4,
objfile=0 8337168) at coffread.c:1482
#1 0 0814d750 in coff_symfile_read (objfile=0 8337168, mainline=0 1) at
coffread.c:1084
#2 0 08108ff3 in syms_from_objfile (objfile=0 8337168, addrs=0 833e280,
offsets=0 0, num_offsets=0 0, mainline=0 1, verbo=0 0) at symfile.c:876
#3 0 081093de in symbol_file_add_with_addrs_or_offsets (abfd=0 8334f70,
from_tty=0 0, addrs=0 0, offsets=0 0, num_offsets=0 0, mainline=0 1,
flags=0 0) at symfile.c:988
#4 0 0810a265 in symbol_file_add_main_1 (args=0 8334f70 \001 , from_tty=0
82c3240,
flags=) at symfile.c:1121
#5 0 08121b92 in catch_command_errors (command=0 810a3f0 ,
arg=0xbf8e72ad ../../gdbupx , from_tty=0 0, mask=0 6) at exceptions.c:530
#6 0 0807eb38 in captured_main (data=0xbf8e58f4) at .././gdb/main.c:728
#7 0 08121c2b in catch_errors (func=0 807e1e0 , func_args=0xbf8e58f4,
errstring=0 8252d31 , mask=0 6) at exceptions.c:515
#8 0 0807e193 in gdb_main (args=0xbf8e58f4) at .././gdb/main.c:881
#9 0 0807e155 in main (argc=0 0, argv=0 8332df0) at gdb.c:35


ADDITIONAL INFORMATION

The information has been provided by KaiJern, Lau. (xwingssecuritynetmy).
The original article can be found at: <http://blog.xwings.net/?p=71>

http://blog.xwings.net/?p=71

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments: