This evil file cannot be scanned with the strings command:

root@jolmos:/research# strings evil
Segmentation fault
root@jolmos:/research# cat evil
%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc%253Cc
root@jolmos:/research#

(gdb) r evil
Starting program: /usr/bin/strings evil
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xb7e9ecbd in bfd_hash_lookup () from /usr/lib/libbfd-2.16.1.so
(gdb)

The problem is in bfd_hash_lookup from the libbfd-2.16.1.so library, at this snippet of code:

1fcb1: c1 ef 02       shr    $0x2,%edi
1fcb4: 31 c7          xor    %eax,%edi
1fcb6: 89 f8          mov    %edi,%eax
1fcb8: 8b 4d 08       mov    0x8(%ebp),%ecx
1fcbb: 31 d2          xor    %edx,%edx
1fcbd: f7 71 04       divl   0x4(%ecx)        <-- SIGSEGV with %253Cc%AAAAA%AAAAA%AAAAA%AAAAA%AAAAA%AAAAA
1fcc0: 01 d2          add    %edx,%edx
1fcc2: 01 d2          add    %edx,%edx
1fcc4: 89 55 e0       mov    %edx,0xffffffe0(%ebp)

With %253Cc, ecx gets the value 0x54, and it cannot access this address. It seems it is not exploitable.

Ubuntu: Linux jolmos 2.6.12-9-386 #1 Mon Oct 10 13:14:36 BST 2005 i686 GNU/Linux

I have tested on other kernels and the result is the same.

Jesús Olmos Gonzalez
Internet Security Auditors
www.isecauditors.com
Can you try the current binutils in CVS?
Created attachment 978: a patch

I can reproduce this on CVS too. bfd/tekhex.c:getsym() doesn't check whether the length character is a valid hexadecimal character. hex_value() returns 99 for non-hexadecimal characters and getsym uses it as the length to be read. This then causes a buffer overrun because getsym is called with only a 17-byte buffer. The attached patch seems to fix the given test case anyway, though it would be better to add more checks.
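As an added illustration of the getsym() length bug described in the comment above and of the crash in the original report, the following C models a single-hex-digit symbol length parser the way the comment describes it, beside a checked version. This is example code written for this page, not the binutils source or the attached patch: hex_value, HEX_BAD, trusted_length, getsym_unchecked and getsym_checked are the example's own names, and the sample inputs are constructed; the 99 sentinel and the 17-byte buffer are the values the comment gives.

```c
/* Added example, not binutils code: models the tekhex getsym() length
   bug described above (CVE-2006-2362) and a checked replacement.
   Names here (hex_value, HEX_BAD, trusted_length, getsym_unchecked,
   getsym_checked) are this example's own; 99 and 17 are the values
   from the comment. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HEX_BAD 99u   /* value returned for a non-hex character */
#define SYM_BUF 17    /* 16 symbol characters plus the NUL terminator */

/* Single-character hex lookup: 0..15 for a hex digit, HEX_BAD otherwise. */
static unsigned int hex_value(int c)
{
    if (c >= '0' && c <= '9') return (unsigned int)(c - '0');
    if (c >= 'a' && c <= 'f') return (unsigned int)(c - 'a' + 10);
    if (c >= 'A' && c <= 'F') return (unsigned int)(c - 'A' + 10);
    return HEX_BAD;
}

/* The length the unchecked parser would trust for a given length character.
   For any non-hex byte this is 99, far past a 17-byte destination. */
static unsigned int trusted_length(int length_char)
{
    return hex_value(length_char);
}

/* Shape of the unchecked parser: the length digit is used as-is.
   Safe only on well-formed input; with a non-hex length character it
   copies 99 bytes into dstp, which is the reported overrun. */
static const char *getsym_unchecked(char *dstp, const char *srcp,
                                    unsigned int *lenp)
{
    unsigned int len = hex_value(*srcp++);
    unsigned int i;
    for (i = 0; i < len; i++)
        dstp[i] = srcp[i];
    dstp[i] = 0;
    *lenp = len;
    return srcp + i;
}

/* Checked parser: rejects a non-hex length, a length that would not fit
   in dstsz (including the NUL), and a length that runs past the end of
   the input.  Returns NULL on rejection, else the position after the symbol. */
static const char *getsym_checked(char *dstp, size_t dstsz,
                                  const char *srcp, const char *end,
                                  unsigned int *lenp)
{
    unsigned int len;

    if (srcp >= end)
        return NULL;
    len = hex_value((unsigned char)*srcp);
    if (len == HEX_BAD || len + 1 > dstsz)
        return NULL;
    srcp++;
    if ((size_t)(end - srcp) < len)
        return NULL;
    memcpy(dstp, srcp, len);
    dstp[len] = 0;
    *lenp = len;
    return srcp + len;
}

int main(void)
{
    /* Constructed inputs: a well-formed 5-character symbol and one whose
       length character is not a hex digit, as in the crashing file. */
    const char good[] = "5hello";
    const char bad[]  = "Gjunk";
    char buf[SYM_BUF];
    unsigned int n = 0;

    getsym_unchecked(buf, good, &n);
    printf("unchecked, good input: len=%u sym=\"%s\"\n", n, buf);
    printf("unchecked would trust len=%u for '%c' (buffer is %d bytes)\n",
           trusted_length(bad[0]), bad[0], SYM_BUF);

    if (getsym_checked(buf, sizeof buf, good, good + strlen(good), &n))
        printf("checked, good input: len=%u sym=\"%s\"\n", n, buf);
    if (!getsym_checked(buf, sizeof buf, bad, bad + strlen(bad), &n))
        printf("checked, bad input: rejected\n");
    return 0;
}
```

The checked version bounds the length three ways: it refuses a non-hex length digit outright, it refuses a length that would not fit in the destination buffer together with its terminator, and it refuses a length that would read past the end of the input record, so a crafted file can neither overrun the 17-byte symbol buffer nor make the parser read beyond the loaded data.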
This is CVE-2006-2362.
Fixed by http://sourceware.org/ml/binutils/2006-04/msg00393.html