pyelftools
Bug: DOS when iterating over sections
Applications using pyelftools are susceptible to DOS when parsing an ELF file whose
- `e_shentsize` is zero
- `e_shnum` is larger than the actual number of entries in the section header table
The function `ELFFile.iter_sections` iterates over i in `range(self['e_shnum'])` and yields sections at file offset `self['e_shoff'] + i * self['e_shentsize']`.
If `e_shentsize` is zero this will return the first section over and over again. Thus a malicious ELF file can make pyelftools return the first section 9223372036854775808 times and cause a DOS.
My question here is: Can you make pyelftools throw an exception if `e_shentsize` is zero because that would get rid of the DOS? An `e_shentsize` of zero doesn't make sense anyway.
An exemplary ELF file that can trigger this can be found here: timeout-3561f873d79b09ce755b0981d3df30b9ac0ca0d3
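As an added illustration (this is not pyelftools' code and not the reporter's timeout-* file), the following minimal ELF64 little-endian header reader computes section header offsets exactly the way the report describes, `e_shoff + i * e_shentsize`, and applies the checks the report asks for: refuse a zero `e_shentsize` (and, since the same loop shape applies to program headers, a zero `e_phentsize`), and refuse an `e_shnum`/`e_phnum` whose table would run past the end of the file. The function names (`parse_elf64_header`, `header_table_problems`, `safe_section_offsets`, `build_elf64`) and the three sample headers are this example's own constructions.

```python
import struct

# Added example, not pyelftools code: a minimal ELF64 (little-endian) header
# reader with the sanity checks the report asks for. Function names and the
# sample headers below are this example's own constructions.

ELF_MAGIC = b"\x7fELF"
ELF64_EHDR_FMT = "<HHIQQQIHHHHHH"  # fields after the 16-byte e_ident
ELF64_EHDR_SIZE = 64               # sizeof(Elf64_Ehdr)
ELF64_SHDR_SIZE = 64               # sizeof(Elf64_Shdr)
ELF64_PHDR_SIZE = 56               # sizeof(Elf64_Phdr)


def parse_elf64_header(data: bytes) -> dict:
    """Return the e_*off / e_*entsize / e_*num fields of an ELF64 LSB header."""
    if len(data) < ELF64_EHDR_SIZE or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("example only handles ELFCLASS64 / ELFDATA2LSB")
    fields = struct.unpack_from(ELF64_EHDR_FMT, data, 16)
    (_type, _machine, _version, _entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = fields
    return {"e_phoff": e_phoff, "e_phentsize": e_phentsize, "e_phnum": e_phnum,
            "e_shoff": e_shoff, "e_shentsize": e_shentsize, "e_shnum": e_shnum}


def header_table_problems(hdr: dict, file_size: int) -> list:
    """Sanity checks for both header tables; an empty list means they are safe to iterate."""
    problems = []
    for name, off, entsize, num, min_entsize in (
        ("section", hdr["e_shoff"], hdr["e_shentsize"], hdr["e_shnum"], ELF64_SHDR_SIZE),
        ("program", hdr["e_phoff"], hdr["e_phentsize"], hdr["e_phnum"], ELF64_PHDR_SIZE),
    ):
        if num == 0:
            continue  # no table at all: nothing to iterate, nothing to check
        if entsize == 0:
            # The bug from the report: off + i * 0 is the same entry for every i,
            # so a loop over num entries re-reads entry 0 num times.
            problems.append(f"{name} header entry size is zero")
            continue
        if entsize < min_entsize:
            problems.append(f"{name} header entry size {entsize} is smaller than an Elf64 entry")
        if off + entsize * num > file_size:
            # num claims more entries than the file can actually hold
            problems.append(f"{name} header table runs past end of file")
    return problems


def section_offsets(hdr: dict) -> list:
    """File offset of each section header, using the iteration the report describes."""
    return [hdr["e_shoff"] + i * hdr["e_shentsize"] for i in range(hdr["e_shnum"])]


def safe_section_offsets(data: bytes) -> list:
    """Parse, validate, then enumerate; malformed headers are rejected up front."""
    hdr = parse_elf64_header(data)
    problems = header_table_problems(hdr, len(data))
    if problems:
        raise ValueError("; ".join(problems))
    return section_offsets(hdr)


def build_elf64(e_shoff, e_shentsize, e_shnum, total_size):
    """Constructed sample: an ELF64 LSB ET_REL x86-64 header, zero-padded to total_size bytes."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    rest = struct.pack(ELF64_EHDR_FMT, 1, 62, 1, 0, 0, e_shoff, 0,
                       ELF64_EHDR_SIZE, ELF64_PHDR_SIZE, 0, e_shentsize, e_shnum, 0)
    return (ident + rest).ljust(total_size, b"\x00")


# Constructed inputs (not the reporter's attached file):
BENIGN = build_elf64(e_shoff=64, e_shentsize=64, e_shnum=3, total_size=256)
ZERO_ENTSIZE = build_elf64(e_shoff=64, e_shentsize=0, e_shnum=65535, total_size=256)
TOO_MANY = build_elf64(e_shoff=64, e_shentsize=64, e_shnum=1000, total_size=256)

if __name__ == "__main__":
    print(safe_section_offsets(BENIGN))
    for sample in (ZERO_ENTSIZE, TOO_MANY):
        print(header_table_problems(parse_elf64_header(sample), len(sample)))
    # Without the check, the zero-entsize header yields a single offset 65535 times:
    print(len(set(section_offsets(parse_elf64_header(ZERO_ENTSIZE)))))
```

The zero check has to come before the bounds check: with `e_shentsize == 0` the table's computed end is `e_shoff + 0`, which is always inside the file, so a bounds check alone would pass the malicious header. The same holds for the program header table, which is why both tables go through the same loop.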
Thanks for the report. PRs to fix this are welcome.
To be clear, pyelftools was never designed to be used in security-critical settings. For example, it's not particularly fast (being pure Python and all), and it can be trivially "DOS"-ed by passing a file with large DWARF data.
I'll gladly accept a PR that fixes this specific issue, but this isn't a high priority for me in any way.
It's not a DoS if the only computer you've sabotaged is yours.
pyelftools doesn't listen on a network - the DoS can't be triggered by a remote attacker. If the attacker already has the ability to execute arbitrary Python on your machine - you've got bigger problems.
If a third party piece accepts binaries from untrusted callers and passes them to pyelftools uncritically - that's on the said piece.
For an extended version of the same argument, see this: https://devblogs.microsoft.com/oldnewthing/20220627-00/?p=106792
@pd-fkie Addressed in #522. Also the same for `e_phentsize`.