
Buffer overflow causing RCE in readelf

Open liyansong2018 opened this issue 2 years ago • 0 comments

Hi,

readelf in ToaruOS 2.0.1 has a global overflow allowing RCE when parsing a crafted ELF file. Through elaborately constructed ELF files, remote code execution can be realized.

PoC

./readelf -d poc_elf_overflow

Dynamic section at offset 0x2df8 contains (up to) 30 entries:
  Tag        Type                         Name/Value
zsh: segmentation fault  ./readelf -d poc_elf_overflow

poc_elf_overflow.zip

Patch

$ git diff
diff --git a/apps/readelf.c b/apps/readelf.c
index ce25d5e1..91f5e722 100644
--- a/apps/readelf.c
+++ b/apps/readelf.c
@@ -168,7 +168,7 @@ static char * dynamicTagToStr(Elf64_Dyn * dynEntry, char * dynstr) {
                        break;
                case DT_NEEDED:
                        name = "(NEEDED)";
-                       sprintf(extra, "[shared lib = %s]", dynstr + dynEntry->d_un.d_val);
+                       snprintf(extra, 500, "[shared lib = %s]", dynstr + dynEntry->d_un.d_val);
                        break;
                case DT_PLTRELSZ:
                        name = "(PLTRELSZ)";
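Review bot: the bound only caps the write, not the read. In `snprintf(extra, 500, "[shared lib = %s]", dynstr + dynEntry->d_un.d_val);` the source pointer `dynstr + dynEntry->d_un.d_val` is still an offset taken straight from the file with no check, so a crafted `d_val` can point past the end of the string table and `snprintf` will keep reading until it happens to find a NUL byte. Validate `d_val` against the table size (DT_STRSZ) and confirm a terminator exists inside the table (for example with `memchr` or `strnlen` bounded by the remaining table length) before formatting, and print a `<corrupt>` marker when that check fails. The literal `500` also duplicates a size that is declared outside this hunk; if `extra` is an array, use `sizeof(extra)` so the two cannot drift apart. Any other tag in this switch that formats a name out of `dynstr` the same way needs the same treatment.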
@@ -286,7 +286,7 @@ static char * dynamicTagToStr(Elf64_Dyn * dynEntry, char * dynstr) {
                        break;
        }
 
-       sprintf(buf,"%-15s %s", name, extra);
+       snprintf(buf, 1024, "%-15s %s", name, extra);
        return buf;
 }
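Review bot: `snprintf(buf, 1024, "%-15s %s", name, extra);` hard-codes the size of `buf`, which is not declared in this hunk. Because the function returns `buf` (`return buf;`), it cannot be a stack array, so it is static or global storage, which is consistent with the "global overflow" in the report; prefer `sizeof(buf)` if it is declared as an array, or a named constant shared with its declaration, over a bare `1024`. Given that `extra` is now bounded at 500 bytes and `name` is a short literal, this second bound is mostly defensive, which is fine, but note that `snprintf` truncates silently: if exact output matters, check that the return value is smaller than the buffer size and mark truncated lines rather than printing them as if complete.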

liyansong2018 Jun 10 '22 12:06
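The patch above bounds the two writes but still dereferences `dynstr + d_val` with a `d_val` that comes unchecked from the file. The following is an added example, not ToaruOS's readelf code, showing how a formatter for dynamic-section tags can reject out-of-range and unterminated string-table offsets before formatting, and how the snprintf return value exposes truncation. The type `DynEntry` stands in for `Elf64_Dyn` (only the two fields used here), and `dynstr_at`, `fmt_dynamic_tag`, `sample_dynstr` and the `<corrupt ...>` marker text are all assumed names chosen for this example; the string table is constructed inline.

```c
/* Added example, not ToaruOS code. Demonstrates bounds-checked access to a
 * dynamic string table before formatting a DT_NEEDED / DT_SONAME / DT_RUNPATH
 * entry. Names (DynEntry, dynstr_at, fmt_dynamic_tag, sample_dynstr) are
 * assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for Elf64_Dyn from <elf.h>: only the fields used here. */
typedef struct {
    int64_t  d_tag;
    uint64_t d_val;   /* for the tags below: byte offset into .dynstr */
} DynEntry;

/* Standard ELF tag values (same as <elf.h>); guarded in case it is included. */
#ifndef DT_NEEDED
#define DT_NEEDED  1
#endif
#ifndef DT_SONAME
#define DT_SONAME  14
#endif
#ifndef DT_RUNPATH
#define DT_RUNPATH 29
#endif

/* Return the string at offset `off` in the dynstr table, or NULL when the
 * offset is outside the table or no NUL terminator exists inside it.
 * `dynstr_len` is the DT_STRSZ value, which the caller must itself have
 * checked against the size of the mapped file. */
static const char *dynstr_at(const char *dynstr, size_t dynstr_len, uint64_t off) {
    if (off >= dynstr_len)
        return NULL;
    /* memchr is bounded by the bytes left in the table, so an unterminated
     * string cannot cause a read past the table. */
    if (memchr(dynstr + off, '\0', dynstr_len - off) == NULL)
        return NULL;
    return dynstr + off;
}

/* Format one dynamic entry into caller-supplied storage. Returns the snprintf
 * result (bytes that would have been written), so a value >= buf_len means
 * the line was truncated. Never writes past buf_len. */
static int fmt_dynamic_tag(char *buf, size_t buf_len, const DynEntry *e,
                           const char *dynstr, size_t dynstr_len) {
    const char *name;
    const char *label;
    switch (e->d_tag) {
    case DT_NEEDED:  name = "(NEEDED)";  label = "shared lib"; break;
    case DT_SONAME:  name = "(SONAME)";  label = "soname";     break;
    case DT_RUNPATH: name = "(RUNPATH)"; label = "runpath";    break;
    default:
        return snprintf(buf, buf_len, "%-15s 0x%llx", "(UNKNOWN)",
                        (unsigned long long)e->d_val);
    }
    const char *s = dynstr_at(dynstr, dynstr_len, e->d_val);
    if (s == NULL) {
        /* Crafted offset: report it instead of dereferencing it. */
        return snprintf(buf, buf_len,
                        "%-15s [%s = <corrupt: offset 0x%llx beyond DT_STRSZ 0x%zx>]",
                        name, label, (unsigned long long)e->d_val, dynstr_len);
    }
    return snprintf(buf, buf_len, "%-15s [%s = %s]", name, label, s);
}

/* Constructed sample string table (not from a real binary). The last entry,
 * "unterm", deliberately has no NUL inside the declared table length. */
static const char sample_dynstr[] = "\0libc.so\0libm.so\0unterm";
#define SAMPLE_DYNSTR_LEN (sizeof(sample_dynstr) - 1)   /* drop literal's NUL */

int main(void) {
    char line[1024];
    DynEntry entries[] = {
        { DT_NEEDED,  1 },           /* "libc.so" */
        { DT_NEEDED,  0x7fffffffULL },/* crafted offset far outside the table */
        { DT_SONAME,  17 },          /* "unterm": no terminator in table */
    };
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        int n = fmt_dynamic_tag(line, sizeof line, &entries[i],
                                sample_dynstr, SAMPLE_DYNSTR_LEN);
        printf("%s%s\n", line, (size_t)n >= sizeof line ? " [truncated]" : "");
    }
    return 0;
}
```

The two checks in `dynstr_at` are the ones a crafted `d_val` defeats in the original `sprintf` pattern: the offset itself, and the presence of a terminator within the table. The bound passed to `snprintf` is always `sizeof` of the destination or the caller's `buf_len`, never a literal that can drift from the declaration.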