oss-sec mailing list archives
Re: Just a reminder to never run ldd or strings on untrusted binaries
From: Matthew Fernandez <matthew.fernandez () gmail com>
Date: Fri, 5 Apr 2024 02:09:31 +1100
On 4/4/24 12:16, Markus Klyver wrote:
I'm not sure if people are aware of the fact that ldd can run the executable under certain circumstances. Also running strings on a malicious file can be a bad idea: https://jmmv.dev/2023/07/ldd-untrusted-binaries.html https://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html This advice would extend to other common tools as well, like objdump and readelf.
Thankfully the strings behaviour seems to have been altered, https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=7fac9594c41ab180979bdf5927ff7f7e1d13a9e9:
commit 7fac9594c41ab180979bdf5927ff7f7e1d13a9e9 Author: Nick Clifton <nickc () redhat com> Date: Fri Oct 31 10:10:37 2014 +0000 In response to a public outcry the strings program now defaults to using the --all option which displays text from anywhere in the input file(s). The default used to be --data, which only displays text from loadable data sections, but this requires the use of the BFD library. Since the BFD library almost certainly still contains buffer overrun and/or memory corruption bugs, and since the strings program is often used to examine malicious code, it was decided that the --data option option represents a possible security risk.* strings.c: Add new command line option --data to only scan theinitialized, loadable data secions of binaries. Choose the default behaviour of --all or --data based upon a configure option. * doc/binutils.texi (strings): Update documentation. Include description of why the --data option might be unsafe. * configure.ac: Add new option --disable-default-strings-all which restores the old behaviour of strings using --data by default. If the option is not used make strings use --all by default. * NEWS: Mention the new behaviour of strings. * configure: Regenerate. * config.in: Regenerate.
Current thread:
- Just a reminder to never run ldd or strings on untrusted binaries Markus Klyver (Apr 04)
- Re: Just a reminder to never run ldd or strings on untrusted binaries Matthew Fernandez (Apr 04)