oss-sec mailing list archives

Re: Just a reminder to never run ldd or strings on untrusted binaries


From: Matthew Fernandez <matthew.fernandez () gmail com>
Date: Fri, 5 Apr 2024 02:09:31 +1100



On 4/4/24 12:16, Markus Klyver wrote:
I'm not sure if people are aware of the fact that ldd can run the executable under certain circumstances. Also running 
strings on a malicious file can be a bad idea:

https://jmmv.dev/2023/07/ldd-untrusted-binaries.html

https://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html

This advice would extend to other common tools as well, like objdump and readelf.

Thankfully the strings behaviour seems to have been altered,
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=7fac9594c41ab180979bdf5927ff7f7e1d13a9e9:

commit 7fac9594c41ab180979bdf5927ff7f7e1d13a9e9
Author: Nick Clifton <nickc () redhat com>
Date:   Fri Oct 31 10:10:37 2014 +0000

    In response to a public outcry the strings program now defaults to using the
    --all option which displays text from anywhere in the input file(s).  The
    default used to be --data, which only displays text from loadable data sections,
    but this requires the use of the BFD library.  Since the BFD library almost
    certainly still contains buffer overrun and/or memory corruption bugs, and
    since the strings program is often used to examine malicious code, it was
    decided that the --data option represents a possible security risk.

            * strings.c: Add new command line option --data to only scan the
            initialized, loadable data sections of binaries.  Choose the
            default behaviour of --all or --data based upon a configure
            option.
            * doc/binutils.texi (strings): Update documentation.  Include
            description of why the --data option might be unsafe.
            * configure.ac: Add new option --disable-default-strings-all which
            restores the old behaviour of strings using --data by default.  If
            the option is not used make strings use --all by default.
            * NEWS: Mention the new behaviour of strings.
            * configure: Regenerate.
            * config.in: Regenerate.
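
An added example, not part of this thread and not binutils code, of the alternative the thread points towards: listing a binary's DT_NEEDED entries by parsing the ELF file yourself in a memory-safe language, so the file is neither executed (as ldd may do) nor handed to a BFD-based parser (strings --data, objdump, readelf). It handles little-endian ELF64 only, bounds-checks every offset so a hostile header can only produce a ValueError rather than a crash, and constructs its own minimal sample object because no real binary is on the page. The function names needed_libraries and build_sample_elf, and the libc/libm names in the sample, are assumptions of the example.

```python
# Added example (not from the thread): list the DT_NEEDED entries of an ELF64
# file by parsing it in pure Python, so no loader, no BFD and no execution of
# the untrusted input is involved.  Every offset is bounds-checked.
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes
MAX_DYN_ENTRIES = 4096                     # cap on the dynamic-table walk


def _slice(data, off, size):
    """Return data[off:off+size], refusing any range that leaves the file."""
    if off < 0 or size < 0 or off + size > len(data):
        raise ValueError("range %d+%d outside a %d-byte file" % (off, size, len(data)))
    return data[off:off + size]


def needed_libraries(data):
    """Return the DT_NEEDED names of a little-endian ELF64 file without running it."""
    hdr = EHDR.unpack(_slice(data, 0, EHDR.size))
    ident, phoff, phentsize, phnum = hdr[0], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    if phentsize != PHDR.size:
        raise ValueError("unexpected e_phentsize %d" % phentsize)

    loads, dynamic = [], None
    for i in range(phnum):
        ph = PHDR.unpack(_slice(data, phoff + i * PHDR.size, PHDR.size))
        p_type, p_off, p_vaddr, p_filesz = ph[0], ph[2], ph[3], ph[5]
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:
        return []  # no dynamic segment: statically linked, nothing to report

    def vaddr_to_offset(vaddr):
        # DT_STRTAB holds a virtual address; map it through the PT_LOAD segments
        for seg_vaddr, seg_off, seg_size in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_size:
                return seg_off + (vaddr - seg_vaddr)
        raise ValueError("address 0x%x is not backed by any PT_LOAD" % vaddr)

    dyn_off, dyn_size = dynamic
    name_offsets, strtab = [], None
    for i in range(min(dyn_size // DYN.size, MAX_DYN_ENTRIES)):
        tag, val = DYN.unpack(_slice(data, dyn_off + i * DYN.size, DYN.size))
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            name_offsets.append(val)
        elif tag == DT_STRTAB:
            strtab = val
    if not name_offsets:
        return []
    if strtab is None:
        raise ValueError("DT_NEEDED present but no DT_STRTAB")

    base = vaddr_to_offset(strtab)
    names = []
    for off in name_offsets:
        start = base + off
        if start >= len(data):
            raise ValueError("DT_NEEDED string offset outside file")
        end = data.find(b"\0", start)
        if end < 0:
            raise ValueError("unterminated DT_NEEDED string")
        names.append(data[start:end].decode("ascii", "replace"))
    return names


def build_sample_elf(needed=("libc.so.6", "libm.so.6")):
    """Constructed sample: a minimal ELF64 object holding only a dynamic table."""
    base_vaddr = 0x400000
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    phdr_off = EHDR.size
    dyn_off = phdr_off + 2 * PHDR.size
    dyn_size = (len(needed) + 2) * DYN.size
    str_off = dyn_off + dyn_size
    total = str_off + len(strtab)

    dyn, name_off = b"", 1
    for n in needed:
        dyn += DYN.pack(DT_NEEDED, name_off)
        name_off += len(n) + 1
    dyn += DYN.pack(DT_STRTAB, base_vaddr + str_off) + DYN.pack(DT_NULL, 0)

    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, 3, 62, 1, 0,
                     phdr_off, 0, 0, EHDR.size, PHDR.size, 2, 0, 0, 0)
    load = PHDR.pack(PT_LOAD, 5, 0, base_vaddr, base_vaddr, total, total, 0x1000)
    dynamic = PHDR.pack(PT_DYNAMIC, 6, dyn_off, base_vaddr + dyn_off,
                        base_vaddr + dyn_off, dyn_size, dyn_size, 8)
    return ehdr + load + dynamic + dyn + strtab


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for name in needed_libraries(blob):
        print(name)
```

Run it with a path to print that file's DT_NEEDED names, or with no argument to parse the built-in sample. The point of the design is that the worst a malformed input can do is raise ValueError: the parser trusts nothing from the header, walks the dynamic table with a hard cap, and resolves DT_STRTAB through the PT_LOAD segments the way the loader would, but without ever loading anything.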

