Day 38: Understanding Core Unix Components and their Historical Security Issues (binutils)

Diddy Doodat
Feb 6, 2019

*More usage examples to be added soon!

Binutils

http://ftp.gnu.org/gnu/binutils/binutils-2.31.1.tar.xz

The Binutils package contains a linker, an assembler, and other tools for handling object files.

Installed Binaries

addr2line

Translates program addresses to file names and line numbers; given an address and the name of an executable, it uses the debugging information in the executable to determine which source file and line number are associated with the address

root@aflone:~# cat hello.c 
#include <stdio.h>
int main()
{
printf("hello\n");
return 0;
}
root@aflone:~# gcc -g hello.c
root@aflone:~# objdump -d a.out | grep -a4 "<main>:"
40051e: ff d0 callq *%rax
400520: 5d pop %rbp
400521: e9 7a ff ff ff jmpq 4004a0 <register_tm_clones>
0000000000400526 <main>:
400526: 55 push %rbp
400527: 48 89 e5 mov %rsp,%rbp
40052a: bf c4 05 40 00 mov $0x4005c4,%edi
40052f: e8 cc fe ff ff callq 400400 <puts@plt>
root@aflone:~# addr2line -e a.out 400526
/root/hello.c:3

ar

Creates, modifies, and extracts from archives

as

An assembler that assembles the output of gcc into object files

c++filt

Used by the linker to de-mangle C++ and Java symbols and to keep overloaded functions from clashing

elfedit

Updates the ELF header of ELF files

gprof

Displays call graph profile data

ld

A linker that combines a number of object and archive files into a single file, relocating their data and tying up symbol references

ld.gold

A cut-down version of ld that only supports the ELF object file format

ld.bfd

Hard link to ld

nm

Lists the symbols occurring in a given object file

objcopy

Translates one type of object file into another

objdump

Displays information about the given object file, with options controlling the particular information to display; the information shown is useful to programmers who are working on the compilation tools

ranlib

Generates an index of the contents of an archive and stores it in the archive; the index lists all of the symbols defined by archive members that are relocatable object files

readelf

Displays information about ELF type binaries

size

Lists the section sizes and the total size for the given object files

strings

Outputs, for each given file, the sequences of printable characters that are of at least the specified length (defaulting to four); for object files, it prints, by default, only the strings from the initializing and loading sections while for other types of files, it scans the entire file

strip

Discards symbols from object files

Installed Libraries

libbfd

The Binary File Descriptor library

libopcodes

A library for dealing with opcodes — the “readable text” versions of instructions for the processor; it is used for building utilities like objdump

Directories

/usr/lib/ldscripts

Vulnerabilities

Top 10 Critical

  • CVE-2005-4808
    Buffer overflow in reset_vars in config/tc-crx.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050714 allows user-assisted attackers to have an unknown impact via a crafted .s file.
  • CVE-2005-4807
    Stack-based buffer overflow in the as_bad function in messages.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050721 allows attackers to execute arbitrary code via a .c file with crafted inline assembly code.
  • CVE-2006-2362
    Buffer overflow in getsym in tekhex.c in libbfd in Free Software Foundation GNU Binutils before 20060423, as used by GNU strings, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a file with a crafted Tektronix Hex Format (TekHex) record in which the length character is not a valid hexadecimal character.
  • CVE-2014-8485
    The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file.
  • CVE-2014-8501
    The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.
  • CVE-2014-8502
    Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file.
  • CVE-2014-8503
    Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.
  • CVE-2014-8504
    Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file.
  • CVE-2014-9939
    ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.
  • CVE-2017-7614
    elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a “member access within null pointer” undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an “int main() {return 0;}” program.
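
Several entries above (ihex_scan, srec_scan, the TekHex getsym) concern libbfd parsers for hex-encoded text records overflowing on crafted input. As an added illustration, not binutils code and not from the original post, here is a minimal Intel HEX record parser in C with the checks such a parser needs: every character is validated as hexadecimal, the file-supplied byte count is bounded against the destination buffer before any write, and the checksum is verified. The function names, status codes and sample record are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { IHEX_OK, IHEX_BAD_START, IHEX_BAD_DIGIT, IHEX_TRUNCATED, IHEX_TOO_BIG, IHEX_BAD_SUM };

/* Decode one hex digit, or return -1 if the character is not hexadecimal. */
static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Read two hex digits at *pos without reading past n; advance *pos on success. */
static int hex_byte(const char *s, size_t n, size_t *pos, uint8_t *out) {
    if (n - *pos < 2) return IHEX_TRUNCATED;
    int hi = hex_nibble(s[*pos]), lo = hex_nibble(s[*pos + 1]);
    if (hi < 0 || lo < 0) return IHEX_BAD_DIGIT;
    *out = (uint8_t)((hi << 4) | lo);
    *pos += 2;
    return IHEX_OK;
}

/* Parse one ":LLAAAATT<data>CC" record into data[cap]; *len gets the byte count. */
int ihex_parse_record(const char *s, size_t n, uint8_t *data, size_t cap, size_t *len) {
    uint8_t hdr[4], cks, sum = 0;
    size_t pos = 1, i;
    int rc;
    if (n < 1 || s[0] != ':') return IHEX_BAD_START;
    for (i = 0; i < 4; i++) {               /* count, address high/low, type */
        if ((rc = hex_byte(s, n, &pos, &hdr[i])) != IHEX_OK) return rc;
        sum += hdr[i];
    }
    if (hdr[0] > cap) return IHEX_TOO_BIG;  /* bound the count before any write */
    for (i = 0; i < hdr[0]; i++) {
        if ((rc = hex_byte(s, n, &pos, &data[i])) != IHEX_OK) return rc;
        sum += data[i];
    }
    if ((rc = hex_byte(s, n, &pos, &cks)) != IHEX_OK) return rc;
    if ((uint8_t)(sum + cks) != 0) return IHEX_BAD_SUM;  /* all bytes sum to 0 mod 256 */
    *len = hdr[0];
    return IHEX_OK;
}

int main(void) {
    const char *rec = ":0300300002337A1E";  /* constructed sample record */
    uint8_t buf[16]; size_t len = 0;
    int rc = ihex_parse_record(rec, strlen(rec), buf, sizeof buf, &len);
    printf("rc=%d len=%zu\n", rc, len);
    return rc;
}
```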
