Don’t run “strings” against files…

2014.10.27

From http://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html:

Many shell users, and certainly most of the people working in computer forensics or other fields of information security, have a habit of running /usr/bin/strings on binary files originating from the Internet. Their understanding is that the tool simply scans the file for runs of printable characters and dumps them to stdout – something that is very unlikely to put you at any risk.

It is much less known that the Linux version of strings is an integral part of GNU binutils, a suite of tools that specializes in the manipulation of several dozen executable formats using a bundled library called libbfd.

Other well-known utilities in that suite include objdump and readelf. Perhaps simply by the virtue of being a part of that bundle, the strings utility tries to leverage the common libbfd infrastructure to detect supported executable formats and “optimize” the process by extracting text only from specific sections of the file. Unfortunately, the underlying library can be hardly described as safe: a quick pass with afl (and probably with any other competent fuzzer) quickly reveals a range of troubling and likely exploitable out-of-bounds crashes due to very limited range checking.

Check the site for POC code. It’s old and it’s nasty.
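The practical takeaway is to keep libbfd out of the loop. With binutils strings, pass -a (--all) so it scans the whole file without parsing any headers (current binutils releases make that the default and document -d/--data as the switch that re-enables section parsing), or use a tool that does nothing but look for printable runs. The script below is an added example, not code from lcamtuf's post or from binutils: a minimal strings replacement built only on coreutils tr and grep, which never interpret the file as an executable. The function name safe_strings and the sample file scanned in the usage note are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from binutils): a "strings"
# replacement that does only what most users assume strings does -- scan the
# raw bytes for runs of printable ASCII -- and never hands the file to libbfd.
#
# Usage: safe_strings FILE [MINLEN]   (MINLEN defaults to 4, like `strings -n 4`)
#
# Caveat: like plain `strings`, this only finds 7-bit ASCII runs; it will not
# find UTF-16 text (what `strings -e l` would report).
safe_strings() {
    file=$1
    minlen=${2:-4}
    # LC_ALL=C forces tr and grep to work byte-by-byte, so no locale-dependent
    # multibyte decoding happens on untrusted input.
    # tr rewrites every byte outside [:print:] (0x20-0x7E in the C locale) to a
    # newline, so each printable run lands on its own line; grep then keeps
    # only the lines that are at least MINLEN characters long.
    LC_ALL=C tr -c '[:print:]' '\n' < "$file" | LC_ALL=C grep -E ".{${minlen},}"
}

# When run as a script, behave like the command-line tool it replaces.
if [ "$#" -gt 0 ]; then
    safe_strings "$@"
fi
```

Running `sh safe_strings.sh suspicious.bin 6` prints every printable run of six or more bytes. The ELF magic in a real binary shows up only as the three-character run "ELF", which the default minimum length of 4 drops, and nothing in the pipeline ever reads an ELF header, section table or symbol table as anything but bytes.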

Categories : Security