CVE-2022-44840 - Heap Buffer Overflow Vulnerability in binutils readelf (Before 2.40) – Details, Exploit Example, and Mitigation

In late 2022, a serious heap buffer overflow vulnerability was discovered in binutils, commonly used on Linux and other Unix systems. Specifically, the issue occurred in the readelf tool, before version 2.40, within the function find_section_in_set in readelf.c. This long read will walk you through how the vulnerability happens, how it can be exploited, and what you should do to stay safe. We’ll include code snippets, sample exploits, and references for deeper research.

What is binutils and readelf?

binutils is a collection of binary tools used to inspect, manipulate, and transform binary files for Unix-like systems. One of these tools is readelf, which inspects ELF (Executable and Linkable Format) files, commonly used for Linux executables, libraries, and core dumps.

Where’s the Problem? (Short Technical Description)

Vulnerability detail on Mitre
Reported by Zejun Wu, this vulnerability exists in how readelf handles certain Section Header Table entries when parsing malformed ELF files. If an attacker feeds a specially crafted ELF file to readelf, the code in find_section_in_set can write data outside the boundaries of a memory buffer allocated on the heap. This can cause a crash (denial of service) or, in some cases, arbitrary code execution.

From the GNU Binutils source tree

- Vulnerable file: binutils/readelf.c

How the Vulnerability Happens

Let’s break down the section of code (find_section_in_set) that caused the overflow.

Vulnerable C Code Snippet

static void
find_section_in_set (Filedata * filedata,
                     Elf_Internal_Shdr ** set,
                     unsigned int * count,
                     unsigned int * set_size,
                     unsigned int section)
{
  if (*count == *set_size)
    {
      *set_size += 10;
      *set = xrealloc (*set,
                       *set_size * sizeof (Elf_Internal_Shdr *));
    }
  (*set)[(*count)++] = filedata->sections + section;
}

The function adds section header pointers to a dynamically allocated array.

- If the section value is higher than the number of available sections (filedata->section_count), filedata->sections + section points outside the buffer.
- This pointer is then placed into the array, breaking ASAN (AddressSanitizer) and potentially allowing further memory corruption — especially if an attacker controls the contents of the .sections array or the section argument via the input ELF file.

Creating a Malicious ELF File (Exploit Overview)

A bad actor can craft an ELF file that purposely specifies section headers with out-of-bounds indices. Suppose someone sends you a “suspicious_file.elf,” and you run readelf -a suspicious_file.elf, your system could crash or, if coupled with other vulnerabilities, execute malicious code.

Sample Exploit Steps

1. Craft Malformed ELF: Use a hex editor or a Python script to set the ELF section header count to a low number, but set a section index elsewhere in the file to a very high value.

Run readelf: The readelf tool will process the out-of-bounds section and trigger the bug.

3. Potential Result: A crash, abort, or, in guided exploitation scenarios, possibly running payload code.

Simple Python Snippet to Break ELF Section Index

with open('benign.elf', 'rb') as fin:
    elf_bytes = bytearray(fin.read())

# Offset for e_shnum (Section header count) in ELF64: x3C (60)
# Set low section count
elf_bytes[x3C] = 1

# Offset for an out-of-bounds section index somewhere (varies with file)
# For demo, change byte at x100 to xFF (likely wrong in real file)
elf_bytes[x100] = xFF

with open('bad.elf', 'wb') as fout:
    fout.write(elf_bytes)

*Note: To perform a real exploit, you’d need to understand the ELF format in depth.* See ELF format docs.

Reference Links

- Official GNU binutils bug report (Bugzilla)
- Patch fixing CVE-2022-44840
- Debian Security Advisory DSA-5331-1
- CVE Record at Mitre
- GNU Binutils Source code

Real World Impact

- Who is affected: Everyone using binutils’ readelf tool before version 2.40, particularly on systems where binutils are called on untrusted ELF files.
- Threat scenario: Local or remote attackers could use this to crash the tool, potentially escalate privileges, or inject code (combined with other issues).

`

apt update && apt upgrade # For Debian/Ubuntu
yum update binutils # For CentOS/RHEL

Conclusion

CVE-2022-44840 is a classic heap buffer overflow flaw in a widely used binary tool. While readelf is not a network client, it often touches untrusted files (think malware researchers or build servers), so this bug is worth taking seriously! Patch your systems and always handle suspicious ELF files with care.

Timeline

Published on: 08/22/2023 19:16:00 UTC
Last modified on: 08/26/2023 02:14:00 UTC