CVE-2022-47695 - How a Vulnerability in Binutils Objdump's Mach-O Parser Led to a Denial-of-Service Attack
*Published: 2024-06-15*
Introduction
In the world of open-source tools, the GNU Binutils package is a cornerstone, with tools like objdump and readelf used every day by developers, security researchers, and reverse engineers. But just like any complex piece of software, Binutils can contain bugs that become security vulnerabilities. CVE-2022-47695 is one such bug, reported in December 2022, that affected objdump and could allow attackers to crash the tool (a Denial-of-Service, or DoS) by crafting a malicious Mach-O file.
In this post, we'll unpack what CVE-2022-47695 is, see how it happens in the code, and explore how it could be triggered. We'll also share references and ways to keep your tools protected.
What is Binutils Objdump?
objdump is part of the Binutils package, used to display information about object files (like ELF, PE, and Mach-O formats). It's widely used for disassembly and reverse engineering — but parsing many formats and supporting legacy features makes it complex and error-prone.
Where Does CVE-2022-47695 Live?
The vulnerability lies in the bfd_mach_o_get_synthetic_symtab function, located in mach-o.c inside Binutils.
Mach-O is the object file format used by macOS. Binutils supports Mach-O to help with cross-platform work, but traditionally, Linux tools don’t scrutinize Mach-O as closely as ELF.
What Went Wrong?
Before version 2.39.3, objdump didn't properly validate certain properties of symbols and sections in Mach-O files. If an attacker created a malicious Mach-O file with specially-crafted section info, objdump could get confused when building a "synthetic symbol table," end up reading from the wrong place in memory, and crash. In rare, speculative cases this might lead to other consequences, but the main effect is DoS: if you run objdump on an untrusted Mach-O, it can crash outright.
Note: While this is not a remote code execution bug, it could matter in cases where you process untrusted binaries with automation (like a web service that analyzes uploads).
Code Snippet: Vulnerable Function
Here’s a code snippet highlighting the problem area in bfd_mach_o_get_synthetic_symtab (*simplified for clarity*):
bool bfd_mach_o_get_synthetic_symtab(bfd *abfd, long *symcount,
asymbol **syms, long *dyncount,
asymbol **dynsyms, long *retcount,
asymbol **retsyms) {
// ...
for (i = ; i < nsects; i++) {
section = sections[i];
// process section to build synthetic symbols
// ...
// Vulnerable: not enough validation here
// If the section fields are malformed, may crash or misbehave
}
// ...
}
The missing verification on the number and structure of Mach-O sections allowed a file to cause objdump to crash.
To exploit this, an attacker would
1. Craft a Mach-O file with corrupted section fields: like, an excessive number of sections, or sections pointing outside the file’s bounds.
PoC (Proof of Concept) Outline
# Suppose crafted.macho is our malicious file (requires hex editor or python script to construct)
objdump -x crafted.macho
# Output: Segmentation fault (core dumped) or some error
See this public report and proof-of-concept for details on a minimal crash file.
How Was It Fixed?
The Binutils maintainers improved bounds checking and validation for Mach-O section processing in v2.39.3 and newer. They now reject files with invalid or dangerous section counts and structure, preventing the crash.
Patch reference
Or allow users to upload arbitrary binary files for processing
Update Binutils to v2.39.3 or later to be protected from CVE-2022-47695.
References
- NVD Entry: CVE-2022-47695
- Binutils source code (mach-o.c)
- GitHub Advisory and POC
- Upstream Patch Commit
Conclusion
CVE-2022-47695 is a reminder that even trusted open-source tools like Binutils can hide vulnerabilities, especially in lesser-used code paths like Mach-O parsing. If you use objdump often—or build systems that parse untrusted binaries—make sure you’re patched and up to date.
Timeline
Published on: 08/22/2023 19:16:00 UTC
Last modified on: 08/26/2023 02:14:00 UTC