One of the first things a malware analyst does when encountering a suspicious executable file is to extract the text strings found inside it, because they can provide immediate clues about its purpose. This operation has long been considered safe, but it can actually lead to a system compromise, a security researcher found.
String extraction is typically done using a Linux command-line tool called strings that's part of GNU Binutils, a collection of tools for binary file analysis and manipulation available by default in most Linux distributions.
Google security engineer Michal Zalewski was recently running a type of vulnerability testing known as fuzzing against a library called libbfd (the Binary File Descriptor library) that sits at the core of GNU Binutils and is used for file format parsing. Fuzzing is the act of providing unexpected input to an application like libbfd in order to trigger potentially exploitable behavior.
What Zalewski found was, in his own words, "a range of troubling and likely exploitable out-of-bounds crashes due to very limited range checking." These are the kinds of errors that can lead to arbitrary code execution.
"Many shell users, and certainly most of the people working in computer forensics or other fields of information security, have a habit of running /usr/bin/strings on binary files originating from the Internet," Zalewski said in a blog post in which he documents one such vulnerability. "Their understanding is that the tool simply scans the file for runs of printable characters and dumps them to stdout — something that is very unlikely to put you at any risk."
According to Zalewski, that's not the case because the strings utility relies on libbfd to optimize the analysis process for supported executable formats. This means an attacker could create a binary file that exploits vulnerabilities in libbfd when analyzed by the strings utility in order to execute arbitrary code on the underlying system.
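The scan described above, done the way users assume strings works, as an added example that is neither the article's nor Binutils' code: a small Python extractor that treats the file purely as bytes, so no executable-format header is ever parsed. The function names and the sample buffer are constructed for illustration.

```python
"""Dependency-free string extraction: scan raw bytes for printable runs
without handing the file to any format parser (the libbfd path above)."""
import re
from typing import List, Tuple


def extract_strings(data: bytes, min_len: int = 4, encoding: str = "s") -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of at least min_len printable characters.

    encoding "s" = single-byte 7-bit characters (what GNU strings' -e s selects),
    encoding "l" = 16-bit little-endian (its -e l), which catches the UTF-16
    strings common in Windows binaries. The whole buffer is scanned, so a
    malformed ELF/PE/Mach-O header cannot influence the scan.
    """
    if min_len < 1:
        raise ValueError("min_len must be positive")
    if encoding == "s":
        # printable ASCII (space..~) plus tab, as a run of min_len or more
        pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
        decode = lambda b: b.decode("ascii")
    elif encoding == "l":
        # the same characters, each followed by a NUL high byte
        pattern = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)
        decode = lambda b: b.decode("utf-16-le")
    else:
        raise ValueError("encoding must be 's' or 'l'")
    return [(m.start(), decode(m.group())) for m in pattern.finditer(data)]


def extract_file(path: str, min_len: int = 4) -> List[Tuple[int, str]]:
    """Scan a file on disk in both encodings, results sorted by offset."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(extract_strings(data, min_len, "s") + extract_strings(data, min_len, "l"))


# Constructed sample (not a valid ELF file): ELF magic followed by meaningless
# header bytes, an ASCII string, binary filler and a UTF-16LE string.
SAMPLE = (b"\x7fELF" + b"\xff" * 12 + b"libc.so.6\x00" + b"\x01\x02\x03"
          + "KERNEL32.DLL".encode("utf-16-le") + b"\x00\x00" + b"ab")

if __name__ == "__main__":
    for off, text in sorted(extract_strings(SAMPLE) + extract_strings(SAMPLE, encoding="l")):
        print(f"{off:#010x}  {text}")
```

GNU strings' own -a (--all) option takes the same whole-file path and skips libbfd, and later Binutils releases made it the default.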
The problem is made worse by the fact that many Linux distributions ship the strings utility without address space layout randomization (ASLR), a protection mechanism that makes exploiting vulnerabilities harder. This makes potential attacks "easier and more reliable — a situation reminiscent of one of the recent bugs in bash," Zalewski said.
The impact is not limited to strings. Other GNU Binutils components like objdump and readelf, or even custom tools that leverage libbfd, are likely susceptible to similar attacks.
Executing strings against a binary file downloaded from the Internet is not something a regular user would normally do — at least not without being socially engineered by the attacker. However, the risk is much higher for people whose job it is to analyze hostile files every single day.