CVE-2020-21047: Denial-of-Service Vulnerability in the libcpu Component of elfutils version .177

A recently discovered security vulnerability in the libcpu component, used by libasm of elfutils version .177 (git 47780c9e), poses a significant risk for denial-of-service attacks. In this post, we will provide an in-depth look at the vulnerability, its implications, and how attackers can exploit it by crafting specific ELF files.

Background

The libcpu component plays a critical role in ELF files as it handles the disassembly of binary code. ELF (Executable and Linkable Format) files are commonly used as executables, object files, shared libraries, and core dumps in computer systems. In elfutils version .177 (git 47780c9e), the libcpu component, which supports the libasm library, suffers from three distinct vulnerabilities. These vulnerabilities are related to out-of-bounds write (CWE-787), off-by-one error (CWE-193), and reachable assertion (CWE-617).

How The Vulnerability Works

The vulnerability is caused by missing bound checks in the libcpu component when an application processes certain ELF files. Attackers can exploit the vulnerability by crafting specific ELF files that trigger the missing bound checks, causing application crashes, and potentially inducing a denial-of-service state.

Exploit Details

To exploit this vulnerability, attackers must create malicious ELF files designed to bypass the missing bound checks in the libcpu component. The following code snippet demonstrates an example of a crafted ELF file:

#include <stdio.h>
#include <stdlib.h>
#include <elf.h>
 
void create_elf(char *filename) {
    FILE *file = fopen(filename, "wb");
    Elf64_Ehdr ehdr = {};
 
    ehdr.e_ident[EI_MAG] = ELFMAG;
    ehdr.e_ident[EI_MAG1] = ELFMAG1;
    ehdr.e_ident[EI_MAG2] = ELFMAG2;
    ehdr.e_ident[EI_MAG3] = ELFMAG3;
 
    // Additional crafted ELF file parameters and structures go here
 
    fwrite(&ehdr, 1, sizeof(Elf64_Ehdr), file);
 
    fclose(file);
}
 
int main(void) {
    create_elf("crafted_elf_file");
    return ;
}

To demonstrate the exploitation of the vulnerability, compile the above code using the following command:

gcc exploit.c -o exploit

Next, run the compiled exploit to generate the crafted ELF file

./exploit

Finally, process the crafted ELF file using an application linked with the vulnerable version of the libasm library:

application-linked-with-libasm crafted_elf_file

This will trigger application crashes resulting from the out-of-bounds write, off-by-one error, and reachable assertion vulnerabilities, potentially causing a denial-of-service state.

The original disclosure of this vulnerability can be found at the following link

- CVE-2020-21047

A patch has been provided by the developers of elfutils and can be found here

- elfutils commit e093d818e40cad415da408ca9db2ee850bda552f

Conclusion

CVE-2020-21047 highlights the potential risk posed by application crashes in the libcpu component of elfutils version .177 (git 47780c9e). To mitigate the risk of this vulnerability, users are advised to patch their installations of elfutils and monitor for updates from the developers. By staying informed and up-to-date on security developments, users can help protect themselves and their systems from potential denial-of-service attacks.

Timeline

Published on: 08/22/2023 19:16:09 UTC
Last modified on: 11/07/2023 03:19:43 UTC