How the CVE Works:
The vulnerability occurs in the `xmas-elf` crate when parsing a malformed ELF file. The `HashTable::get_bucket` and `HashTable::get_chain` functions fail to properly validate indices against the ELF section size, relying only on `bucket_count` and `chain_count` for bounds checking. An attacker can craft an ELF file with manipulated `bucket_count` or `chain_count` values, causing the parser to read out-of-bounds memory when accessing hash table entries. This could lead to information disclosure or crashes.
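As an added example (not code from the xmas-elf crate or from its patch), the reader below parses a SysV-style ELF hash section the way the fix requires: it checks the declared `bucket_count` and `chain_count` against the section's actual byte length before any entry is read, uses overflow-safe arithmetic so oversized counts cannot wrap the size calculation, and caps the chain walk so a crafted cycle cannot hang the parser. The section layout, the `HashTable`, `get_bucket` and `get_chain` names, and the constructed sample inputs are assumptions made for this example.

```rust
// Added example, not code from the xmas-elf crate: a SysV-style ELF hash
// section reader that checks every access against the section's real byte
// length instead of trusting the attacker-controlled nbucket/nchain fields.
// Assumed layout (little-endian u32 words): nbucket | nchain | bucket[nbucket] | chain[nchain]

#[derive(Debug, PartialEq)]
pub enum HashError {
    Truncated,        // declared arrays do not fit inside the section
    BucketOutOfRange, // bucket index >= nbucket
    ChainOutOfRange,  // chain index >= nchain
}

pub struct HashTable<'a> {
    section: &'a [u8],
    bucket_count: u32,
    chain_count: u32,
}

/// Bounds-checked LE u32 read; None if the word is not fully inside `bytes`.
fn read_u32(bytes: &[u8], offset: usize) -> Option<u32> {
    let w = bytes.get(offset..offset.checked_add(4)?)?;
    Some(u32::from_le_bytes([w[0], w[1], w[2], w[3]]))
}

impl<'a> HashTable<'a> {
    /// Parse the header and verify, with overflow-safe arithmetic, that the
    /// declared bucket and chain arrays are actually present in `section`.
    pub fn new(section: &'a [u8]) -> Result<Self, HashError> {
        let bucket_count = read_u32(section, 0).ok_or(HashError::Truncated)?;
        let chain_count = read_u32(section, 4).ok_or(HashError::Truncated)?;
        let needed = (bucket_count as usize)
            .checked_add(chain_count as usize)
            .and_then(|n| n.checked_mul(4))
            .and_then(|n| n.checked_add(8))
            .ok_or(HashError::Truncated)?;
        if needed > section.len() {
            return Err(HashError::Truncated); // reject rather than read OOB
        }
        Ok(HashTable { section, bucket_count, chain_count })
    }

    pub fn get_bucket(&self, index: u32) -> Result<u32, HashError> {
        if index >= self.bucket_count {
            return Err(HashError::BucketOutOfRange);
        }
        // No overflow: new() proved 8 + 4 * bucket_count fits in the section.
        read_u32(self.section, 8 + index as usize * 4).ok_or(HashError::Truncated)
    }

    pub fn get_chain(&self, index: u32) -> Result<u32, HashError> {
        if index >= self.chain_count {
            return Err(HashError::ChainOutOfRange);
        }
        let offset = 8 + (self.bucket_count as usize + index as usize) * 4;
        read_u32(self.section, offset).ok_or(HashError::Truncated)
    }

    /// Symbol indices reachable from `bucket_index`. The walk is capped at
    /// `chain_count` steps so a crafted cycle in the chain array terminates.
    pub fn chain_from_bucket(&self, bucket_index: u32) -> Result<Vec<u32>, HashError> {
        let mut symbols = Vec::new();
        let mut sym = self.get_bucket(bucket_index)?;
        let mut steps = 0;
        while sym != 0 && steps < self.chain_count {
            symbols.push(sym);
            sym = self.get_chain(sym)?; // chain index validated against nchain
            steps += 1;
        }
        Ok(symbols)
    }
}

/// Constructed test input: serialise counts and arrays into section bytes.
pub fn build_section(buckets: &[u32], chains: &[u32]) -> Vec<u8> {
    let header = [buckets.len() as u32, chains.len() as u32];
    let mut out = Vec::new();
    for word in header.iter().chain(buckets).chain(chains) {
        out.extend_from_slice(&word.to_le_bytes());
    }
    out
}

/// Constructed malformed section: the header claims 1000 buckets, but only
/// the 8-byte header itself is present.
pub fn malformed_section() -> Vec<u8> {
    let mut out = 1000u32.to_le_bytes().to_vec();
    out.extend_from_slice(&0u32.to_le_bytes());
    out
}

fn main() {
    let good = build_section(&[1, 0], &[0, 2, 0]);
    let table = HashTable::new(&good).expect("well-formed section");
    println!("chain from bucket 0: {:?}", table.chain_from_bucket(0));
    println!("bucket 5: {:?}", table.get_bucket(5));
    println!("malformed: {:?}", HashTable::new(&malformed_section()).err());
}
```

Feeding the constructed malformed section to `HashTable::new` returns `Truncated` instead of reading past the buffer; rejecting the header at parse time, rather than trusting `bucket_count` and `chain_count` at lookup time, is the check the Protection section below recommends.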
DailyCVE Form:
Platform: xmas-elf
Version: <1.2.0
Vulnerability: OOB Read
Severity: Moderate
Date: 2025-03-26
What Undercode Says:
Exploitation:
1. Craft a malicious ELF file with oversized `bucket_count` or `chain_count`.
2. Insert invalid indices in hash table entries.
3. Trigger parsing via `xmas-elf` to read OOB data.
Protection:
- Update to xmas-elf >=1.2.0.
- Validate indices against section size before access.
Detection:
Check the installed version:
cargo tree | grep xmas-elf
Patch Analysis:
// Fixed bounds check in xmas-elf 1.2.0
if index >= section_size {
    return Err("Invalid index");
}
Exploit PoC (Conceptual):
with open("malicious.elf", "wb") as f:
    f.write(b"\x7fELF...")  # Insert manipulated bucket_count
Mitigation Workaround:
Cargo.toml:
[dependencies]
xmas-elf = ">=1.2.0"
Debugging:
Valgrind check for OOB reads:
valgrind --tool=memcheck ./elf_parser malicious.elf
References:
Reported By: https://github.com/advisories/GHSA-9cc5-2pq7-hfj8