GDB UPX vulnerability not a UPX vulnerability at all
I got curious when I saw the post on SecuriTeam regarding the GDB buffer overflow caused by UPX, since I played a bit with files with that format myself lately.
So, I took my keyboard and got myself to download the crafted UPX file, and indeed GDB got a seg fault. So far so good. I wanted to see what UPX property actually causes the GDB to crash, so I decided to take a deeper look into the file.
The first thing I’ve noticed, was that the file didn’t include the UPX magic (“UPX!”), which was a bit suspicious to me – though as far as I remember it is not an actual requirement in UPX files, in practice I think most UPXed files include it. Moreover, the usual compressed “gibberish” (the actual application code, after compression), was obviously missing, which confirmed my assumption that the file was actually cut. This is nothing unusual for sanitized files of course, but in this special case, the UPX file’s headers were also cut. That led me to the conclusion that the problem is not related to an invalid UPX handling in GDB, but to general invalid PE handling.
A simple test confirmed my assumption: I changed all the sections’ names (which were the last actual thing that related the file to UPX) from UPXn to BLAn. Not surprisingly – GBD still crashed.
To make a long story short (too late? ), I kept sanitizing the file (the result is posted below) and after testing it on GDB, I believe that the problem is the Symbol Table Pointer: GDB crashes (allegedly, as I did not spent too much time testing this), because the pointer points out of the file’s boundary. Another confirmation to this can be found in the original bug report dump, which mentions “process_coff_symbol…” in coffread.c.
The sanitized file: