
Bug: DOS when iterating over sections #370

Closed
pd-fkie opened this issue Aug 30, 2021 · 4 comments

Comments

@pd-fkie

pd-fkie commented Aug 30, 2021

Applications using pyelftools are susceptible to DOS when parsing an ELF file whose

  1. e_shentsize is zero
  2. e_shnum is larger than the actual number of entries in the section header table

The function ELFFile.iter_sections iterates over i in range(self['e_shnum']) and yields sections
at file offset self['e_shoff'] + i * self['e_shentsize'].
If e_shentsize is zero this will return the first section over and over again.
Thus a malicious ELF file can make pyelftools return the first section 9223372036854775808 times
and cause a DOS.

My question here is: Can you make pyelftools throw an exception if e_shentsize is zero because that would get rid of the DOS?
An e_shentsize of zero doesn't make sense anyway.

An exemplary ELF file that can trigger this can be found here: timeout-3561f873d79b09ce755b0981d3df30b9ac0ca0d3
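The sanity check the report asks for, as an added example written for this thread (not pyelftools' own code): a small pure-Python ELF64 header parser that rejects a zero `e_shentsize` and a section header table that would run past the end of the file before anything iterates over it. The helper `make_header` only builds constructed test inputs; the ELF64 layout and the 64-byte `Elf64_Shdr` size are from the ELF specification.

```python
import struct

# ELF64 header, little-endian: e_ident[16], e_type, e_machine, e_version, e_entry,
# e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
ELF64_HDR = struct.Struct("<16sHHIQQQIHHHHHH")
ELF64_SHDR_SIZE = 64  # sizeof(Elf64_Shdr)


class MalformedElf(ValueError):
    """Raised when the section header table fields cannot be trusted."""


def checked_section_offsets(data: bytes) -> list:
    """Validate e_shoff / e_shentsize / e_shnum against the file size and return the
    file offset of every section header. Raises MalformedElf instead of yielding the
    same zero-sized entry e_shnum times or reading past the end of the buffer.
    Note: the extended-numbering case (e_shnum == 0 with the real count stored in
    section 0's sh_size) is deliberately not handled here."""
    if len(data) < ELF64_HDR.size or data[:4] != b"\x7fELF":
        raise MalformedElf("not an ELF64 file")
    fields = ELF64_HDR.unpack_from(data)
    e_shoff, e_shentsize, e_shnum = fields[6], fields[11], fields[12]
    if e_shnum == 0:
        return []  # a file without a section header table is legal
    if e_shentsize < ELF64_SHDR_SIZE:
        raise MalformedElf(f"e_shentsize={e_shentsize} is smaller than an Elf64_Shdr")
    table_end = e_shoff + e_shnum * e_shentsize  # Python ints do not overflow here
    if e_shoff < ELF64_HDR.size or table_end > len(data):
        raise MalformedElf(f"section table [{e_shoff}, {table_end}) exceeds file size {len(data)}")
    return [e_shoff + i * e_shentsize for i in range(e_shnum)]


def is_rejected(data: bytes) -> bool:
    """True if the header fails validation (convenience wrapper for callers/tests)."""
    try:
        checked_section_offsets(data)
    except MalformedElf:
        return True
    return False


def make_header(e_shoff: int, e_shentsize: int, e_shnum: int) -> bytes:
    """Constructed test input: a minimal x86-64 ET_EXEC header with the given table fields."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9  # ELFCLASS64, little-endian, EV_CURRENT
    return ELF64_HDR.pack(ident, 2, 62, 1, 0, 0, e_shoff, 0, 64, 56, 0, e_shentsize, e_shnum, 0)


if __name__ == "__main__":
    good = make_header(64, 64, 3) + b"\x00" * (3 * 64)
    print(checked_section_offsets(good))            # [64, 128, 192]
    print(is_rejected(make_header(64, 0, 0xFFFF) + b"\x00" * 64))  # True
```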

@eliben
Owner

eliben commented Aug 31, 2021

Thanks for the report. PRs to fix this are welcome.

@eliben
Owner

eliben commented Sep 1, 2021

To be clear, pyelftools was never designed to be used in security-critical settings. For example, it's not particularly fast (being pure Python and all), and it can be trivially "DOS"-ed by passing a file with large DWARF data.

I'll gladly accept a PR that fixes this specific issue, but this isn't a high priority for me in any way.

@sevaa
Contributor

sevaa commented Dec 13, 2023

It's not a DoS if the only computer you've sabotaged is yours.

pyelftools doesn't listen on a network - the DoS can't be triggered by a remote attacker. If the attacker already has the ability to execute arbitrary Python on your machine - you've got bigger problems.

If a third-party piece accepts binaries from untrusted callers and passes them to pyelftools uncritically - that's on the said piece.

For an extended version of the same argument, see this:
https://devblogs.microsoft.com/oldnewthing/20220627-00/?p=106792

@sevaa
Contributor

sevaa commented Apr 17, 2024

@pd-fkie Addressed in #522. Also the same for e_phentsize.

@pd-fkie pd-fkie closed this as completed Apr 17, 2024