VYPR
Low severity · NVD Advisory · Published May 3, 2024 · Updated Aug 2, 2024

CVE-2024-31636

Description

An issue in LIEF v.0.14.1 allows a local attacker to obtain sensitive information via the name parameter of the machd_reader.c component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LIEF v0.14.1 contains an uninitialized `name` field in the Mach-O reader, leading to information disclosure or crash via local exploitation.

Vulnerability Description

CVE-2024-31636 is an information disclosure issue in LIEF (Library to Instrument Executable Formats) version 0.14.1. The flaw resides in the Mach-O reader component (machd_reader.c), specifically within the init_c_binary() function [1]. When LIEF parses a Mach-O binary, the name field of the Macho_Binary_t C structure is never assigned a value. As a result, any subsequent operation that attempts to print or display the binary name via binary->name will dereference uninitialized memory, leading to the output of random data (sensitive information) or a program crash [1][4]. The root cause is that the name member was included in the C struct but no corresponding initialization was added in the parsing pipeline [4].

Attack Vector and Prerequisites

Exploitation requires local access to a system where LIEF is used to parse a specially crafted Mach-O file. The attacker provides a malicious Mach-O binary as input to LIEF's parsing API or a LIEF-based tool that prints the binary name [1]. No authentication is needed beyond the ability to invoke LIEF; the attack is triggered when the application reads the name field after parsing. The issue is reproducible on Ubuntu 20.04 with gcc 9.4.0 and LIEF commit bae887e [1]. AddressSanitizer reports confirm that the crash originates from an uninitialized value read.

Impact

A local attacker can exploit this uninitialized memory read to leak sensitive information from the process's memory, such as heap data or other application secrets, or cause a denial of service via abnormal program termination. The bug is classified as an information disclosure and availability issue.

Mitigation

The vulnerability was addressed by the LIEF maintainers. The fix, introduced in commit 307e113f8e00b034f0a5f1baa33e54d636c52ea3, removes the name member from the Macho_Binary_t struct entirely, and also removes the corresponding fprintf calls that relied on it [4]. Users should update to a patched version of LIEF (e.g., any release after the commit date). No workaround is available other than avoiding the use of LIEF to parse untrusted Mach-O files until the patch is applied.
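The failure mode described above, as an added example that is not LIEF's code: `demo_binary_t`, both init functions and `safe_name` are hypothetical names, and the 0xAA fill is a constructed stand-in for stale heap bytes so the check is deterministic. It contrasts an init routine that never assigns `name` with one that zero-initializes the struct first; the upstream fix removed the member instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a C-API binary struct; not LIEF's real layout. */
typedef struct {
    const char *name;     /* the member the parser never assigns */
    uint32_t    nb_cmds;
} demo_binary_t;
#define POISON 0xAA       /* constructed marker standing in for stale heap bytes */

/* Vulnerable pattern: fills some fields, leaves name as whatever was there. */
void init_vulnerable(demo_binary_t *b, uint32_t n) { b->nb_cmds = n; }

/* Hardened pattern: zero-initialize every member, then fill the known ones. */
void init_hardened(demo_binary_t *b, uint32_t n) {
    *b = (demo_binary_t){0};
    b->nb_cmds = n;
}

/* Returns 1 if name still holds only the stale marker bytes (never assigned). */
int name_is_stale(const demo_binary_t *b) {
    unsigned char raw[sizeof b->name];
    memcpy(raw, &b->name, sizeof raw);   /* inspect bytes, never dereference */
    for (size_t i = 0; i < sizeof raw; i++)
        if (raw[i] != POISON) return 0;
    return 1;
}

/* Accessor that stays printable when no name was set. */
const char *safe_name(const demo_binary_t *b) {
    return b->name ? b->name : "<unnamed>";
}

/* Runs one init function over a pre-filled allocation; 1 = name left stale. */
int run_case(void (*init)(demo_binary_t *, uint32_t)) {
    demo_binary_t *b = malloc(sizeof *b);
    if (!b) return -1;
    memset(b, POISON, sizeof *b);        /* simulate a recycled heap chunk */
    init(b, 3);
    int stale = name_is_stale(b);
    free(b);
    return stale;
}

int main(void) {
    printf("stale after vulnerable init: %d, after hardened init: %d\n",
           run_case(init_vulnerable), run_case(init_hardened));
    return 0;
}
```

Building parser code with AddressSanitizer or MemorySanitizer and running it over sample inputs is the usual way to catch this class of read before release.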

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| lief (PyPI) | < 0.15.0 | 0.15.0 |
