[svlug] [conspire] (forw) Re: [OCLUG] Pulling text out of a data file

Ivan Sergio Borgonovo mail at webthatworks.it
Sun Jan 22 05:17:09 PST 2017

On 01/22/2017 11:32 AM, Rick Moen wrote:
> ----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----
> Date: Sun, 22 Jan 2017 01:10:11 -0800
> From: Rick Moen <rick at linuxmafia.com>
> To: oclug at mailman.oclug.org
> Subject: Re: [OCLUG] Pulling text out of a data file
> Quoting thomas moore (thomasmoore17 at gmail.com):
>> Hi all,
>> Suppose I have a data file or some such. If you try to less this file you
>> get a bunch of garbage. However sometimes contained in the file are
>> short sequences of text. If you want to read these little scraps all
>> you have to do is scroll down through the file - - - provided the file
>> is short, say a few kBs.
> Unless you are sure where the binary file came from (and can rule out it
> being crafted to attack unwary Linux admins), you should take care to
> include the '-a' switch when you use GNU strings(1) for this purpose,
> because of this surprising security pitfall, the libbfd library::
> https://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.htm
> In fact, an argument can be made for
> 1. aliasing 'strings' to 'strings -a' in your login's ~/.bashrc, and

Or simply fix the bug and change the default:

from man strings

        -   Scan the whole file, regardless of what sections it contains 
or whether those sections are loaded or initialized.  Normally this is 
the default
            behaviour, but strings can be configured so that the -d is 
the default instead.

            The - option is position dependent and forces strings to 
perform full scans of any file that is mentioned after the - on the 
command line, even if the -d
            option has been specified.

ivan at box:~$ wget -q -O- http://lcamtuf.coredump.cx/strings-bfd-badptr2 | 
strings -d

It's time to update to systemd ;)

 > 2. trying to avoid running strings(1) with root privilege.


Ivan Sergio Borgonovo
http://www.webthatworks.it http://www.borgonovo.net

More information about the svlug mailing list