Darkseal / DownPicker

A lightweight DropDownList / ComboBox for iOS, written in Objective-C
MIT License
202 stars 93 forks

Not Using Built-in Binary Protection (Stack Smashing) Exposes App Components to Memory Corruption Attacks #59

Open arunSriramulaWYH opened 6 months ago

arunSriramulaWYH commented 6 months ago

Description

Stack smashing protection has not been implemented in components included in the application. When an application is compiled with stack smashing protection, a known value or "canary" is placed on the stack directly before the local variables to protect the saved base pointer, saved instruction pointer, and function arguments. The value of the canary is verified upon the function return to see if it has been overwritten. The compiler uses a heuristic to intelligently apply stack protection to a function, typically functions using character arrays. This is a very simple best practice that hardens your app with little to no downside. Memory corruption vulnerabilities can be very hard to track down, but can be extremely severe. One thing to note, it is possible that an included binary does not have these protections and it is possible that a third party would have to correct the problem. In a rare edge case, Xamarin does include a library called libxamarin-app.so that is not compiled with SSP but may not be vulnerable because it is an empty file. Users should validate that it is in fact empty before hiding that specific result.

Steps To Reproduce

This test checks if the individual components inside the compiled binary used stack canaries to prevent buffer overflows.

Business Impact

This app does not protect against a specific type of attack that can expose the app to an attacker performing custom actions. These custom actions could potentially give them access to sensitive information from the app or the device.

Recommended Fix

In Xcode, under the Build Settings for the app, go to the "Other C Flags" section and add in -fstack-protector-all.
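One way to run the check the report describes, as an added example that is not part of the issue or of the DownPicker project: a Python sketch that reads the symbol table of a compiled component and looks for the stack-canary symbols `___stack_chk_fail` and `___stack_chk_guard`. It assumes a thin 64-bit little-endian Mach-O (fat binaries would need splitting with `lipo` first); the function names and the `build_sample` helper, which constructs a minimal test binary, are hypothetical.

```python
import struct, sys

MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit little-endian Mach-O
LC_SYMTAB = 0x2               # load command that locates the symbol table
CANARY_SYMBOLS = {"___stack_chk_fail", "___stack_chk_guard"}

def symbol_names(macho: bytes) -> set:
    """Return every symbol name listed in the binary's LC_SYMTAB table."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O")
    names, off = set(), 32                      # load commands follow the header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", macho, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command")
        if cmd == LC_SYMTAB:
            symoff, nsyms, stroff, strsize = struct.unpack_from("<4I", macho, off + 8)
            strtab = macho[stroff:stroff + strsize]
            for i in range(nsyms):              # nlist_64 entries are 16 bytes each
                (strx,) = struct.unpack_from("<I", macho, symoff + 16 * i)
                end = strtab.find(b"\0", strx)
                raw = strtab[strx:end] if end != -1 else strtab[strx:]
                names.add(raw.decode("ascii", "replace"))
        off += cmdsize
    return names

def has_stack_canary(macho: bytes) -> bool:
    # False means no canary reference was found; it also occurs when the
    # compiler's heuristic saw no function that needed protection.
    return bool(CANARY_SYMBOLS & symbol_names(macho))

def build_sample(symbols) -> bytes:
    """Constructed sample: header + LC_SYMTAB + nlist_64 entries + string table."""
    strtab, entries = b"\0", b""
    for s in symbols:
        entries += struct.pack("<IBBHQ", len(strtab), 0x01, 0, 0, 0)  # undefined external
        strtab += s.encode() + b"\0"
    symoff = 32 + 24
    stroff = symoff + len(entries)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 24, 0, 0)
    symtab = struct.pack("<6I", LC_SYMTAB, 24, symoff, len(symbols), stroff, len(strtab))
    return header + symtab + entries + strtab

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:          # path to one compiled component
        print("stack canary referenced:", has_stack_canary(f.read()))
```

A component built with the flag from the recommended fix should report a canary reference, since that flag applies protection to every function rather than only those the heuristic selects.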