Closed nfmobile closed 3 years ago
Hey @nfmobile thanks for raising this. Just to make sure I understand what you're saying: even though version 0.0.9 (current master) has #136 merged in, the libtool-checker.so is still showing as not having the stack canaries value added?
~Also checksec is that the MOBSF security scanning tool? or something I can use to verify?~ I see checksec is this https://github.com/slimm609/checksec.sh
Hi @scottyab, yes, even with the latest version 0.0.9 (current master), the warning is still appearing. The MOBSF tool is using https://github.com/slimm609/checksec.sh. We have downloaded the so file from https://github.com/scottyab/rootbeer/blob/master/rootbeerlib/src/main/jniLibs/x86_64/libtool-checker.so and applied the command `./checksec --format=cli --file=libtool-checker.so`, and "no canaries found" still appeared on the current master so file. This was the reply from the MOBSF support team (https://mobsf.slack.com/archives/C0QMLNKMF/p1620653719191900):
"Try running a tool like https://github.com/slimm609/checksec.sh on the .so files to verify the results from MobSF. If you still see it reporting the issues, that means the compiler flag was not used for the build."
@nfmobile I've just cleaned and recompiled and pushed the updated binaries to master. You should see https://github.com/scottyab/rootbeer/blob/master/rootbeerlib/src/main/jniLibs/x86_64/libtool-checker.so was updated just now.
Please can you verify with the checksec.sh tool and let me know the results?
If it passes your checks then I'll update a new release Rootbeer 0.1.0 with these updated binaries and updated changelog.
@scottyab we have checked the recompiled so files with checksec.sh and canaries are still not found. I believe we should recompile the so files, passing the option `-fstack-protector-all` to the compilation command to enable stack canaries. The following links might help: https://dwheeler.com/secure-programs/Secure-Programs-HOWTO/compilation-c.html and https://security.stackexchange.com/questions/158609/how-is-the-stack-protection-enforced-in-a-binary
Hmm, thanks for the reply. If you see the Android make file, the `-fstack-protector-all` flag is passed. Maybe it's something here that's not quite right. 🤔
Update: @stealthcopter has kindly offered to look into this, hopefully, we'll have an update next week.
Dear Support Team,
We are using the cordova-plugin-iroot, which internally uses rootbeer as a dependency. When scanning the APK of our Ionic application using the MOBSF security scanning tool, we are getting the following fstack warning: "This shared object does not have a stack canary value added to the stack. Stack canaries are used to detect and prevent exploits from overwriting return address. Use the option -fstack-protector-all to enable stack canaries." We have opened a ticket with cordova-plugin-iroot to upgrade to the latest rootbeer 0.0.9 ( https://github.com/WuglyakBolgoink/cordova-plugin-iroot/issues/53 ), then tried again and found that the issue still exists. Then we downloaded the so file directly from GitHub ( https://github.com/scottyab/rootbeer/blob/master/rootbeerlib/src/main/jniLibs/x86_64/libtool-checker.so ) and checked it using this command line: `./checksec --format=cli --file=libtool-checker.so`, and the no canaries warning appeared again. Please could you check why canaries are not added to the /x86_64/libtool-checker.so file? And please could you provide feedback on whether these are related to the issues below:
https://github.com/scottyab/rootbeer/issues/77 https://github.com/scottyab/rootbeer/pull/136
And does the latest tag https://github.com/scottyab/rootbeer/releases/tag/0.0.9 contain the fix?
Thanks in advance,
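
A minimal version of the check discussed in this thread, as an added example that is not code from RootBeer, MobSF or checksec.sh: it parses a 64-bit little-endian ELF file and reports whether its symbol tables reference `__stack_chk_fail`, the function that compiler-inserted canary checks call on a mismatch. The `build_sample_so` helper and the `sample_export` symbol are constructed for illustration, so the script also runs without a real library.

```python
import struct
import sys

SHT_SYMTAB, SHT_DYNSYM = 2, 11
CANARY_SYMBOL = b"__stack_chk_fail"  # called by compiler-inserted canary checks

def elf64_symbol_names(data):
    """Yield every name in .symtab/.dynsym of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (shoff,) = struct.unpack_from("<Q", data, 0x28)           # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 0x3A)  # e_shentsize, e_shnum
    sections = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)
                for i in range(shnum)]
    for _, sh_type, _, _, off, size, link, _, _, entsize in sections:
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM) or entsize == 0:
            continue
        str_off, str_size = sections[link][4], sections[link][5]  # sh_link -> strtab
        strtab = data[str_off:str_off + str_size]
        for pos in range(off, off + size, entsize):
            (st_name,) = struct.unpack_from("<I", data, pos)  # offset into strtab
            yield strtab[st_name:strtab.index(b"\0", st_name)]

def has_stack_canary(data):
    """True if any symbol table entry is __stack_chk_fail."""
    return any(name == CANARY_SYMBOL for name in elf64_symbol_names(data))

def build_sample_so(names):
    """Constructed input: a minimal ELF64 image holding only a string table and .dynsym."""
    strtab = b"\0" + b"".join(n + b"\0" for n in names)
    syms, pos = struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0), 1   # mandatory null symbol
    for n in names:
        syms += struct.pack("<IBBHQQ", pos, 0x12, 0, 0, 0, 0)  # GLOBAL FUNC, undefined
        pos += len(n) + 1
    shoff = 64 + len(strtab) + len(syms)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01",
                       3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    sh = lambda t, off, size, link, ent: struct.pack(
        "<IIQQQQIIQQ", 0, t, 0, 0, off, size, link, 0, 1, ent)
    shdrs = (sh(0, 0, 0, 0, 0) + sh(3, 64, len(strtab), 0, 0)
             + sh(SHT_DYNSYM, 64 + len(strtab), len(syms), 1, 24))
    return ehdr + strtab + syms + shdrs

if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real 64-bit .so given on the command line
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], "canary:", has_stack_canary(fh.read()))
    else:                  # otherwise run on the two constructed samples
        for names in ([b"sample_export"], [b"sample_export", CANARY_SYMBOL]):
            print(names, "canary:", has_stack_canary(build_sample_so(names)))
```

Pass the path of a 64-bit library such as the x86_64 `libtool-checker.so` as the first argument to check that file; 32-bit ABIs are rejected with a `ValueError`.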