slimm609 / checksec.sh
https://slimm609.github.io/checksec.sh/

Incorrect detection of RELRO, STACK CANARY #221

Closed akiusmgm closed 1 year ago

akiusmgm commented 1 year ago

Issue tracker

It seems that RELRO and STACK CANARY are incorrectly detected in the main repository at this time.

Issue

The RELRO and STACK CANARY output differs from past versions for OpenCV-android-sdk/sdk/native/libs/x86/libopencv_java4.so etc. from https://github.com/opencv/opencv/releases/tag/4.7.0

Command run to produce the error

user@LAPTOP-D4N6CHG6:/mnt/c/Users/auditor/Downloads$ ./checksec.sh-main/checksec.sh-main/checksec --file=./opencv-4.7.0-android-sdk/OpenCV-android-sdk/sdk/native/libs/x86/libopencv_java4.so
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Partial RELRO   No canary found   NX enabled    DSO             No RPATH   No RUNPATH   No Symbols        No    0               18              ./opencv-4.7.0-android-sdk/OpenCV-android-sdk/sdk/native/libs/x86/libopencv_java4.so
user@LAPTOP-D4N6CHG6:/mnt/c/Users/auditor/Downloads$ ./checksec.sh-master/checksec.sh-master/checksec --file=./opencv-4.7.0-android-sdk/OpenCV-android-sdk/sdk/native/libs/x86/libopencv_java4.so
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Full RELRO      Canary found      NX enabled    DSO             No RPATH   No RUNPATH   No Symbols        No    0               18              ./opencv-4.7.0-android-sdk/OpenCV-android-sdk/sdk/native/libs/x86/libopencv_java4.so
user@LAPTOP-D4N6CHG6:/mnt/c/Users/auditor/Downloads$ ./checksec.sh-2.6.0/checksec.sh-2.6.0/checksec --file=./opencv-4.7.0-android-sdk/OpenCV-android-sdk/sdk/native/libs/x86/libopencv_java4.so
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Full RELRO      Canary found      NX enabled    DSO             No RPATH   No RUNPATH   No Symbols        No    0               18              ./opencv-4.7.0-android-sdk/OpenCV-android-sdk/sdk/native/libs/x86/libopencv_java4.so
user@LAPTOP-D4N6CHG6:/mnt/c/Users/auditor/Downloads$ ./checksec.sh-1.11.1/checksec.sh-1.11.1/checksec --file ./opencv-4.7.0-android-sdk/OpenCV-android-sdk/sdk/native/libs/x86/libopencv_java4.so
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable  FILE
Full RELRO      Canary found      NX enabled    DSO             No RPATH   No RUNPATH   No Symbols      Yes     0               18      ./opencv-4.7.0-android-sdk/OpenCV-android-sdk/sdk/native/libs/x86/libopencv_java4.so

OS version and Kernel version

user@LAPTOP-D4N6CHG6:/mnt/c/Users/auditor/Downloads$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.5 LTS"
C:\Users\auditor>wsl -v -l
WSL version: 1.1.3.0
Kernel version: 5.15.90.1
WSLg version: 1.0.49
MSRDC version: 1.2.3770
Direct3D version: 1.608.2-61064218
DXCore version: 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows version: 10.0.22621.1265
petervas commented 1 year ago

The current stack canary check tries to check that the symbol address for the stack protection is "0000000000000000" but for 32 bit binaries it is "00000000". This check is not stable and should be removed. The " UND " check seems sufficient to prevent the wrongly detected stack canary in #161.

The current full RELRO check only passes if "BIND_NOW and no .got.plt" or "no .got.plt" alone is found. The example libopencv_java4.so, though, shows that full RELRO can be active with .got.plt present.

Program Headers:
Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
[...]
GNU_RELRO      0x15bad50 0x015bbd50 0x015bbd50 0x362b0 0x362b0 RW  0x10

The program header shows that the memory from 0x015bbd50 to 0x015bbd50+0x362b0 (0x015F2000) will be set to read only.

Section Headers:
[Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
[...]
[22] .got              PROGBITS        015ef0d4 15ee0d4 0003d8 00  WA  0   0  4
[23] .got.plt          PROGBITS        015ef4ac 15ee4ac 002b4c 00  WA  0   0  4
[24] .data             PROGBITS        015f2000 15f1000 02bf28 00  WA  0   0  8

In the section headers we can see that .got.plt lies inside the range 0x015bbd50 - 0x015F2000. Apparently some compilers do not merge the .got.plt into .got when bind now is enabled but instead include .got.plt in the read only setting.

To fix full RELRO detection the old behavior should be restored for now to check if BIND_NOW is present or .got.plt is not present.

The modified binary that confuses full RELRO detection from #161 can only be detected by a similar calculation as above and might be out of scope for checksec.
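As an added example (not code from the checksec.sh project or from either commenter), the script below does the range calculation petervas describes over readelf-style text, and puts the fragile 16-zero-digit canary check next to the address-width-independent " UND " check. The GNU_RELRO program header and the .got/.got.plt/.data section headers are the lines quoted above for the x86 libopencv_java4.so; the symbol-table lines and the second section-header set (with .got.plt moved past the RELRO segment, to stand in for the kind of modified binary from #161) are constructed for this example. It assumes the single-line column layout of `readelf -lW`, `readelf -SW` and `readelf -sW`.

```python
import re

# Sample readelf-style text. The GNU_RELRO program header and the .got/.got.plt/
# .data section headers are the lines quoted in the issue for the x86
# libopencv_java4.so; everything marked CONSTRUCTED is made up for this example.
PROGRAM_HEADERS = """\
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  GNU_RELRO      0x15bad50 0x015bbd50 0x015bbd50 0x362b0 0x362b0 RW  0x10
"""

SECTION_HEADERS = """\
Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [22] .got              PROGBITS        015ef0d4 15ee0d4 0003d8 00  WA  0   0  4
  [23] .got.plt          PROGBITS        015ef4ac 15ee4ac 002b4c 00  WA  0   0  4
  [24] .data             PROGBITS        015f2000 15f1000 02bf28 00  WA  0   0  8
"""

# CONSTRUCTED: same RELRO segment, but .got.plt placed past its end
# (0x015f2000), so it stays writable no matter what the dynamic section says.
SECTION_HEADERS_GOTPLT_OUTSIDE = """\
  [22] .got              PROGBITS        015ef0d4 15ee0d4 0003d8 00  WA  0   0  4
  [23] .got.plt          PROGBITS        015f3000 15f2000 002b4c 00  WA  0   0  4
"""

# CONSTRUCTED `readelf -sW` rows: 32-bit (8 hex digits) and 64-bit (16 hex digits).
SYMBOLS_32 = """\
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@LIBC
"""
SYMBOLS_64 = """\
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4
"""

# [Nr] Name Type Addr Off Size ... as printed by `readelf -SW`
SECTION_RE = re.compile(
    r"^\s*\[\s*\d+\]\s+(?P<name>\S+)\s+\S+\s+(?P<addr>[0-9a-fA-F]+)"
    r"\s+[0-9a-fA-F]+\s+(?P<size>[0-9a-fA-F]+)"
)


def relro_range(program_headers: str):
    """(start, end) of the GNU_RELRO segment from `readelf -lW` text, or None."""
    for line in program_headers.splitlines():
        f = line.split()
        if f and f[0] == "GNU_RELRO":
            vaddr, memsz = int(f[2], 16), int(f[5], 16)   # VirtAddr, MemSiz
            return vaddr, vaddr + memsz
    return None


def section_range(section_headers: str, name: str):
    """(start, end) of the named section from `readelf -SW` text, or None."""
    for line in section_headers.splitlines():
        m = SECTION_RE.match(line)
        if m and m.group("name") == name:
            start = int(m.group("addr"), 16)
            return start, start + int(m.group("size"), 16)
    return None


def relro_level(program_headers: str, section_headers: str) -> str:
    """Full RELRO only if there is no .got.plt or it lies inside GNU_RELRO."""
    relro = relro_range(program_headers)
    if relro is None:
        return "No RELRO"
    gotplt = section_range(section_headers, ".got.plt")
    if gotplt is None:
        return "Full RELRO"       # no lazy-binding GOT to protect
    if relro[0] <= gotplt[0] and gotplt[1] <= relro[1]:
        return "Full RELRO"       # .got.plt is remapped read-only after startup
    return "Partial RELRO"        # .got.plt stays writable, BIND_NOW or not


def _symbol_rows(symbols: str):
    """Yield split `readelf -sW` data rows, skipping the header line."""
    for line in symbols.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0].endswith(":") and f[0][:-1].isdigit():
            yield f


def old_canary_check(symbols: str) -> bool:
    """The fragile check: value must be 16 zero digits, which 32-bit ELFs never print."""
    return any(f[1] == "0" * 16 and f[7].split("@")[0] == "__stack_chk_fail"
               for f in _symbol_rows(symbols))


def has_stack_canary(symbols: str) -> bool:
    """Width-independent: an undefined (imported) __stack_chk_fail means the stack protector is linked in."""
    return any(f[6] == "UND" and f[7].split("@")[0] == "__stack_chk_fail"
               for f in _symbol_rows(symbols))


if __name__ == "__main__":
    print("libopencv_java4.so (from issue):", relro_level(PROGRAM_HEADERS, SECTION_HEADERS))
    print("constructed .got.plt outside RELRO:", relro_level(PROGRAM_HEADERS, SECTION_HEADERS_GOTPLT_OUTSIDE))
    for label, syms in (("32-bit", SYMBOLS_32), ("64-bit", SYMBOLS_64)):
        print(label, "old check:", old_canary_check(syms), "UND check:", has_stack_canary(syms))
```

Run against a real file with `readelf -lW`, `readelf -SW` and `readelf -sW` output piped in. The range test reports the issue's library as Full RELRO because .got.plt (0x015ef4ac to 0x015f1ff8) sits inside the RELRO segment (0x015bbd50 to 0x015f2000), and reports the constructed variant as Partial RELRO even though a BIND_NOW flag would not change where that section is mapped; the canary comparison shows the 32-bit sample failing only the 16-digit check.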