slimm609/checksec.sh

False positive fortify source detection due to stack protector

ddast opened this issue · 0 comments

ddast commented

Issue

A binary with a GCC stack protector is classified as fortified. This is probably the case because fortified binaries are detected by searching for dynamic symbols containing _chk and the GCC stack protector uses the function __stack_chk_fail().

This issue should also occur when an arbitrary library function containing _chk in its name is used; however, __stack_chk_fail() is quite widespread.

Actually this was already discussed in issue #103 but this issue is now closed.

Relevant code:

  FS_functions="$(${readelf} --dyn-syms "${1}" 2>/dev/null | awk '{ print $8 }' | sed -e 's/_*//' -e 's/@.*//' -e '/^$/d')"
  FS_cnt_checked=$(fgrep -xf <(sort <<< "${FS_chk_func_libc}") <(sort <<< "${FS_functions}") | wc -l)
  FS_cnt_unchecked=$(fgrep -xf <(sort <<< "${FS_func_libc}") <(sort <<< "${FS_functions}") | wc -l)
  FS_cnt_total=$((FS_cnt_unchecked+FS_cnt_checked))

  if [[ "${FS_functions}" =~ _chk ]]; then
    echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes" ' '"fortify_source":"yes",'
  else
    echo_message "\033[31mNo\033[m" "No," ' fortify_source="no" ' '"fortify_source":"no",'
  fi

Command run to produce the error

A binary with stack protector but without fortify source is detected as fortified:

$ echo 'int main() {}' | gcc -o no-fortify -fstack-protector-all -x c -
$ ./checksec --file=no-fortify
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable  FILE
Partial RELRO   Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   64 Symbols     Yes	0		0	no-fortify

Without the stack protector, fortify source is not detected:

$ echo 'int main() {}' | gcc -o no-fortify  -x c -
$ ./checksec --file=no-fortify 
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable  FILE
Partial RELRO   No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   61 Symbols     No	0	0no-fortify

Debug Report

***** Checksec debug *****
uid=1000(foobar) gid=1000(foobar) groups=1000(foobar)
Linux hostname 5.5.5-arch1-1 #1 SMP PREEMPT Thu, 20 Feb 2020 18:23:09 +0000 x86_64 GNU/Linux
checksec version: 2.1.0 -- 2019072901
OS=Arch Linux
VER=
*** can not find command eu-readelf

OS version and Kernel version

Arch Linux
Linux Kernel 5.5.5

Debug output

$ ./checksec --file=no-fortify --debug
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable  FILE
***function filecheck
***function filecheck->RELRO
Partial RELRO   
***function filecheck->canary
Canary found      
***function filecheck->nx
NX enabled    
***function filecheck->pie
PIE enabled     
***function filecheck->rpath
No RPATH   
***function filecheck->runpath
No RUNPATH   64 Symbols     ***function filecheck->fortify
Yes	0		0	no-fortify
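
An added example, not part of the original issue or of checksec's own code: it contrasts the substring test on `_chk` described above with a test anchored on the glibc fortify wrapper naming pattern `__<func>_chk`. The `readelf --dyn-syms` excerpts are constructed sample data, and the function names are hypothetical.

```shell
# Constructed `readelf --dyn-syms` excerpts (sample data, not from a real build).
HDR='   Num:    Value          Size Type    Bind   Vis      Ndx Name'
CANARY_ONLY="$HDR
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)"
FORTIFIED="$HDR
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (4)"

# Column 8 is the symbol name; drop the @VERSION suffix.
dyn_symbol_names() {
  awk 'NF >= 8 { print $8 }' | sed -e 's/@.*//'
}

# Substring test, equivalent to the `=~ _chk` decision quoted in the issue.
substring_check() {
  if dyn_symbol_names | grep -q '_chk'; then echo yes; else echo no; fi
}

# Anchored test: only names of the form __<func>_chk count, so
# __stack_chk_fail (which merely contains _chk) is ignored.
anchored_check() {
  if dyn_symbol_names | grep -Eq '^__[A-Za-z0-9_]+_chk$'; then
    echo yes
  else
    echo no
  fi
}

# Names that satisfied the anchored test, for reporting.
fortified_symbols() {
  dyn_symbol_names | grep -E '^__[A-Za-z0-9_]+_chk$' | sort -u
}

# Compare both tests on both samples.
for sample in CANARY_ONLY FORTIFIED; do
  eval "data=\$$sample"
  printf '%-12s substring=%s anchored=%s\n' "$sample" \
    "$(printf '%s\n' "$data" | substring_check)" \
    "$(printf '%s\n' "$data" | anchored_check)"
done
```

To run it against a real binary, pipe `readelf --dyn-syms <file>` into either function instead of the sample strings.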