slimm609/checksec

False negative on NX protection check

Tatsh opened this issue · 4 comments

Tatsh commented

Issue

checksec --kernel incorrectly reports NX protection as Disabled.

The issue here seems to be that grepping dmesg is unreliable if for example, netfilter is logging packets. One alternative would be to grep journald output on systemd machines.

# Check the current boot's journal instead of the dmesg ring buffer, which may
# already have been flushed by later messages (for example netfilter logging).
if (command_exists journalctl) && \
   [[ $(systemctl is-active systemd-journald) = 'active' ]] && \
   journalctl -b --grep '^NX \(Execute Disable\) protection: active$' >/dev/null; then
  # The output labels below were copied from the protected-symlinks check and
  # still need to be replaced with the field names the NX check uses.
  echo_message "\033[32mEnabled\033[m\n" "Enabled," " protect_symlinks='yes'" ', "protect_symlinks":"yes"'
fi

Debug Report

***** Checksec debug *****
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video)
Linux limelight 5.8.0-gentoo-r1-limelight #3 SMP Tue Aug 4 06:49:29 EDT 2020 x86_64 Intel(R) Core(TM) i7-5930K CPU @ 3.50GHz GenuineIntel GNU/Linux
checksec version: 2.2.3 -- 2020070801
OS=Gentoo
VER=1
-rwxr-xr-x 1 root root 43656 Jun 10 20:54 /bin/cat
/bin/cat: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
lrwxrwxrwx 1 root root 4 Dec  3  2014 /usr/bin/awk -> gawk
-rwxr-xr-x 1 root root 646768 Jun 10 22:21 /usr/bin/gawk
/usr/bin/gawk: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 31200 Jun 10 20:10 /usr/sbin/sysctl
/usr/sbin/sysctl: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
lrwxrwxrwx 1 root root 15 Jun 10 20:54 /usr/bin/uname -> ../../bin/uname
-rwxr-xr-x 1 root root 39496 Jun 10 20:54 /bin/uname
/bin/uname: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
lrwxrwxrwx 1 root root 16 Jun 10 20:54 /usr/bin/mktemp -> ../../bin/mktemp
-rwxr-xr-x 1 root root 47792 Jun 10 20:54 /bin/mktemp
/bin/mktemp: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 739536 Jun 10 19:46 /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 224336 Jun 10 22:01 /bin/grep
/bin/grep: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 84840 Jun 10 20:54 /usr/bin/stat
/usr/bin/stat: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 31488 Jun 28 12:32 /usr/bin/file
/usr/bin/file: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 312976 Jun 10 21:02 /usr/bin/find
/usr/bin/find: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
lrwxrwxrwx 1 root root 14 Jun 10 20:54 /usr/bin/head -> ../../bin/head
-rwxr-xr-x 1 root root 47720 Jun 10 20:54 /bin/head
/bin/head: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 138216 Jun 10 20:10 /bin/ps
/bin/ps: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
lrwxrwxrwx 1 root root 18 Jun 10 20:54 /usr/bin/readlink -> ../../bin/readlink
-rwxr-xr-x 1 root root 51760 Jun 10 20:54 /bin/readlink
/bin/readlink: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
lrwxrwxrwx 1 root root 18 Jun 10 20:54 /usr/bin/basename -> ../../bin/basename
-rwxr-xr-x 1 root root 39440 Jun 10 20:54 /bin/basename
/bin/basename: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 47752 Jun 10 20:54 /usr/bin/id
/usr/bin/id: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 31632 Jun 10 19:01 /usr/bin/which
/usr/bin/which: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 505392 Dec  4  2019 /usr/bin/wget
/usr/bin/wget: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 244768 Aug  5 21:27 /usr/bin/curl
/usr/bin/curl: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
lrwxrwxrwx 1 root root 27 Aug  1 02:02 /usr/bin/readelf -> x86_64-pc-linux-gnu-readelf
-rwxr-xr-x 1 root root 671048 Aug  1 02:01 /usr/x86_64-pc-linux-gnu/binutils-bin/2.34/readelf
/usr/x86_64-pc-linux-gnu/binutils-bin/2.34/readelf: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, stripped
-rwxr-xr-x 1 root root 553192 Jun 20 02:33 /usr/bin/eu-readelf
/usr/bin/eu-readelf: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3a17388b4a26b677691d9ebfdae5ca9d4906032a, for GNU/Linux 3.2.0, stripped

Command run to produce the error

checksec --kernel

OS version and Kernel version

Gentoo Linux
Kernel 5.8.0

Debug output

* Kernel protection information:

***function kernelcheck
  Description - List the status of kernel protection mechanisms. Rather than
  inspect kernel mechanisms that may aid in the prevention of exploitation of
  userspace processes, this option lists the status of kernel configuration
  options that harden the kernel itself against attack.

  Kernel config:
/proc/config.gz

  Vanilla Kernel ASLR:                    Full
  NX protection:                          ***function root_privs
Disabled
  Protected symlinks:                     Enabled
  Protected hardlinks:                    Enabled
  Protected fifos:                        Enabled
  Protected regular:                      Enabled
  Ipv4 reverse path filtering:            Enabled
  Kernel heap randomization:              Enabled
  GCC stack protector support:            Enabled
  GCC stack protector strong:             Enabled
  GCC structleak plugin:                  Enabled
  GCC structleak by ref plugin:           Enabled
  SLAB freelist randomization:            Enabled
  Virtually-mapped kernel stack:          Enabled
  Restrict /dev/mem access:               Enabled
  Restrict I/O access to /dev/mem:        Enabled
  Enforce read-only kernel data:          Enabled
  Enforce read-only module data:          Enabled
  Exec Shield:                            Unsupported

  Hardened Usercopy:                      Enabled
  Harden str/mem functions:               Enabled
  Restrict /dev/kmem access:              Enabled

* X86 only:
  Address space layout randomization:     Enabled

* SELinux:                                No SELinux

  SELinux infomation available here:
    http://selinuxproject.org/

* grsecurity / PaX:                       No GRKERNSEC

  The grsecurity / PaX patchset is available here:
    http://grsecurity.net/

What's the output of dmesg | grep -i nx?
Normally it should match something like [ 0.000000] NX (Execute Disable) protection: active

Tatsh commented
# dmesg | grep -i nx
#

My dmesg consists of messages from logging netfilter. The buffer doesn't go on forever, and the NX message is gone.

# dmesg | head
[58589.822408] (output) IN= OUT=eno1 SRC=192.168.1.101 DST=255.255.255.255 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=13604 PROTO=UDP SPT=42170 DPT=5050 LEN=51
[58594.839517] (output) IN= OUT=eno1 SRC=192.168.1.101 DST=255.255.255.255 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=14803 PROTO=UDP SPT=42170 DPT=5050 LEN=51

However, journald retains all messages until it has to rotate which by default is a very long time.

I already proposed moving to the nxcheck function here, which is better and more reliable. AFAIK grep support in journalctl isn't ubiquitous; for example, Ubuntu added it only in 20.04.

Tatsh commented

I have a feeling that the nxcheck function could give a false positive since it's such a simple grep, even with -w passed. Maybe we want to grep the "flags :" line first?

grep -E '^flags[^:]+' /proc/cpuinfo | grep -w nx
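The two detection routes discussed in this thread (the journal lookup proposed in the issue body and the /proc/cpuinfo flags check in the last comment), written out as an added example that is not checksec's own code. The function names (nx_from_cpuinfo, nx_from_journal) and the sample cpuinfo texts are constructed for illustration; the sample deliberately puts the word "nx" in a "model name" line to show why only the flags line should be searched.

```shell
#!/usr/bin/env sh
# Added example (not from checksec): decide NX support from the "flags" line of
# a cpuinfo file only, so a stray "nx" elsewhere in the file cannot match.
#
# nx_from_cpuinfo FILE -> prints "yes" or "no"; always exits 0.
nx_from_cpuinfo() {
    # Keep only lines whose key is "flags" (tolerating the tab/space padding
    # /proc/cpuinfo uses before the colon), strip the key, then test for the
    # whole word "nx" in the value part.
    if sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$1" | grep -qw nx; then
        echo yes
    else
        echo no
    fi
}

# nx_from_journal -> exit 0 if the current boot's journal carries the kernel's
# NX banner, 1 if it does not, 2 if journalctl is unavailable. The pattern is
# the one from the issue body; journalctl --grep needs a journalctl that has
# the option (not present on every distribution release).
nx_from_journal() {
    command -v journalctl >/dev/null 2>&1 || return 2
    journalctl -b -q --grep '^NX \(Execute Disable\) protection: active$' >/dev/null 2>&1
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_NX=$(mktemp)
SAMPLE_NO_NX=$(mktemp)
trap 'rm -f "$SAMPLE_NX" "$SAMPLE_NO_NX"' EXIT

cat > "$SAMPLE_NX" <<'EOF'
processor   : 0
model name  : Example CPU
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep syscall nx lm
EOF

# Here "nx" appears as a whole word in "model name" but not in "flags", so a
# plain `grep -w nx /proc/cpuinfo` would report a false positive.
cat > "$SAMPLE_NO_NX" <<'EOF'
processor   : 0
model name  : Example CPU with nx in its marketing name
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep syscall lm
EOF

# Live usage on a Linux host (uncomment to run):
# nx_from_cpuinfo /proc/cpuinfo
# nx_from_journal && echo "journal: NX active"
```

The cpuinfo route is the one worth trusting first: it reads the CPU's own feature flags and does not depend on log retention, whereas both dmesg and the journal can lose or lack the boot message (ring-buffer wraparound in the first case, a journalctl without --grep in the second).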