NX detection is broken
Closed this issue · 3 comments
Seems like NX detection is broken due to some variable naming in commit 3e5a022. Looks like some checks use ${s_readelf}, which is not defined. I don't think this should be replaced with simply readelf either, because it still fails the checks.
Issue
When I compile an executable with an executable stack, checksec should see NX disabled. Vice versa, when I compile an executable with execution protection, checksec should output NX enabled.
Debug Report
***** Checksec debug *****
uid=1000(costinteo) gid=1000(costinteo) groups=1000(costinteo),4(adm),27(sudo),46(plugdev),119(lpadmin),133(libvirt),135(wireshark),140(docker)
Linux costinteo-pop 6.0.6-76060006-generic #202210290932~1669062050~22.04~d94609a SMP PREEMPT_DYNAMIC Mon N x86_64 x86_64 x86_64 GNU/Linux
checksec version: 2.6.0 -- 2022052701
OS=Pop!_OS
VER=22.04
lrwxrwxrwx 1 root root 24 Nov 2 15:58 /usr/bin/readelf -> x86_64-linux-gnu-readelf
-rwxr-xr-x 1 root root 780736 Nov 2 15:58 /usr/bin/x86_64-linux-gnu-readelf
/usr/bin/x86_64-linux-gnu-readelf: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=f5fdb2cee8ae266521fb21e24bf385e6e43c20ab, for GNU/Linux 3.2.0, stripped
*** can not find command eu-readelf
Command run to produce the error
#!/usr/bin/env bash
echo 'main(){return 42;}' > "nxdet.c"
gcc -o _nxdet nxdet.c -w
/usr/bin/checksec.sh --file=_nxdet | egrep -o "NX enabled" # should be enabled
if [ "$?" -eq 0 ]; then echo "Checksec is correct!"; else echo "Checksec is incorrect!"; fi
gcc -o _nxdet nxdet.c -z execstack -w
/usr/bin/checksec.sh --file=_nxdet | egrep -o "NX disabled" # should be disabled
if [ "$?" -eq 0 ]; then echo "Checksec is correct!"; else echo "Checksec is incorrect!"; fi
OS version and Kernel version
Linux 6.0.6-76060006-generic #202210290932~1669062050~22.04~d94609a
OS=Pop!_OS
VER=22.04
Debug output
Seems like debug output doesn't print anything helpful. NX should be disabled here:
RELRO       STACK CANARY     NX          PIE          RPATH     RUNPATH     Symbols     FORTIFY  Fortified  Fortifiable  FILE
Full RELRO  No canary found  NX enabled  PIE enabled  No RPATH  No RUNPATH  35 Symbols  No       0          0            _nxdet
Hi, I would like to contribute to this issue. Is it still open / possible?
Indeed, it looks fixed to me on current Debian sid amd64, with current checksec:
# echo 'main(){return 42;}' > "nxdet.c"
gcc -o _nxdet nxdet.c -w
./checksec --file=_nxdet | egrep -o "NX enabled" # should be enabled
if [ "$?" -eq 0 ]; then echo "Checksec is correct!"; else echo "Checksec is incorrect!"; fi
gcc -o _nxdet nxdet.c -z execstack -w
./checksec --file=_nxdet | egrep -o "NX disabled" # should be disabled
if [ "$?" -eq 0 ]; then echo "Checksec is correct!"; else echo "Checksec is incorrect!"; fi
NX enabled
Checksec is correct!
NX disabled
Checksec is correct!
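
Added example (not part of the issue thread and not checksec's own code): one way to cross-check the NX verdict discussed above is to read the flags of the GNU_STACK program header from `readelf -W -l` output, and to report "NX unknown" instead of a verdict when the reader tool is missing or prints no GNU_STACK line. The function names, the `READELF` override and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify NX from `readelf -W -l` text read on stdin.
# Prints "NX enabled", "NX disabled" or "NX unknown".
nx_from_phdrs() {
    awk '
        $1 == "GNU_STACK" {
            seen = 1
            # Flags sit between MemSiz (field 6) and Align (last field).
            # readelf pads them with spaces, so join whatever is in between.
            flags = ""
            for (i = 7; i < NF; i++) flags = flags $i
            if (flags ~ /E/) exec_stack = 1
        }
        END {
            # No GNU_STACK line (or no input at all): give no verdict.
            if (!seen)           print "NX unknown"
            else if (exec_stack) print "NX disabled"
            else                 print "NX enabled"
        }'
}

# Constructed sample lines in readelf -W -l layout (not from a real binary).
sample_nx_on='  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10'
sample_nx_off='  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'
sample_none='  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000628 0x000628 R   0x1000'

# check_file PATH: run the reader tool on a file and classify the result.
# READELF is a hypothetical override; it defaults to binutils readelf.
check_file() {
    tool=${READELF:-readelf}
    # An unset or missing tool must not turn into a pass or fail verdict.
    command -v "$tool" >/dev/null 2>&1 || { echo "NX unknown"; return 2; }
    "$tool" -W -l "$1" 2>/dev/null | nx_from_phdrs
}
```

Running `check_file _nxdet` after each of the two `gcc` builds from the reproducer gives a second opinion to compare with checksec's NX column.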