
checksec.sh

Version 1.4 now supports FORTIFY_SOURCE.

January 14, 2011

What's New?

  1. Support for FORTIFY_SOURCE (--fortify-file, --fortify-proc).
  2. Check if the readelf command is available.
  3. readelf support for 64-bit ELF files.
  4. Check if the requested files and directories exist.
  5. --dir is now case-sensitive and correctly deals with trailing slashes.
  6. Check user permissions.

fortify-file Usage Example.

The following test program is vulnerable to a stack buffer overflow (see line 10):

#include <string.h>
#include <stdio.h>

int 
main (int argc, char* argv[])
{
    int  a = 1;
    char buf[12];

    strcpy (buf, argv[1]);
    printf ("%08x\n", a);

    return 0;
}

Compile the test program without stack canary support (-fno-stack-protector) and without FORTIFY_SOURCE:

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.10
DISTRIB_CODENAME=maverick
DISTRIB_DESCRIPTION="Ubuntu 10.10"
$ gcc -fno-stack-protector -o testcase testcase.c

Check the compiled executable with checksec.sh:

[Figure: checksec.sh results.]

The output of the script shows that, as expected, FORTIFY_SOURCE is not supported by the executable. Next, we overflow the stack buffer by providing an overly long command line argument to the test program:

$ ./testcase AAAABBBBCCCCDDDD
44444444

As can be seen from the output above, the stack variable a was successfully overwritten by our overly long command line argument (a now holds the supplied D characters, 0x44 in hexadecimal). Next, we compile the test program with FORTIFY_SOURCE support but without stack canaries and check the executable file with checksec.sh again.

ⓘ Note

On Ubuntu, FORTIFY_SOURCE is used when compiling with -O2 or higher. On other Linux distributions (e.g. Fedora or openSUSE) you need to add the compiler flag -D_FORTIFY_SOURCE=2.

[Figure: Retest of the test program with checksec.sh.]

The above output of checksec.sh shows that the executable was successfully compiled with FORTIFY_SOURCE. Now let's try to overflow the buffer again.

$ ./testcase AAAABBBBCCCCDDDD
*** buffer overflow detected ***: ./testcase terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x50)[0x936970]
/lib/libc.so.6(+0xe486a)[0x93586a]
/lib/libc.so.6(__strcpy_chk+0x44)[0x934be4]
./testcase[0x8048447]
/lib/libc.so.6(__libc_start_main+0xe7)[0x867ce7]
./testcase[0x8048381]
======= Memory map: ========
007d4000-007f0000 r-xp 00000000 08:01 135323     /lib/ld-2.12.1.so
007f0000-007f1000 r--p 0001b000 08:01 135323     /lib/ld-2.12.1.so
007f1000-007f2000 rw-p 0001c000 08:01 135323     /lib/ld-2.12.1.so
0080f000-00829000 r-xp 00000000 08:01 131159     /lib/libgcc_s.so.1
00829000-0082a000 r--p 00019000 08:01 131159     /lib/libgcc_s.so.1
0082a000-0082b000 rw-p 0001a000 08:01 131159     /lib/libgcc_s.so.1
00851000-009a8000 r-xp 00000000 08:01 138119     /lib/libc-2.12.1.so
009a8000-009aa000 r--p 00157000 08:01 138119     /lib/libc-2.12.1.so
009aa000-009ab000 rw-p 00159000 08:01 138119     /lib/libc-2.12.1.so
009ab000-009ae000 rw-p 00000000 00:00 0
00ff9000-00ffa000 r-xp 00000000 00:00 0          [vdso]
08048000-08049000 r-xp 00000000 08:01 658356     /home/tk/testcase
08049000-0804a000 r--p 00000000 08:01 658356     /home/tk/testcase
0804a000-0804b000 rw-p 00001000 08:01 658356     /home/tk/testcase
09e50000-09e71000 rw-p 00000000 00:00 0          [heap]
b779f000-b77a0000 rw-p 00000000 00:00 0
b77ae000-b77b0000 rw-p 00000000 00:00 0
bfb00000-bfb21000 rw-p 00000000 00:00 0          [stack]
Aborted

This time, the attempt to trigger the buffer overflow was successfully mitigated by FORTIFY_SOURCE.
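
The backtrace above ends in __strcpy_chk, the checked variant that replaces strcpy when FORTIFY_SOURCE is active. The following added example (not part of the original post and not glibc's code) models that check; struct frame, checked_strcpy, FORTIFIED_STRCPY and try_copy are hypothetical names, and sizeof stands in for the compiler's __builtin_object_size.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Deterministic stand-in for the test program's stack frame: a sits
 * directly behind buf, which is why the unprotected run clobbered it. */
struct frame {
    char buf[12];
    int  a;
};

/* Simplified model of a fortified strcpy: the caller passes the destination
 * size known at compile time. Returns 0 on success, -1 at the point where
 * glibc would call __fortify_fail() and abort the process. */
static int checked_strcpy(char *dst, const char *src, size_t dstlen)
{
    size_t need = strlen(src) + 1;   /* bytes to copy, including the NUL */
    if (need > dstlen)
        return -1;                   /* detected before a single byte is written */
    memcpy(dst, src, need);
    return 0;
}

/* Hypothetical wrapper: sizeof stands in for __builtin_object_size(dst, 1). */
#define FORTIFIED_STRCPY(dst, src) checked_strcpy((dst), (src), sizeof(dst))

/* Copies arg into a fresh frame; returns the status and reports a afterwards. */
static int try_copy(const char *arg, int *a_after)
{
    struct frame f = { .buf = {0}, .a = 1 };
    int rc = FORTIFIED_STRCPY(f.buf, arg);
    *a_after = f.a;
    return rc;
}

int main(void)
{
    /* Constructed inputs: 11 chars (fits), 12 chars (NUL overflows), 16 chars. */
    const char *args[] = { "AAAABBBBCCC", "AAAABBBBCCCC", "AAAABBBBCCCCDDDD" };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        int a;
        int rc = try_copy(args[i], &a);
        printf("%-18s rc=%d a=%08x\n", args[i], rc, a);
    }
    return 0;
}
```

The 12-character input is the edge case: the characters fit, but the terminating NUL does not, so the check still rejects the copy and a keeps its value.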

fortify-proc Usage Example.

With the new option --fortify-proc it is also possible to check running processes for FORTIFY_SOURCE support. The usage of this new option is illustrated in the following figure.

[Figure: Check running processes for FORTIFY_SOURCE support.]