ED 230: Hardening ELF Binaries (15 extra)

What You Need

A 64-bit Debian Linux machine, real or virtual

Purpose

To practice detecting and implementing memory protections for Linux binaries.

Creating a Vulnerable Program

This program asks for a password. The function test_pw uses simple bitwise manipulations to obfuscate the password comparison, so that the correct password is not literal in the source code.

In a Terminal window, execute this command:


nano pwd.c

Enter this code, as shown below.


#include <stdlib.h>
#include <stdio.h>

int test_pw() {
        char password[10];
        printf("Password address: %p\n", password);
        printf("Enter password: ");
        fgets(password, 50, stdin);
        return 1;
}

void win() {
        printf("You win!\n");
}

void main() {
        if (test_pw()) printf("Fail!\n");
        else win();
}

The test_pw function reserves room for 10 characters in pin[], but reads up to 50 characters from stdin, allowing a buffer overflow.

It also always returns 1, so the win() function is never executed.

Save the file with Ctrl+X, Y, Enter.

Compiling with Default gcc Options

Execute these commands to compile the code using the default gcc, and run it.


sudo apt-get update
sudo apt-get install gcc-multilib -y
gcc -o pwd pwd.c
./pwd
1

The program runs normally, wth the "Fail!" message, as shown below.

Using hardening-check

Execute these commands to check the file for security protections:


sudo apt-get install devscripts -y
hardening-check pwd

You see a list of defenses, and whether they are implemented, as shown below.

Using checksec

Execute these commands to check the file for security protections with a different tool:


sudo apt-get install checksec -y
checksec --file pwd

You see a list of defenses, and whether they are implemented, as shown below (I trimmed some fields on the right).

Documentation

Using documentation, such as the pages linked below, solve the puzzles below. Be warned, some of the information on the pages is inadequate or misleading.

gcc(1) - Linux manual page

man hardening-check

Flag ED 230.1: PIE (3 pts)
Find the gcc flag needed to disable Position Independent Executable support, outlined in red in the image below.
The flag is covered by a green rectangle in the image below.

Flag ED 230.2: Canary (3 pts)
Find the gcc flag needed to add a stack canary to the file, outlined in red in the image below.
The flag is covered by a green rectangle in the image below.

Flag ED 230.3: Symbols (3 pts)
Find the gcc flag needed to remove symbols, outlined in red in the image below.
The flag is covered by a green rectangle in the image below.

Flag ED 230.4: Fortify (3 pts)
Find the gcc flag needed to "Fortify Source functions", outlined in red in the image below.
The flag is covered by a green rectangle in the image below.

Flag ED 230.5: Binding (3 pts)
Find the gcc flag needed to implement "Immediate binding", outlined in red in the image below.
The flag is covered by a green rectangle in the image below.

Posted 4-11-2021
Images updated 3-8-23