From: Jelle van der Waa <jelle(a)vdwaa.nl>
Include a rule to check for vulnerable RUNPATH ELF binary entries, which
allow arbitrary code execution by loading shared libraries from an
attacker controller path.
---
Namcap/rules/__init__.py | 1 +
Namcap/rules/runpath.py | 71 ++++++++++++++++++++++++++++++++++++++++
namcap-tags | 1 +
namcap.1 | 3 ++
4 files changed, 76 insertions(+)
create mode 100644 Namcap/rules/runpath.py
diff --git a/Namcap/rules/__init__.py b/Namcap/rules/__init__.py
index 525dbc6..ee400e2 100644
--- a/Namcap/rules/__init__.py
+++ b/Namcap/rules/__init__.py
@@ -44,6 +44,7 @@ from . import (
permissions,
py_mtime,
rpath,
+ runpath,
scrollkeeper,
shebangdepends,
sodepends,
diff --git a/Namcap/rules/runpath.py b/Namcap/rules/runpath.py
new file mode 100644
index 0000000..053923e
--- /dev/null
+++ b/Namcap/rules/runpath.py
@@ -0,0 +1,71 @@
+# namcap rules - runpath
+#
+# Copyright (C) 2019 Jelle van der Waa <jelle(a)archlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+from Namcap.util import is_elf
+from Namcap.ruleclass import TarballRule
+
+from elftools.elf.elffile import ELFFile
+from elftools.elf.dynamic import DynamicSection
+
+allowed = ('/usr/lib', '/usr/lib32', '/lib', '$ORIGIN', '${ORIGIN}')
+allowed_toplevels = (s + '/' for s in allowed)
+warn = ['/usr/local/lib']
+
+
+def get_runpaths(fileobj):
+ elffile = ELFFile(fileobj)
+ for section in elffile.iter_sections():
+ if not isinstance(section, DynamicSection):
+ continue
+ for tag in section.iter_tags():
+ if tag.entry.d_tag != 'DT_RUNPATH':
+ continue
+ for path in tag.runpath.split(':'):
+ yield path
+
+
+class package(TarballRule):
+ name = "runpath"
+ description = "Verifies if RUNPATH is secure"
+
+ def analyze(self, pkgingo, tar):
+ for entry in tar:
+ if not entry.isfile():
+ continue
+
+ fileobj = tar.extractfile(entry)
+ if not is_elf(fileobj):
+ continue
+
+ for path in get_runpaths(fileobj):
+ path_ok = path in allowed
+ for allowed_toplevel in allowed_toplevels:
+ if path.startswith(allowed_toplevel):
+ path_ok = True
+
+ if not path_ok:
+ self.errors.append(("insecure-runpath %s %s",
+ (path, entry.name)))
+ break
+
+ if path in warn and entry.name not in insecure_rpaths:
+ self.warnings.append(("insecure-runpath %s %s",
+ (path, entry.name)))
+
+
+# vim: set ts=4 sw=4 noet:
diff --git a/namcap-tags b/namcap-tags
index 84cc3f7..1f7bc69 100644
--- a/namcap-tags
+++ b/namcap-tags
@@ -44,6 +44,7 @@ incorrect-owner %s (%s:%s) :: File (%s) is owned by %s:%s
invalid-filename :: File name %s contains non standard characters
info-dir-file-present %s :: Info directory file (%s) should not be present
insecure-rpath %s %s :: Insecure RPATH '%s' in file ('%s')
+insecure-runpath %s %s :: Insecure RUNPATH '%s' in file ('%s')
libtool-file-present %s :: File (%s) is a libtool file
library-no-package-associated %s :: Referenced library '%s' is an uninstalled dependency
link-level-dependence %s in %s :: Link-level dependence (%s) in file %s
diff --git a/namcap.1 b/namcap.1
index fcea8ed..9243087 100644
--- a/namcap.1
+++ b/namcap.1
@@ -108,6 +108,9 @@ Checks basic file and and directory permissions. It returns warnings about worl
.B rpath
Gives an error if a binary has RPATH set to something other than /usr/lib
.TP
+.B runpath
+Gives an error if a binary has RUNPATH set to something other than /usr/lib, /usr/lib32
+.TP
.B scrollkeeper
Verifies that there aren't any scrollkeeper directories
.TP
--
2.23.0