hacktricks/binary-exploitation/common-binary-protections-and-bypasses/relro.md
# Relro
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Relro
**RELRO** stands for **Relocation Read-Only**, and it's a security feature used in binaries to mitigate the risks associated with **GOT (Global Offset Table)** overwrites. There are two types of **RELRO** protections: (1) **Partial RELRO** and (2) **Full RELRO**. Both of them reorder the **GOT** and **BSS** sections of the ELF file, but with different results and implications. Specifically, they place the **GOT** section *before* the **BSS**. That is, **GOT** is at lower addresses than **BSS**, which makes it impossible to overwrite **GOT** entries by overflowing variables in the **BSS** (remember that a linear overflow writes from lower toward higher addresses).
Let's break down the concept into its two distinct types for clarity.
### **Partial RELRO**
**Partial RELRO** takes a simpler approach to enhance security without significantly impacting the binary's performance. Partial RELRO makes **the non-PLT part of the GOT section (usually shown as .got in readelf output) read-only**. Bear in mind that other sections like .got.plt are still writable and, therefore, subject to attacks. This **doesn't prevent the GOT** from being abused through **arbitrary write** vulnerabilities.
Note: By default, GCC compiles binaries with Partial RELRO.
### **Full RELRO**
**Full RELRO** steps up the protection by **making the entire GOT (both .got and .got.plt) and the .fini\_array** section completely **read-only.** Once the binary starts, all the function addresses are resolved and loaded into the GOT; then the GOT is marked as read-only, effectively preventing any modifications to it at runtime.
However, the trade-off with Full RELRO is in terms of performance and startup time. Because it needs to resolve all dynamic symbols at startup before marking the GOT as read-only, **binaries with Full RELRO enabled may experience longer load times**. This additional startup overhead is why Full RELRO is not enabled by default in all binaries.
It's possible to check whether Full RELRO is **enabled** in a binary with:

```bash
# BIND_NOW is a dynamic-section flag, so it is listed by `readelf -d` (not `-l`);
# `readelf -l` shows the GNU_RELRO program header that both Partial and Full RELRO have.
readelf -d /proc/ID_PROC/exe | grep BIND_NOW
```
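The one-liner above only answers "Full or not". The following script, added here as an example and not part of the original HackTricks page, turns the same two `readelf` observations into the three-way classification that tools such as checksec report: a `GNU_RELRO` program header means at least Partial RELRO, and `GNU_RELRO` together with the `BIND_NOW` dynamic flag means Full RELRO. The classifier works on `readelf` text so it can be exercised with constructed snippets; the `demo` function additionally builds a trivial C program with the GNU ld flags `-z norelro`, `-z relro` (Partial) and `-z relro -z now` (Full) when `gcc` and `readelf` are available, so you can see each level produced on your own toolchain. The temp-file names are this example's own choice.

```shell
#!/bin/sh
# classify_relro: read the concatenated output of `readelf -l` and `readelf -d`
# for one binary on stdin and print the RELRO level.
classify_relro() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'GNU_RELRO'; then
        # GNU_RELRO segment present: the loader will mprotect that range read-only.
        if printf '%s\n' "$out" | grep -q 'BIND_NOW'; then
            # BIND_NOW: every import is resolved at startup, so .got.plt can be
            # placed inside the RELRO segment as well -> Full RELRO.
            echo "Full RELRO"
        else
            # Lazy binding keeps .got.plt writable -> Partial RELRO.
            echo "Partial RELRO"
        fi
    else
        echo "No RELRO"
    fi
}

# relro_level FILE: run readelf on a real binary and classify it.
relro_level() {
    { readelf -l "$1"; readelf -d "$1"; } 2>/dev/null | classify_relro
}

# demo: compile the same tiny program with three linker settings and report the
# level each one yields (skipped when gcc/readelf are missing).
demo() {
    if ! command -v gcc >/dev/null 2>&1 || ! command -v readelf >/dev/null 2>&1; then
        echo "gcc/readelf not available, skipping build demo"
        return 0
    fi
    tmp=$(mktemp -d)                      # example scratch dir, removed below
    printf 'int main(void){return 0;}\n' > "$tmp/t.c"
    for flags in "-Wl,-z,norelro" "-Wl,-z,relro,-z,lazy" "-Wl,-z,relro,-z,now"; do
        if gcc "$flags" -o "$tmp/t" "$tmp/t.c" 2>/dev/null; then
            printf '%-24s -> %s\n' "$flags" "$(relro_level "$tmp/t")"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Usage on an arbitrary binary is `relro_level /path/to/bin` (or `relro_level /proc/ID_PROC/exe` for a running process). The explicit `-z lazy` in the Partial case matters: some distributions patch GCC to pass `-z now` by default, so `-z relro` alone may already give you Full RELRO there.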
## Bypass
If Full RELRO is enabled, the only way to bypass it is to find another route to arbitrary execution that doesn't require writing to the GOT.

Note that **libc's GOT is usually Partial RELRO**, so it can be modified with an arbitrary write. More information in [Targetting libc GOT entries](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#1---targetting-libc-got-entries).