Test if an executable segfaults when started with an empty argv. The script may be used as a vulnerability-scanner to find setuid executables having buggy code (but it will probably not find any direct security vulnerabilities).
ubuntu@laptop:~$ mkdir /tmp/build
ubuntu@laptop:~$ mkdir /tmp/install
ubuntu@laptop:~$ cd /tmp/build
ubuntu@laptop:/tmp/build$ cmake -DCMAKE_INSTALL_PREFIX=/tmp/install ~/empty-argv-segfault-check/ && make && make install
-- The CXX compiler identification is GNU 7.2.0
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done
-- Generating done
-- Build files have been written to: /tmp/build
Scanning dependencies of target empty-argv-segfault-check
[ 50%] Building CXX object CMakeFiles/empty-argv-segfault-check.dir/main.cc.o
[100%] Linking CXX executable empty-argv-segfault-check
[100%] Built target empty-argv-segfault-check
[100%] Built target empty-argv-segfault-check
Install the project...
-- Install configuration: ""
-- Installing: /tmp/install/bin/empty-argv-segfault-check
-- Installing: /tmp/install/bin/segfault_detect.sh
-- Installing: /tmp/install/bin/find-executables.sh
ubuntu@laptop:/tmp/build$
ubuntu@laptop:/tmp$ /tmp/install/bin/find-executables.sh > /tmp/all.txt
[sudo] password for ubuntu:
ubuntu@laptop:/tmp$
ubuntu@laptop:/tmp$ /tmp/install/bin/find-executables.sh setuid > /tmp/all-setuid.txt
[sudo] password for ubuntu:
ubuntu@laptop:/tmp$
Note, starting executables might have side effects. If you want to start all the executables found on the system you better do this on a separate test user account or even better on a virtual machine.
test@laptop:/tmp$ /tmp/install/bin/segfault_detect.sh /tmp/all.txt
The result is written to a temporary file in /tmp/
test@laptop:/tmp$ ls -ltr /tmp/result.*
/tmp/result.3otWy.txt
To list the executables that segfaulted:
test@laptop:/tmp$ cat /tmp/result.3otWy.txt
/usr/bin/prog1
/usr/bin/prog2
/usr/bin/prog3
When argc is 0, argv[0] is NULL. Probably, the most common cause of the segfault is the dereferencing of argv[0]. A lot of programs falsely assume that argv[0] contains the program name without verifying that argc is not equal to 0.
main(int argc, char *argv[]) {
if (argc != 2) {
fprintf(stderr, "Usage: %s filepath\n", argv[0]);
exit(1);
}Discussion: #2
Probably not, as the program will just end directly when the null pointer is dereferenced. The interesting case regarding security is finding segfaulting executables that have the setuid bit set. Such executables run under a different User ID than the one of the user who launched it.
At least empty-argv-segfault-check could be used to find setuid executables that are not of the highest code quality. They may contain other bugs.
Discussion: #3
This question has an answer at Stackoverflow: When can argv[0] have null?
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent