* [test] exec-shield vs. paxtest 0.9.5 horrible results
From: Gabor MICSKO @ 2003-12-22 10:54 UTC (permalink / raw)
To: LKML
gmicsko03:/home/trey/devel/exploit/paxtest-0.9.5# uname -a
Linux gmicsko03 2.6.0 #1 Thu Dec 18 12:32:44 CET 2003 i686 GNU/Linux
gmicsko03:/home/trey/devel/exploit/paxtest-0.9.5# echo 2 > /proc/sys/kernel/exec-shield
gmicsko03:/home/trey/devel/exploit/paxtest-0.9.5# cat /proc/sys/kernel/exec-shield
2
gmicsko03:/home/trey/devel/exploit/paxtest-0.9.5# ./paxtest
PaXtest - Copyright(c) 2003 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
Executable anonymous mapping : Vulnerable
Executable bss : Vulnerable
Executable data : Vulnerable
Executable heap : Vulnerable
Executable stack : Vulnerable
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect) : Vulnerable
Anonymous mapping randomisation test : 16 bits (guessed)
Heap randomisation test (ET_EXEC) : 14 bits (guessed)
Heap randomisation test (ET_DYN) : 13 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 12 bits (guessed)
Shared library randomisation test : 12 bits (guessed)
Stack randomisation test (SEGMEXEC) : 17 bits (guessed)
Stack randomisation test (PAGEEXEC) : 17 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Vulnerable
Executable shared library data : Vulnerable
Writable text segments : Vulnerable
gmicsko03:/home/trey/devel/exploit/paxtest-0.9.5#
Any idea?
* Re: [test] exec-shield vs. paxtest 0.9.5 horrible results
From: Arjan van de Ven @ 2003-12-22 11:09 UTC (permalink / raw)
To: Gabor MICSKO; +Cc: LKML, mingo
On Mon, 2003-12-22 at 11:54, Gabor MICSKO wrote:
> gmicsko03:/home/trey/devel/exploit/paxtest-0.9.5# uname -a
> Linux gmicsko03 2.6.0 #1 Thu Dec 18 12:32:44 CET 2003 i686 GNU/Linux
applications have the option to disable exec-shield themselves for them.
pax-test at one point did this deliberately (in order to simulate glibc
2.2 behavior according to the author); are you using a version of
paxtest that does this ?
* Re: [test] exec-shield vs. paxtest 0.9.5 horrible results
From: Ingo Molnar @ 2003-12-22 11:25 UTC (permalink / raw)
To: Gabor MICSKO; +Cc: LKML
* Gabor MICSKO <gmicsko@szintezis.hu> wrote:
> Any idea?
yes. Undo the patch below. The paxtest author decided to add this
pointless mprotect(stackptr, PROT_EXEC) to make sure the test lists
exec-shield as 'vulnerable' while listing PaX as non-vulnerable. I sent
the fix but (not surprisingly) it was not added. Marketing via testsuite
eh?
Ingo
--- paxtest-0.9.4/body.c
+++ paxtest-0.9.5/body.c
@@ -29,6 +29,7 @@
fflush( stdout );
if( fork() == 0 ) {
+ do_mprotect((unsigned long)argv & ~4095U, 4096, PROT_READ|PROT_WRITE|PROT_EXEC);
doit();
} else {
wait( &status );
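Review bot: The added do_mprotect() call runs unconditionally in the fork() child before doit() and carries no comment, so the code under test starts with the stack page that holds argv already mapped PROT_READ|PROT_WRITE|PROT_EXEC, and the results then describe that altered state rather than the kernel's default stack protection. Please put the call behind a documented option, or at least state the intent in a comment. Two smaller points on the same line: the mask `~4095U` is an unsigned int, so on a target where unsigned long is wider than unsigned int the AND also clears the upper address bits (use `~4095UL`), and the page size is hard-coded as 4096. The return value of do_mprotect() is also unused here, so a refused request would go unnoticed.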
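To see what the mprotect() request discussed in this thread changes, the following added example (not part of the thread and not paxtest code) reads the permissions of the stack mapping from /proc/self/maps before and after asking for PROT_EXEC on the page that holds argv. The names mapping_perms and make_stack_page_exec are hypothetical, and the code assumes a Linux system with /proc mounted; unlike the hunk, it takes the page size from sysconf().

```c
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

/* Copy the permission field ("rw-p", "rwxp", ...) of the mapping that
 * contains addr from /proc/self/maps into perms. Returns 0 if found. */
int mapping_perms(const void *addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    unsigned long lo, hi;
    int rc = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 &&
            (uintptr_t)addr >= lo && (uintptr_t)addr < hi) {
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Ask for read, write and execute on the page holding a stack address.
 * Returns mprotect()'s result, so a kernel or policy that refuses the
 * request is visible to the caller. */
int make_stack_page_exec(const void *stack_addr)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    void *base = (void *)((uintptr_t)stack_addr & ~(page - 1));

    return mprotect(base, page, PROT_READ | PROT_WRITE | PROT_EXEC);
}

int main(int argc, char **argv)
{
    char before[5] = "", after[5] = "";
    int rc;

    (void)argc;
    mapping_perms(argv, before);
    rc = make_stack_page_exec(argv);
    mapping_perms(argv, after);
    printf("stack page: %s -> %s (mprotect returned %d)\n", before, after, rc);
    return 0;
}
```

If the kernel grants the request, the second permission string shows the x bit on the stack mapping; if a policy refuses it, mprotect returns -1 and the permissions stay as they were.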