public inbox for linux-kernel@vger.kernel.org
From: Boszormenyi Zoltan <zboszor@freemail.hu>
To: Ingo Molnar <mingo@elte.hu>
Cc: linux-kernel <linux-kernel@vger.kernel.org>,
	Gabor MICSKO <gmicsko@szintezis.hu>
Subject: Re: [patch] exec-shield-2.6.0-test6-G3
Date: Thu, 09 Oct 2003 13:52:51 +0200	[thread overview]
Message-ID: <3F854C13.3010902@freemail.hu> (raw)
In-Reply-To: <Pine.LNX.4.56.0309301655330.9692@localhost.localdomain>

Hi, Ingo, Gabor,

I tried exec-shield-2.6.0-test6-G3 on 2.6.0-test7 patched with
http://www.kernel.org/pub/linux/kernel/v2.6/testing/cset/cset-20031009_0504.txt.gz
(up to cset-1.1320); it applied with some fuzz and offset differences.

I got the following exploit differences with libsafe and paxtest:

libsafe-2.0-16:
[zozo@catv-50624ad9 exploits]$ ./t6
This program tries to use scanf() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
If you see this statement, it means that the buffer
overflow never occurred.

Should I worry about it?

paxtest-0.9.1:
[zozo@catv-50624ad9 paxtest-0.9.1]$ ./paxtest
It may take a while for the tests to complete
Test results:
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : 16 bits (guessed) *
Heap randomisation test (ET_EXEC)        : 13 bits (guessed) * these 3 are varying
Heap randomisation test (ET_DYN)         : 13 bits (guessed) *
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (ET_DYN)   : 12 bits (guessed)
Shared library randomisation test        : No randomisation  *** this changed ***
Stack randomisation test (SEGMEXEC)      : 17 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 17 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (memcpy)              : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable

$ uname -a
Linux catv-50624ad9.szolcatv.broadband.hu 2.6.0-test7-exec-shield-nptl #2 SMP Thu Oct 9 10:39:04 CEST 2003 i686 i686 i386 GNU/Linux
$ cat /proc/sys/kernel/exec-shield
2
$ cat /proc/sys/kernel/exec-shield-randomize
1

The system is an almost up-to-date "fedora core".
$ rpm -q glibc gcc gcc32 binutils
glibc-2.3.2-98
gcc-3.3.1-6
gcc32-3.2.3-6
binutils-2.14.90.0.6-3

Gabor MICSKO wrote:

> 
> Hi!
> 
> I've made a port of Ingo's last exec-shield patch. This is my second
> patch, so please test this one carefully.
> 
> Against vanilla 2.6.0-test6:
> http://www.hup.hu/old/stuff/kernel/exec-shield/exec-shield-2.6.0-test6-G3
> 
> 
> Comments, feedbacks welcome.

-- 
Best regards,
Zoltán Böszörményi

---------------------
What did Hussein say about his knife?
One in Bush worth two in the hand.
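The "N bits (guessed)" figures in the paxtest output above are estimates of how many address bits the kernel randomises between runs, obtained by sampling addresses from fresh processes and counting the bit positions that change. The following program is an added example, not part of this email or of paxtest, that reproduces that measurement for the stack, heap, a libc function, the main executable and an anonymous mapping. The sample count, the five categories and the `--probe` flag are assumptions of this example; like paxtest's figures the result is a guess from a small sample (it can only undercount bits that happen not to flip in 32 runs), and it reports observed entropy, not whether any particular exploit class is stopped.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#define SAMPLES 32   /* assumption: 32 fresh processes per measurement */

enum { K_STACK, K_HEAP, K_LIBC, K_EXE, K_MMAP, K_COUNT };
static const char *kind_name[K_COUNT] = {
    "stack", "heap", "libc", "executable", "anon mmap"
};

/* Count bit positions, within the low `width` bits, whose value is not
 * constant across the sample. A bit that is 1 in some run and 0 in another
 * is one the kernel (or loader) is randomising; this is the "guessed bits"
 * figure paxtest prints. Fewer than two samples can show no variation. */
int varying_bits(const uintptr_t *addrs, size_t n, int width) {
    if (n < 2) return 0;
    uintptr_t ones = 0, zeros = 0;
    for (size_t i = 0; i < n; i++) {
        ones |= addrs[i];     /* bits seen set in at least one sample */
        zeros |= ~addrs[i];   /* bits seen clear in at least one sample */
    }
    uintptr_t varying = ones & zeros;
    int count = 0;
    for (int b = 0; b < width; b++)
        if (varying & ((uintptr_t)1 << b)) count++;
    return count;
}

/* Child mode: print one address per category and exit. Every run is a new
 * process image, so whatever randomisation the kernel applies at exec time
 * shows up as differences between runs. */
static int probe(void) {
    int local;
    void *heap = malloc(64);
    void *anon = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    printf("%lx %lx %lx %lx %lx\n",
           (unsigned long)(uintptr_t)&local, (unsigned long)(uintptr_t)heap,
           (unsigned long)(uintptr_t)printf,        /* libc text */
           (unsigned long)(uintptr_t)varying_bits,  /* main executable text */
           (unsigned long)(uintptr_t)anon);
    return 0;
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--probe") == 0) return probe();

    /* Parent mode: re-run ourselves SAMPLES times and collect the addresses. */
    uintptr_t samples[K_COUNT][SAMPLES];
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s --probe", argv[0]);
    for (int i = 0; i < SAMPLES; i++) {
        FILE *p = popen(cmd, "r");
        if (!p) { perror("popen"); return 1; }
        unsigned long v[K_COUNT];
        if (fscanf(p, "%lx %lx %lx %lx %lx",
                   &v[0], &v[1], &v[2], &v[3], &v[4]) != K_COUNT) {
            fprintf(stderr, "probe run %d produced no output\n", i);
            pclose(p);
            return 1;
        }
        pclose(p);
        for (int k = 0; k < K_COUNT; k++) samples[k][i] = (uintptr_t)v[k];
    }

    int width = 8 * (int)sizeof(uintptr_t);
    for (int k = 0; k < K_COUNT; k++)
        printf("%-11s randomisation: %d bits varied across %d runs\n",
               kind_name[k], varying_bits(samples[k], SAMPLES, width), SAMPLES);
    return 0;
}
```

Build it with `cc -O0 -o aslr-probe aslr-probe.c` and run `./aslr-probe`; a "0 bits" line for a category corresponds to paxtest's "No randomisation", which is what the email reports for the main executable (ET_EXEC) and, after this patch, for shared libraries. Taking the address of `printf` goes through the PLT or GOT depending on how the binary is linked, so the "libc" line measures wherever that resolves; an ET_DYN (PIE) build is needed for the "executable" line to show anything but zero.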


Thread overview: 12+ messages
2003-09-29  9:11 [patch] exec-shield-2.6.0-test6-G3 Boszormenyi Zoltan
2003-09-29  9:23 ` Ingo Molnar
2003-09-30 14:57 ` Ingo Molnar
2003-10-09 11:52   ` Boszormenyi Zoltan [this message]
2003-10-09 12:23     ` Arjan van de Ven
2003-10-11  7:51       ` Ingo Molnar
2003-10-11  8:04     ` Ingo Molnar
  -- strict thread matches above, loose matches on Subject: below --
2003-09-29  9:45 Boszormenyi Zoltan
2003-09-29  9:49 ` Ingo Molnar
2003-09-29 10:24   ` Boszormenyi Zoltan
2003-09-28 14:57 Gabor MICSKO
2003-09-28 16:01 ` Ingo Molnar