winter.txt update - testers needed

Robert Connolly cendres at videotron.ca
Tue Feb 3 12:19:53 PST 2004


We have non executable stack on first boot!
ftp://twocents.mooo.com/pub/hcc/winter.txt

#
# PaX options
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
# CONFIG_PAX_EMUSIGRT is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_PT_GNU_STACK=y
CONFIG_PAX_PT_GNU_HEAP=y
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_RANDEXEC=y

I rebooted and built paxtest without propolice:

PaXtest - Copyright(c) 2003 by Peter Busser <peter at adamantix.org>
Released under the GNU Public Licence version 2 or later

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect)              : Killed
Anonymous mapping randomisation test     : 16 bits (guessed)
Heap randomisation test (ET_EXEC)        : 25 bits (guessed)
Heap randomisation test (ET_DYN)         : 25 bits (guessed)
Main executable randomisation (ET_EXEC)  : 17 bits (guessed)
Main executable randomisation (ET_DYN)   : 17 bits (guessed)
Shared library randomisation test        : 16 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 24 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Killed

Notice the return to libc tests show vulnerabilities. This test was built with 
propolice:

PaXtest - Copyright(c) 2003 by Peter Busser <peter at adamantix.org>
Released under the GNU Public Licence version 2 or later

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect)              : Killed
Anonymous mapping randomisation test     : 16 bits (guessed)
Heap randomisation test (ET_EXEC)        : 25 bits (guessed)
Heap randomisation test (ET_DYN)         : 25 bits (guessed)
Main executable randomisation (ET_EXEC)  : 17 bits (guessed)
Main executable randomisation (ET_DYN)   : 17 bits (guessed)
Shared library randomisation test        : 16 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 24 bits (guessed)
Return to function (strcpy)              : Return to function (strcpy, 
RANDEXEC)    : re
ttofunc1x: stack smashing attack in function doit()
Killed
Return to function (memcpy)              : rettofunc2: stack smashing attack 
in function
 doit()
Killed
Return to function (memcpy, RANDEXEC)    : rettofunc2x: stack smashing attack 
in functio
n doit()
Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Killed

:)

>From what I'm told I may have been the first person to use gcc -fpie and ld 
-z,relro on an entire base system (except an issue with util-linux).




More information about the hlfs-dev mailing list