Paxtest ASLR and randomization problem.
Posted: Sun May 14, 2017 1:45 pm
I use paxtest-0.9.15 on Linux 4.1.6 with grsec. It shows "Main executable randomization (ET_EXEC) : No randomization", and almost all of the "randomization test" results can be guessed, but I've enabled ASLR in grsec. It seems that ASLR did not work?
./paxtest kiddie
PaXtest - Copyright(c) 2003-2016 by Peter Busser <peter@adamantix.org> and Brad Spengler <spender@grsecurity.net>
Released under the GNU Public Licence version 2 or later
Writing output to /root/paxtest.log
It may take a while for the tests to complete
Test results:
./paxtest: line 69: ./gcc: No such file or directory
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomization test : 33 quality bits (guessed)
Heap randomization test (ET_EXEC) : 22 quality bits (guessed)
Heap randomization test (PIE) : 40 quality bits (guessed)
Main executable randomization (ET_EXEC) : No randomization
Main executable randomization (PIE) : 32 quality bits (guessed)
Shared library randomization test : 33 quality bits (guessed)
VDSO randomization test : 33 quality bits (guessed)
Stack randomization test (SEGMEXEC) : 40 quality bits (guessed)
Stack randomization test (PAGEEXEC) : 40 quality bits (guessed)
Arg/env randomization test (SEGMEXEC) : 44 quality bits (guessed)
Arg/env randomization test (PAGEEXEC) : 44 quality bits (guessed)
Offset to library randomisation (ET_EXEC): 33 quality bits (guessed)
Offset to library randomisation (ET_DYN) : 32 quality bits (guessed)
Randomization under memory exhaustion @~0: 33 bits (guessed)
Randomization under memory exhaustion @0 : 33 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE) : Vulnerable
I ran paxtest on the CentOS kernel 2.6.32-696.1.1.el6 without grsec, and it shows:
y Peter Busser <peter@adamantix.org> and Brad Spengler <spender@grsecurity.net>
Released under the GNU Public Licence version 2 or later
Writing output to /root/paxtest.log
It may take a while for the tests to complete
Test results:
./paxtest: line 69: ./gcc: No such file or directory
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
Anonymous mapping randomization test : 28 quality bits (guessed)
Heap randomization test (ET_EXEC) : 13 quality bits (guessed)
Heap randomization test (PIE) : 28 quality bits (guessed)
Main executable randomization (ET_EXEC) : No randomization
Main executable randomization (PIE) : 28 quality bits (guessed)
Shared library randomization test : 28 quality bits (guessed)
VDSO randomization test : 20 quality bits (guessed)
Stack randomization test (SEGMEXEC) : 30 quality bits (guessed)
Stack randomization test (PAGEEXEC) : 30 quality bits (guessed)
Arg/env randomization test (SEGMEXEC) : 22 quality bits (guessed)
Arg/env randomization test (PAGEEXEC) : 22 quality bits (guessed)
Offset to library randomisation (ET_EXEC): 28 quality bits (guessed)
Offset to library randomisation (ET_DYN) : No randomization
Randomization under memory exhaustion @~0: 28 bits (guessed)
Randomization under memory exhaustion @0 : 29 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE) : Vulnerable
The second problem is whether I made a mistake in the grsec config: it is still vulnerable for these two. How can I fix it?
Return to function (memcpy) : Vulnerable
Return to function (memcpy, PIE) : Vulnerable
The third problem: does "return address contains a NULL byte" mean secure or vulnerable?
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Thanks for your reply.