ptrace exploit still possible on 2.4.22 with grsecurity
Posted: Fri Nov 21, 2003 4:59 am
Hi,
I am new to grsecurity... I have experience with LIDS and openwall and want to move to grsecurity because of the greater flexibility of its ACLs and the advantage of a package combining a rule-based system and stack protection.
I built grsecurity with PaX on a 2.4.22 kernel without LKM support on a Red Hat 8.0 test system. Regarding ACLs everything is fine, but the problem comes with PaX.
I have three kernels:
1. unprotected 2.4.18
2. openwall-protected 2.4.21
3. grsecurity-protected 2.4.22
The ptrace exploit gives me a root shell on 1. and 3., so I somehow missed something in my PaX configuration?
[weeny@obelix weeny]$ id
uid=501(weeny) gid=501(weeny) groups=501(weeny)
[weeny@obelix weeny]$ ptrace
sh-2.05b# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-2.05b#
This is what my pax test gives me:
[root@obelix paxtest-0.9.5]# ./paxtest
PaXtest - Copyright(c) 2003 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect) : Killed
Anonymous mapping randomisation test : 16 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 25 bits (guessed)
Main executable randomisation (ET_EXEC) : 16 bits (guessed)
Main executable randomisation (ET_DYN) : 17 bits (guessed)
Shared library randomisation test : 16 bits (guessed)
Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Killed
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Killed
Because openwall can prevent the ptrace exploit, I guess that PaX could do the same as well!?
Maybe I made a mistake with my ACL (missing some flags?)... In the documentation I found that PaX is enabled by default.
Any advice?
regards,
weeny
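One thing worth reading off the paxtest output above before hunting for a missing ACL flag: paxtest only exercises userland memory-corruption defences (non-executable pages and address-space randomisation). A root shell obtained through a bug in the kernel's ptrace handling is outside what those tests measure, so a clean paxtest run says nothing about it. The two "Vulnerable" lines are return-to-function tests, which non-executable pages alone never stop; that is why the RANDEXEC variants of the same tests show "Killed". The script below is an added example, not code from the post or from paxtest itself: it parses the report format shown above (the lines are copied from the post), separates killed, vulnerable and randomisation results, and flags any region whose entropy is below a chosen floor (the 16-bit default is an assumption, not a paxtest value).

```python
"""Summarise a paxtest report: which tests were killed, which remain
vulnerable, and which regions have less randomisation than a chosen floor.
Added example; not part of the original post or of paxtest."""
import re
from typing import Dict, List, NamedTuple, Optional

# Report lines copied from the paxtest run quoted in the post above.
PAXTEST_OUTPUT = """\
PaXtest - Copyright(c) 2003 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
Test results:
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect) : Killed
Anonymous mapping randomisation test : 16 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 25 bits (guessed)
Main executable randomisation (ET_EXEC) : 16 bits (guessed)
Main executable randomisation (ET_DYN) : 17 bits (guessed)
Shared library randomisation test : 16 bits (guessed)
Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Killed
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Killed
"""


class PaxResult(NamedTuple):
    name: str             # test name as printed by paxtest
    verdict: str          # raw text after the colon ("Killed", "Vulnerable", "N bits (guessed)")
    bits: Optional[int]   # parsed entropy for randomisation tests, None otherwise


# "name : verdict"; the space before the colon is optional (see the
# "shared library data (mprotect):" line). Banner lines have no colon and
# "Test results:" has nothing after it, so neither matches.
_LINE = re.compile(r"^(?P<name>.+?)\s*:\s*(?P<verdict>\S.*?)\s*$")
_BITS = re.compile(r"^(?P<bits>\d+) bits")


def parse_paxtest(text: str) -> List[PaxResult]:
    """Return one PaxResult per result line, skipping banner/header lines."""
    results: List[PaxResult] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        verdict = m.group("verdict")
        b = _BITS.match(verdict)
        results.append(PaxResult(m.group("name"), verdict,
                                 int(b.group("bits")) if b else None))
    return results


def summarize(results: List[PaxResult]) -> Dict[str, object]:
    """Group results: killed tests, tests not killed, and entropy per region."""
    killed: List[str] = []
    vulnerable: List[str] = []
    randomisation: Dict[str, int] = {}
    for r in results:
        if r.bits is not None:
            randomisation[r.name] = r.bits
        elif r.verdict == "Killed":
            killed.append(r.name)
        else:
            # Anything paxtest did not kill counts as an unmitigated test.
            vulnerable.append(r.name)
    return {"killed": killed, "vulnerable": vulnerable, "randomisation": randomisation}


def weak_randomisation(results: List[PaxResult], min_bits: int = 16) -> List[str]:
    """Names of randomisation tests reporting fewer than min_bits of entropy.
    The 16-bit floor is an assumed review threshold, not a paxtest constant."""
    return [r.name for r in results if r.bits is not None and r.bits < min_bits]


if __name__ == "__main__":
    parsed = parse_paxtest(PAXTEST_OUTPUT)
    summary = summarize(parsed)
    print(f"{len(summary['killed'])} killed, {len(summary['vulnerable'])} not killed")
    for name in summary["vulnerable"]:
        print("  not killed:", name)
    for name in weak_randomisation(parsed):
        print("  low entropy:", name)
```

Run against the report above it reports the two return-to-function tests as not killed and the ET_EXEC heap as the one region below 16 bits; neither finding bears on a kernel ptrace bug, which is the check a reader of this post would most want to keep separate from the PaX numbers.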