ssh segmentation faults


Post by cpruefer » Fri Jul 06, 2007 3:53 am

hi @ grsec_forum...

i have a strange behaviour on ssh connections to our server (which is probably hacked)...

on systems without pax/grsecurity:

when a ssh connection times out...
i do a "kill -11 $ssh_pid" on the local connecting machine
local ssh process creates "segmentation fault"...
suspicious... someone tries to exploit my machine i think...

the strange thing is:
i have an apple ibook with gentoo linux hardened (kernel 2.6.18) +pax+ssp
the same behaviour as mentioned above !?!
ssh exits with segmentation fault and pax_log/grsec_log doesn't mention anything...
checked the pax flags on ssh client binary -> everything ok...

recompiled newest OpenSSH client -> same thing...

how can i check that pax/ssp works correctly?
should i try to debug ssh with gdb to see where the attacker tries to crash ssh?

if i compile a system with "-O3" compiler flag, is there still a possibility to debug things?

hopefully someone can help...

greetz,
claus prüfer
cpruefer
 
Posts: 8
Joined: Fri Jul 06, 2007 3:05 am

Re: ssh segmentation faults

Post by PaX Team » Sat Jul 07, 2007 7:08 pm

cpruefer wrote:
> when a ssh connection times out...
> i do a "kill -11 $ssh_pid" on the local connecting machine
> local ssh process creates "segmentation fault"...
> suspicious... someone tries to exploit my machine i think...

well, if you send a SIGSEGV to a process, it'll die with a segfault... what else did you expect? ;-).

> how can i check that pax/ssp works correctly?
> should i try to debug ssh with gdb to see where the attacker tries to crash ssh?
>
> if i compile a system with "-O3" compiler flag, is there still a possibility to debug things?

add -ggdb to CFLAGS and you'll get enough debug info for gdb (and obviously FEATURES=nostrip or splitdebug) then try to catch the segfaults and see what you can find out (x/8i $pc, bt, info reg, etc).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
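
The point of the reply above, as an added example that is not part of the original thread: a SIGSEGV delivered by "kill -11" and one raised by a real memory fault can be told apart through the si_code field of siginfo_t. The function name, exit codes and the forked test child are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { FROM_PROCESS = 10, FROM_KERNEL = 20 };  /* child exit codes (constructed) */
static int *volatile bad_ptr = NULL;  /* volatile: the store cannot be optimised away */

/* POSIX: si_code <= 0 means a process sent the signal (kill(2) gives SI_USER);
 * a genuine memory fault arrives with SEGV_MAPERR or SEGV_ACCERR (> 0). */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    _exit(si->si_code <= 0 ? FROM_PROCESS : FROM_KERNEL);  /* async-signal-safe */
}

/* Run a child that gets SIGSEGV either from a real fault or from kill(2),
 * and return what its handler learned from siginfo_t (-1 on error). */
int segv_origin(int real_fault)
{
    struct sigaction sa = {0}, old;
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    /* Install before fork() so the child has the handler from its first instruction. */
    if (sigaction(SIGSEGV, &sa, &old) < 0) return -1;

    pid_t pid = fork();
    if (pid == 0) {
        if (real_fault) { *bad_ptr = 1; _exit(0); }  /* NULL write: kernel raises SIGSEGV */
        for (;;) pause();                            /* otherwise wait for the parent's kill */
    }
    sigaction(SIGSEGV, &old, NULL);       /* parent returns to its old disposition */
    if (pid < 0) return -1;
    if (!real_fault) kill(pid, SIGSEGV);  /* same effect as "kill -11 $pid" */

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("kill -11   -> %s\n", segv_origin(0) == FROM_PROCESS ? "sent by a process" : "?");
    printf("NULL write -> %s\n", segv_origin(1) == FROM_KERNEL ? "real memory fault" : "?");
    return 0;
}
```

Without a handler both cases end the same way (death by signal 11), which is why the shell message alone says nothing about the cause.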

Post by cpruefer » Mon Jul 09, 2007 1:01 am

> well, if you send a SIGSEGV to a process, it'll die with a segfault... what else did you expect?

well, i was somehow sure that signal "11" was SIGINT... :-?

> add -ggdb to CFLAGS and you'll get enough debug info for gdb (and obviously FEATURES=nostrip or splitdebug) then try to catch the segfaults and see what you can find out (x/8i $pc, bt, info reg, etc).

think problem has been solved -> nevertheless i will try debugging... thanx for your effort...
cpruefer
 
Posts: 8
Joined: Fri Jul 06, 2007 3:05 am
