grsecurity forums

[c4ri0c4]

Parte 1

Hi Guys

I have environment with Grsecurity in Kernel version 2.6.27.14, but I don't run cgi create in
Kylix. I have the follow problems:

- Same version of aplication don't accpet flags of pax.
- All version don't work and also can't use shared library
- Or when static version return sigkill

I try many form, but I didn't run the specific application, but others cgi (C, Perl) run without problem.

Look the message error of paxctl:
paxctl -C CGI2.cgi
file CGI2.cgi is not a valid ELF executable (invalid SHT_ entry:0)

Look the message error of readelf:


readelf -l CGI2.cgi
readelf: Error: Out of memory allocating 0x61437261 bytes for string table

Elf file type is EXEC (Executable file)
Entry point 0x80541f8
There are 5 program headers, starting at offset 52

Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08048034 0x08048034 0x000a0 0x000a0 R E 0x4
INTERP 0x0000d4 0x080480d4 0x080480d4 0x00013 0x00013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x08048000 0x08048000 0x232104 0x236104 R E 0x1000
LOAD 0x232104 0x0827f104 0x0827f104 0x3ca78 0x3f10c RWE 0x1000
readelf: Error: no .dynamic section in the dynamic segment DYNAMIC 0x26eaf4 0x082bbaf4 0x082bbaf4 0x00088 0x00088 RW 0x4



Another version, I have sucess when try insert flags but I have problem still because my webserver return error 500.

# paxctl -C CGI2
file CGI2 got a new PT_PAX_FLAGS program header

# paxctl -v CGI2
PaX control v0.5 Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: -------x-e-- [CGI2]
RANDEXEC is disabled
EMUTRAMP is disabled
readelf -l CGI2

Elf file type is EXEC (Executable file)
Entry point 0x80541f8
There are 6 program headers, starting at offset 52

Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08047034 0x08047034 0x000c0 0x000c0 R E 0x4
INTERP 0x0010d4 0x080480d4 0x080480d4 0x00013 0x00013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x08047000 0x08047000 0x233104 0x237104 R E 0x1000
LOAD 0x233104 0x0827f104 0x0827f104 0x3ca78 0x3f10c RWE 0x1000
DYNAMIC 0x26faf4 0x082bbaf4 0x082bbaf4 0x00088 0x00088 RW 0x4
LOOS+5041580 0x000000 0x00000000 0x00000000 0x00000 0x00000 0x4

Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .dynsym .dynstr .hash .rel.plt .plt .text borland.ressym borland.resstr borland.reshash borland.resdata borland.resspare
03 .data .rodata .got .dynamic .bss
04 .dynamic
05


Please,I didn't know how to resolve this problem, I tried several ways and actions without success, this error only happens with CGI Kylix.

What I can do?

[PaX Team]

due to this:

Code: Select all

  LOAD           0x233104 0x0827f104 0x0827f104 0x3ca78 0x3f10c RWE 0x1000

you'll have to disable MPROTECT on the binary.

[c4ri0c4]

Dear guy

I tried thi is:
# paxctl -C cgi_teste1
# paxctl -v cgi_teste1
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [cgi_teste1]
RANDEXEC is disabled
EMUTRAMP is disabled


After:

# paxctl -m cgi_teste1
# paxctl -v cgi_teste1
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

# ./cgi_teste1
Segmentation fault

- PaX flags: -----m-x-e-- [cgi_teste1]
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled


Another test:

paxctl -C outrox1
file outrox1 got a new PT_PAX_FLAGS program header

# paxctl -v outrox1
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: -------x-e-- [outrox1]
RANDEXEC is disabled
EMUTRAMP is disabled

# paxctl -v outrox1
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [outrox1]
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled

# ./outrox1
Segmentation fault

What I still can try?

Sandro Melo

[c4ri0c4]

Please

I have another question about "fingerprint" of head of binary. Where I learn about the value of head, I would like to learn identify when mprotect is disbable or enable only see for header of binary and other methods, like you! Where I learn about it? I would like identify on structure of elf when and what flags active or disable. How this is possible?

thank you!

Sandro

[PaX Team]

# ./cgi_teste1
Segmentation fault

- PaX flags: -----m-x-e-- [cgi_teste1]
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled

well, you can keep disabling more PaX features and see what if anything helps. if nothing does then borland binaries cannot be helped, i'm afraid.

[PaX Team]

I have another question about "fingerprint" of head of binary. Where I learn about the value of head, I would like to learn identify when mprotect is disbable or enable only see for header of binary and other methods, like you! Where I learn about it? I would like identify on structure of elf when and what flags active or disable. How this is possible?

you have to read the PaX documentation and understand each feature and what in particular they restrict. say, MPROTECT prevents runtime code generation, then you'll immediately know to disable it on binaries that do need to generate code at runtime. having a RWE PT_LOAD segment also amounts to runtime code generation, hence my suggestion. then you may have text relocations or RWE GNU_STACK markings with a bad glibc, etc. the general rule of thumb is to look out for application behaviour that runs afoul of a given protection feature. just what such a behaviour is cannot be described in general, you'll need to analyze each case. if you get error messages you can often search this board to find hints about what is going on.

[c4ri0c4]

Ok guy

Thank very much for your help and congratulation for great support!

Case The Project will need mirror or another recourse type of help, tell me.

bye.

Sandro

[Oscon]

Dear guy

# ./outrox1
Segmentation fault

What I still can try?

Sandro Melo

Do you use TPE ?

Tip 1.: disable TPE, and try with paxctl -msp, etc...does it work ?

Tip2.: Does it work with only chpax without any paxctl conversion ?

If chpax works, but paxctl+TPE doesn't work then can you try

Code: Select all

 strace -e trace=shmat -f ./binary 2> /tmp/shmat_strace.out

?

does it work or "permission denied" ?