Exec-shield vs. paxtest & libsafe

Handler javaslatára teszteltem az exec-shield patchet (lásd előző cikk) két tesztprogrammal. A tesztprogramok a libsafe-2.0-16 és a paxtest-0.9.1 voltak. Az eredmények érdekesek. Lássuk a teszteket:

===========================================

sunshine:/home/trey/exec/libsafe-2.0-16/exploits# echo "2" > /proc/sys/kernel/exec-shield

sunshine:/home/trey/exec/libsafe-2.0-16/exploits# cat /proc/sys/kernel/exec-shield

2

===========================================

libsafe-2.0-16 (exec-shield teljes védelem):

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./canary-exploit

This program tries to use printf("%n") to overwrite the

return address on the stack.

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

sh-2.05b$ exit

exit

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./exploit-non-exec-stack

This program demonstrates how a (stack) buffer overflow

can attack linux kernels with *non-executable* stacks.

This is variation on return-int-libc attack.

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

sh-2.05b$ exit

exit

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t1

This program tries to use strcpy() to overflow the buffer.

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

Szegmens hiba

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t1w

This program tries to use strcpy() to overflow the buffer.

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

Szegmens hiba

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t3

This program will exec() a new program. The new program will

overflow the buffer using strcpy().

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

Szegmens hiba

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t3w

This program will exec() a new program. The new program will

overflow the buffer using strcpy().

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

Szegmens hiba

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t4

This program will fork() child process, and the child

will overflow the buffer using strcpy().

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

parent process terminating

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t4w

This program will fork() child process, and the child

will overflow the buffer using strcpy().

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

parent process terminating

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t5

This program tries to use strcat() to overflow the buffer.

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

Szegmens hiba

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t6

This program tries to use scanf() to overflow the buffer.

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

Szegmens hiba

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

===========================================

sunshine:/home/trey/exec/libsafe-2.0-16/exploits# echo "0" > /proc/sys/kernel/exec-shield

sunshine:/home/trey/exec/libsafe-2.0-16/exploits# cat /proc/sys/kernel/exec-shield

0

===========================================

libsafe-2.0-16 (exec-shield kikapcsolva):

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./canary-exploit

This program tries to use printf("%n") to overwrite the

return address on the stack.

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

sh-2.05b$ exit

exit

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./exploit-non-exec-stack

This program demonstrates how a (stack) buffer overflow

can attack linux kernels with *non-executable* stacks.

This is variation on return-int-libc attack.

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

sh-2.05b$ exit

exit

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t1

This program tries to use strcpy() to overflow the buffer.

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

sh-2.05b$ exit

exit

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t1w

This program tries to use strcpy() to overflow the buffer.

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

sh-2.05b$ exit

exit

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t3

This program will exec() a new program. The new program will

overflow the buffer using strcpy().

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

sh-2.05b$ exit

exit

You have new mail in /var/mail/trey

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t3w

This program will exec() a new program. The new program will

overflow the buffer using strcpy().

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

sh-2.05b$ exit

exit

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t4

This program will fork() child process, and the child

will overflow the buffer using strcpy().

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

sh-2.05b$ exit

exit

parent process terminating

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t5

This program tries to use strcat() to overflow the buffer.

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

sh-2.05b$ exit

exit

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

---------------------------------------------------------------------

trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t6

This program tries to use scanf() to overflow the buffer.

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

sh-2.05b$ exit

exit

trey@sunshine:~/exec/libsafe-2.0-16/exploits$

---------------------------------------------------------------------

Eredmény: bekapcsolt exec-shiled-del 10-ből 8 esetben nem adtak shell-t az exploitok, "csak" segfaultoltak. Kikapcsolt exec-shield-del 10 alkalomból 10-szer adtak shellt.

*************************************************

===========================================

sunshine:/home/trey/exec/paxtest-0.9.1# echo "2" > /proc/sys/kernel/exec-shield

sunshine:/home/trey/exec/paxtest-0.9.1# cat /proc/sys/kernel/exec-shield

2

===========================================

paxtest-0.9.1 (exec-shield bekapcsolva):

trey@sunshine:~/exec/paxtest-0.9.1$ ./paxtest

It may take a while for the tests to complete

Test results:

Executable anonymous mapping : Killed

Executable bss : Vulnerable

Executable data : Vulnerable

Executable heap : Killed

Executable stack : Killed

Executable anonymous mapping (mprotect) : Killed

Executable bss (mprotect) : Vulnerable

Executable data (mprotect) : Vulnerable

Executable heap (mprotect) : Vulnerable

Executable shared library bss (mprotect) : Vulnerable

Executable shared library data (mprotect): Vulnerable

Executable stack (mprotect) : Vulnerable

Anonymous mapping randomisation test : 8 bits (guessed)

Heap randomisation test (ET_EXEC) : 13 bits (guessed)

Heap randomisation test (ET_DYN) : 13 bits (guessed)

Main executable randomisation (ET_EXEC) : No randomisation

Main executable randomisation (ET_DYN) : 12 bits (guessed)

Shared library randomisation test : 12 bits (guessed)

Stack randomisation test (SEGMEXEC) : 17 bits (guessed)

Stack randomisation test (PAGEEXEC) : 17 bits (guessed)

Return to function (strcpy) : Vulnerable

Return to function (memcpy) : Vulnerable

Executable shared library bss : Vulnerable

Executable shared library data : Vulnerable

Writable text segments : Vulnerable

===========================================

sunshine:/home/trey/exec/paxtest-0.9.1# echo "0" > /proc/sys/kernel/exec-shield

sunshine:/home/trey/exec/paxtest-0.9.1# cat /proc/sys/kernel/exec-shield

0

===========================================

paxtest-0.9.1 (exec-shield kikapcsolva):

trey@sunshine:~/exec/paxtest-0.9.1$ ./paxtest

It may take a while for the tests to complete

Test results:

Executable anonymous mapping : Vulnerable

Executable bss : Vulnerable

Executable data : Vulnerable

Executable heap : Vulnerable

Executable stack : Vulnerable

Executable anonymous mapping (mprotect) : Vulnerable

Executable bss (mprotect) : Vulnerable

Executable data (mprotect) : Vulnerable

Executable heap (mprotect) : Vulnerable

Executable shared library bss (mprotect) : Vulnerable

Executable shared library data (mprotect): Vulnerable

Executable stack (mprotect) : Vulnerable

Anonymous mapping randomisation test : No randomisation

Heap randomisation test (ET_EXEC) : No randomisation

Heap randomisation test (ET_DYN) : No randomisation

Main executable randomisation (ET_EXEC) : No randomisation

Main executable randomisation (ET_DYN) : No randomisation

Shared library randomisation test : No randomisation

Stack randomisation test (SEGMEXEC) : No randomisation

Stack randomisation test (PAGEEXEC) : No randomisation

Return to function (strcpy) : Vulnerable

Return to function (memcpy) : Vulnerable

Executable shared library bss : Vulnerable

Executable shared library data : Vulnerable

Writable text segments : Vulnerable

Eredmény: a bekapcsolt exec-shield 4 exploitot "killelt" ki, míg kikapcsolt állapotban az összes teszt sebezhetőséget mutatott.

A tesztek azt igazolják, hogy van értelme patchelni a kernelt az exec-shield-del, hiszen negatív következménye nincs (vagy még nem jött elő), viszont néhány exploittal szemben hatékony lehet.