
Paxtest ASLR and randomization problem.

PostPosted: Sun May 14, 2017 1:45 pm
by ShenXianMountain
I use paxtest-0.9.15 on Linux 4.1.6 with grsec. It shows "Main executable randomization (ET_EXEC) : No randomization", and almost all of the "randomization test" results are marked "guessed", but I've enabled ASLR in grsec. It seems that ASLR did not work?

./paxtest kiddie
PaXtest - Copyright(c) 2003-2016 by Peter Busser <peter@adamantix.org> and Brad Spengler <spender@grsecurity.net>
Released under the GNU Public Licence version 2 or later

Writing output to /root/paxtest.log
It may take a while for the tests to complete
Test results:
./paxtest: line 69: ./gcc: No such file or directory

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomization test : 33 quality bits (guessed)
Heap randomization test (ET_EXEC) : 22 quality bits (guessed)
Heap randomization test (PIE) : 40 quality bits (guessed)
Main executable randomization (ET_EXEC) : No randomization
Main executable randomization (PIE) : 32 quality bits (guessed)
Shared library randomization test : 33 quality bits (guessed)
VDSO randomization test : 33 quality bits (guessed)
Stack randomization test (SEGMEXEC) : 40 quality bits (guessed)
Stack randomization test (PAGEEXEC) : 40 quality bits (guessed)
Arg/env randomization test (SEGMEXEC) : 44 quality bits (guessed)
Arg/env randomization test (PAGEEXEC) : 44 quality bits (guessed)
Offset to library randomisation (ET_EXEC): 33 quality bits (guessed)
Offset to library randomisation (ET_DYN) : 32 quality bits (guessed)
Randomization under memory exhaustion @~0: 33 bits (guessed)
Randomization under memory exhaustion @0 : 33 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE) : Vulnerable



I ran paxtest on the CentOS kernel 2.6.32-696.1.1.el6 without grsec, and it shows:
PaXtest - Copyright(c) 2003-2016 by Peter Busser <peter@adamantix.org> and Brad Spengler <spender@grsecurity.net>
Released under the GNU Public Licence version 2 or later

Writing output to /root/paxtest.log
It may take a while for the tests to complete
Test results:
./paxtest: line 69: ./gcc: No such file or directory

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
Anonymous mapping randomization test : 28 quality bits (guessed)
Heap randomization test (ET_EXEC) : 13 quality bits (guessed)
Heap randomization test (PIE) : 28 quality bits (guessed)
Main executable randomization (ET_EXEC) : No randomization
Main executable randomization (PIE) : 28 quality bits (guessed)
Shared library randomization test : 28 quality bits (guessed)
VDSO randomization test : 20 quality bits (guessed)
Stack randomization test (SEGMEXEC) : 30 quality bits (guessed)
Stack randomization test (PAGEEXEC) : 30 quality bits (guessed)
Arg/env randomization test (SEGMEXEC) : 22 quality bits (guessed)
Arg/env randomization test (PAGEEXEC) : 22 quality bits (guessed)
Offset to library randomisation (ET_EXEC): 28 quality bits (guessed)
Offset to library randomisation (ET_DYN) : No randomization
Randomization under memory exhaustion @~0: 28 bits (guessed)
Randomization under memory exhaustion @0 : 29 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE) : Vulnerable


And the second problem: did I make a mistake in the grsec config? It is still vulnerable for these two; how can I fix it?

Return to function (memcpy) : Vulnerable
Return to function (memcpy, PIE) : Vulnerable


The third question: does "return address contains a NULL byte" mean secure or vulnerable?
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.




Thanks for your reply.

Re: Paxtest ASLR and randomization problem.

PostPosted: Sun May 14, 2017 2:08 pm
by ShenXianMountain
I also post my checksec result with grsec; it shows ASLR was enabled.

sh checksec -k
* Kernel protection information:
Kernel config:
/boot/config-4.1.6-1.el6.grsec.test.x86_64

Warning: The config on disk may not represent running kernel config!

Vanilla Kernel ASLR: Full
Protected symlinks: Disabled
Protected hardlinks: Disabled
Ipv4 reverse path filtering: Enabled
Ipv6 reverse path filtering: Disabled
Kernel heap randomization: Enabled
GCC stack protector support: Enabled
Restrict /dev/mem access: Enabled
Restrict /dev/kmem access: Enabled

* X86 only:
Address space layout randomization: Enabled

* SELinux: Disabled

SELinux infomation available here:
http://selinuxproject.org/

* grsecurity / PaX: Custom GRKERNSEC

Non-executable kernel pages: Disabled
Non-executable pages: Enabled
Paging Based Non-executable pages: Enabled
Restrict MPROTECT: Enabled
Address Space Layout Randomization: Enabled
Randomize Kernel Stack: Enabled
Randomize User Stack: Enabled
Randomize MMAP Stack: Enabled
Sanitize freed memory: Enabled
Sanitize Kernel Stack: Enabled
Prevent userspace pointer deref: Disabled
Prevent kobject refcount overflow: Enabled
Bounds check heap object copies: Enabled
JIT Hardening: Disabled
Thread Stack Random Gaps: Enabled
Disable writing to kmem/mem/port: Enabled
Disable privileged I/O: Enabled
Harden module auto-loading: Enabled
Chroot Protection: Disabled
Deter ptrace process snooping: Enabled
Larger Entropy Pools: Disabled
TCP/UDP Blackhole: Disabled
Deter Exploit Bruteforcing: Enabled
Hide kernel symbols: Enabled
Pax softmode: Disabled
Grsec sysctl options:
grsecurity.audit_chdir: Disabled
grsecurity.audit_gid: Enabled
grsecurity.audit_group: Enabled
grsecurity.audit_mount: Disabled
grsecurity.audit_ptrace: Disabled
grsecurity.chroot_caps: Disabled
grsecurity.chroot_deny_bad_rename: Disabled
grsecurity.chroot_deny_chmod: Disabled
grsecurity.chroot_deny_chroot: Disabled
grsecurity.chroot_deny_fchdir: Disabled
grsecurity.chroot_deny_mknod: Disabled
grsecurity.chroot_deny_mount: Disabled
grsecurity.chroot_deny_pivot: Disabled
grsecurity.chroot_deny_shmat: Disabled
grsecurity.chroot_deny_sysctl: Disabled
grsecurity.chroot_deny_unix: Disabled
grsecurity.chroot_enforce_chdir: Disabled
grsecurity.chroot_execlog: Disabled
grsecurity.chroot_findtask: Disabled
grsecurity.chroot_restrict_nice: Disabled
grsecurity.consistent_setxid: Enabled
grsecurity.deny_new_usb: Disabled
grsecurity.deter_bruteforce: Enabled
grsecurity.disable_priv_io: Disabled
grsecurity.dmesg: Enabled
grsecurity.enforce_symlinksifowner: Enabled
grsecurity.exec_logging: Disabled
grsecurity.fifo_restrictions: Enabled
grsecurity.forkfail_logging: Enabled
grsecurity.grsec_lock: Disabled
grsecurity.harden_ipc: Enabled
grsecurity.harden_ptrace: Enabled
grsecurity.ip_blackhole: Disabled
grsecurity.lastack_retries: Disabled
grsecurity.linking_restrictions: Enabled
grsecurity.ptrace_readexec: Enabled
grsecurity.resource_logging: Enabled
grsecurity.romount_protect: Disabled
grsecurity.rwxmap_logging: Enabled
grsecurity.signal_logging: Enabled
grsecurity.socket_all: Disabled
grsecurity.socket_all_gid: Disabled
grsecurity.socket_client: Disabled
grsecurity.socket_client_gid: Disabled
grsecurity.socket_server: Disabled
grsecurity.socket_server_gid: Disabled
grsecurity.symlinkown_gid: Enabled
grsecurity.timechange_logging: Enabled
grsecurity.harden_tty: Disabled
grsecurity.tpe: Enabled
grsecurity.tpe_gid: Enabled
grsecurity.tpe_invert: Disabled
grsecurity.tpe_restrict_all: Disabled


The CentOS kernel without grsec:
sh checksec -k
* Kernel protection information:

Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.

Kernel config:
/boot/config-2.6.32-696.1.1.el6.x86_64

Warning: The config on disk may not represent running kernel config!

Vanilla Kernel ASLR: Full
Protected symlinks: Disabled
Protected hardlinks: Disabled
Ipv4 reverse path filtering: Disabled
Ipv6 reverse path filtering: Disabled
Kernel heap randomization: Enabled
GCC stack protector support: Enabled
Enforce read-only kernel data: Enabled
Disabled
Restrict /dev/mem access: Enabled
Restrict /dev/kmem access: Enabled

* X86 only:
Address space layout randomization: Disabled

* SELinux: Disabled

SELinux infomation available here:
http://selinuxproject.org/

* grsecurity / PaX: No GRKERNSEC

The grsecurity / PaX patchset is available here:
http://grsecurity.net/

Re: Paxtest ASLR and randomization problem.

PostPosted: Sun May 14, 2017 2:22 pm
by spender
Those results are expected. ET_EXEC was only randomizable via the old/removed RANDEXEC feature as a holdover until PIE binaries became widespread. The "guessed" part has to do with the fact that the entropy counts are an estimate (generally could be a bit or so higher).

-Brad
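To see for yourself what the "No randomization" for ET_EXEC versus the "N quality bits (guessed)" for PIE means, here is an added example (not paxtest's own code, and not from anyone in this thread). It re-executes itself many times, reads back the address of one region per run, and estimates the randomized bits the way paxtest's randomization tests do in spirit: count the address bits that ever changed across runs. That estimate is "guessed" because a finite number of runs can only undercount. It assumes Linux (/proc/self/exe), a 64-bit build, and GCC/Clang builtins; the region names and the RUNS count are the example's own choices.

```c
/* Added example (not paxtest's own code).  Re-execs itself to estimate ASLR
 * "quality bits" per region, in the spirit of paxtest's randomization tests.
 * Assumes Linux (/proc/self/exe) and GCC/Clang builtins.  Build it twice:
 *   gcc -no-pie -o probe_exec probe.c && ./probe_exec   # text: No randomization
 *   gcc -fPIE -pie -o probe_pie probe.c && ./probe_pie  # text: randomized */
#define _GNU_SOURCE
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* XOR each sample against the first, OR the differences, count bits that ever
 * changed.  A bit that never flips in n runs is counted as fixed, so with
 * finite n this only ever undercounts: that is why paxtest says "(guessed)"
 * and why the real figure may be a bit or so higher.  0 = "No randomization". */
int estimate_random_bits(const uintptr_t *samples, size_t n)
{
    uintptr_t changed = 0;
    for (size_t i = 1; i < n; i++)
        changed |= samples[0] ^ samples[i];
    return __builtin_popcountll((unsigned long long)changed);
}

/* One observation of the requested region in this process image. */
static uintptr_t probe_address(const char *what)
{
    if (!strcmp(what, "text"))          /* main executable: ET_EXEC vs PIE */
        return (uintptr_t)&probe_address;
    if (!strcmp(what, "stack"))
        return (uintptr_t)__builtin_frame_address(0);
    if (!strcmp(what, "heap")) {
        void *p = malloc(64);
        uintptr_t a = (uintptr_t)p;
        free(p);
        return a;
    }
    if (!strcmp(what, "mmap")) {
        void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p != MAP_FAILED)
            munmap(p, 4096);
        return p == MAP_FAILED ? 0 : (uintptr_t)p;
    }
    return 0;
}

/* Fork+exec ourselves in --probe mode (every execve gets a fresh layout,
 * which is exactly what ASLR randomizes) and read the printed address back. */
static uintptr_t sample_once(const char *self, const char *what)
{
    int fd[2];
    char buf[32] = {0};
    unsigned long v = 0;
    if (pipe(fd) != 0)
        return 0;
    pid_t pid = fork();
    if (pid == 0) {
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        execl(self, self, "--probe", what, (char *)NULL);
        _exit(127);
    }
    close(fd[1]);
    ssize_t got = read(fd[0], buf, sizeof buf - 1);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (got > 0)
        sscanf(buf, "%lx", &v);
    return (uintptr_t)v;
}

int main(int argc, char **argv)
{
    if (argc == 3 && !strcmp(argv[1], "--probe")) {
        printf("%lx\n", (unsigned long)probe_address(argv[2]));
        return 0;
    }
    char self[PATH_MAX];
    ssize_t len = readlink("/proc/self/exe", self, sizeof self - 1);
    if (len < 0) { perror("readlink /proc/self/exe"); return 1; }
    self[len] = '\0';
    enum { RUNS = 100 };
    static const char *regions[] = { "text", "stack", "heap", "mmap" };
    uintptr_t samples[RUNS];
    for (size_t r = 0; r < sizeof regions / sizeof regions[0]; r++) {
        for (int i = 0; i < RUNS; i++)
            samples[i] = sample_once(self, regions[r]);
        int bits = estimate_random_bits(samples, RUNS);
        if (bits)
            printf("%-5s : %d quality bits (guessed)\n", regions[r], bits);
        else
            printf("%-5s : No randomization\n", regions[r]);
    }
    return 0;
}
```

Built with `-no-pie` the "text" line reports no randomization on any kernel, grsec or not, because a fixed-address ET_EXEC image has nowhere else to be loaded; only a PIE build (`-fPIE -pie`) gives the main executable a randomized base, which is the point of the reply above. The other regions are randomized either way on a kernel with ASLR on, and their estimated bit counts will be in the same ballpark as paxtest's, give or take the bit or so that finite sampling loses.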