Dailydave mailing list archives
Re: re: PaX PoC-exploit.
From: pageexec () freemail hu
Date: Wed, 05 May 2004 00:50:13 +0200
how's that different from e.g., RES_CRASH 1 1s?It's not, but that's a grsec feature, which is only available when using ACLs. Since there are some other projects that uses PaX I think it would be useful to integrate that functionality to the main PaX patch.
it's always been my policy to not interfere with such 'higher level' controls, different MAC/whatever systems (may want to) do it differently. for the same reason there's no info leak prevention in PaX directly. in any case the code is open, everyone can extend it ;-).
1. ability to create an (executable) file 2. ability to execute the above created (or arbitrary) executable file
[...]
True, but as I pointed out in my previous mail I could just as well have executed something else by either using a symlink or by using the offset to /bin/sh in glibc instead of the static string in the ELF-header. Thus, the conditions you listed above are _not_ necessary for this PoC. :)
did you miss the 'or arbitrary' part? ;-) obviously your ability to execute <interpreter du jour> counts as such (and a MAC system will control that ability).
ACLs would be able to prevent this, yes, unless the program that is exploited needs to be able to execute the program I want to execute under normal operations.
true but it has hardly anything to do with a weakness in PaX/grsec or any MAC system for that matter - if the app in question needs to do dangerous things then least privilege can do only so much... that's why a 0-day in sshd is worth so much more than in bind (again, modulo kernel bugs ;-).
if you meant the circumvention of a noexec mount, then it's not possible either, mainline linux kernels (already in 2.4 and 2.6 and soon in 2.2 as well) prevent it in the trivial case, and PaX prevents it for good (reminds me, someone should write a PoC for that and post it to lkml ;-).With "some of the systems" I was referring to simple measures like mounting noexec, glad to hear the mainline kernels takes care of this nowadays. :)
as i said, only for the trivial case (/lib/ld-linux.so.2 /mnt/nonexec/app), you can still construct a special ELF without executable PT_LOAD segments that would overlap the stack and do a ret2libc to mprotect then execute itself - that was the PoC i was referring to (and that's what won't work under PaX). _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://www.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- PaX PoC-exploit. Joel Eriksson (May 02)
- Re: PaX PoC-exploit. Evgeny Demidov (May 02)
- Re: PaX PoC-exploit. Joel Eriksson (May 02)
- <Possible follow-ups>
- re: PaX PoC-exploit. pageexec (May 02)
- Re: re: PaX PoC-exploit. Joel Eriksson (May 02)
- Re: re: PaX PoC-exploit. pageexec (May 03)
- Re: re: PaX PoC-exploit. Joel Eriksson (May 04)
- Message not available
- Re: re: PaX PoC-exploit. pageexec (May 04)
- Re: re: PaX PoC-exploit. Sinan Eren (May 06)
- Re: re: PaX PoC-exploit. Nahual (May 06)
- Re: re: PaX PoC-exploit. Nenad Stojanovski (May 06)
- Re: re: PaX PoC-exploit. Joel Eriksson (May 06)
- Re: re: PaX PoC-exploit. ned (May 06)
- Re: re: PaX PoC-exploit. Joel Eriksson (May 07)
- Re: re: PaX PoC-exploit. Joel Eriksson (May 02)
- Re: re: PaX PoC-exploit. Sinan Eren (May 07)
- Re: re: PaX PoC-exploit. Joel Eriksson (May 07)
- Re: PaX PoC-exploit. Evgeny Demidov (May 02)