[grsec] http://www.securityfocus.com/bid/27704/exploit
bodik
bodik at civ.zcu.cz
Mon Feb 11 09:05:14 EST 2008
Hi,
I've just one question. I've deployed PaX and a little from grsecurity
(no RSBAC features) on two different computers. Kernel configuration
differs only in:
--- config-2.6.19.2bgr3 2008-02-11 14:55:42.000000000 +0100
+++ config-2.6.19.2eryx-gr 2008-02-11 13:38:05.000000000 +0100
@@ -13,8 +13,8 @@
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
-# CONFIG_PAX_NO_ACL_FLAGS is not set
-CONFIG_PAX_HAVE_ACL_FLAGS=y
+CONFIG_PAX_NO_ACL_FLAGS=y
+# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
#
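Review bot: the only change in this hunk is the MAC-integration choice (CONFIG_PAX_HAVE_ACL_FLAGS=y on bgr3, CONFIG_PAX_NO_ACL_FLAGS=y on eryx-gr); CONFIG_PAX_EI_PAX=y and CONFIG_PAX_PT_PAX_FLAGS=y are unchanged context, so both kernels still take per-binary PaX flags from the ELF markings. The config cannot show whether the test binary is marked the same way on both hosts, so record that alongside this comparison.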
@@ -25,7 +25,7 @@
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
-# CONFIG_PAX_NOELFRELOCS is not set
+CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_KERNEXEC=y
#
@@ -58,7 +58,7 @@
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
-# CONFIG_GRKERNSEC_MODSTOP is not set
+CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_HIDESYM=y
#
@@ -72,8 +72,8 @@
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
-CONFIG_GRKERNSEC_PROC_USER=y
-CONFIG_GRKERNSEC_PROC_ADD=y
+# CONFIG_GRKERNSEC_PROC_USER is not set
+# CONFIG_GRKERNSEC_PROC_USERGROUP is not set
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
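Review bot: on the eryx-gr side CONFIG_GRKERNSEC_PROC=y stays set while CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP are both "is not set", and CONFIG_GRKERNSEC_PROC_ADD=y is dropped with no replacement line. Confirm which /proc restriction mode that kernel actually applies and note it with the comparison, since the two hosts do not expose /proc the same way.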
@@ -100,7 +100,7 @@
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
-# CONFIG_GRKERNSEC_AUDIT_IPC is not set
+CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
@@ -130,6 +130,6 @@
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
-CONFIG_GRKERNSEC_FLOODBURST=4
+CONFIG_GRKERNSEC_FLOODBURST=5
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set
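Review bot: CONFIG_GRKERNSEC_FLOODBURST differs (4 on bgr3, 5 on eryx-gr) with CONFIG_GRKERNSEC_FLOODTIME=10 on both, so the two kernels rate-limit grsecurity log messages differently. Keep that in mind when comparing how many messages each host logs for the same test; using the same value on both would remove the variable.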
1)
http://www.securityfocus.com/data/vulnerabilities/exploits/27704-2.c
on both computers the exploit ends with:
/proc/kallsyms: No such file or directory
that's cool, thanks boys, BUT:
2)
http://www.securityfocus.com/data/vulnerabilities/exploits/27704.c
A) config-2.6.19.2eryx-gr (linux terminal server)
segfaults due to PaX .. super, attack is stopped and reported,
computer continues working as normal.
B) config-2.6.19.2bgr3 (my workstation)
hangs exploit process, hangs computer and renders station
useless with many PaX and kernel messages on screen, and
many weird usb errors like. I have to reboot then ;( ...
Feb 11 14:48:13 bodik kernel: evbug.c: Event. Dev: usb-0000:00:1d.0-2/input0, Type: 1, Code: 28, Value: 1
both of them are Debian/stable:
gcc 4.1.1-15
libc6 2.3.6.ds1-13etch4
so there are only 2 changes in kernel configuration which can change
things I think:
CONFIG_PAX_*_ACL_FLAGS (none on eryx vs. direct on bgr2)
CONFIG_PAX_NOELFRELOCS (Y on eryx vs. NO on bgr2)
OK, I admit, I really don't know what "MAC system integration" really
means, and ELF relocations result in more chpaxed binaries, which I
don't like much.
I also tried to set CONFIG_PAX_NO_ACL_FLAGS=y and CONFIG_PAX_NOELFRELOCS=y
on bgr2, but it doesn't change anything, workstation is still hanging up
and server is still running ;( no matter what configuration I use ... ;(
Can anyone tell me why these two configurations behave as they do? Please.
bodik