Red Hat Bugzilla – Bug 996365
/proc/sys/kernel/exec-shield not found in Fedora 19 and does not stop a "Stack Smashing"
Last modified: 2013-09-06 13:20:23 EDT
Description of problem:
Exec-Shield is not found in Fedora 19; using sysctl -a | grep -i exec I can't see exec-shield. With SELinux enabled and a default installation of Fedora 19, it can't stop a stack smashing.
If I compile this code:
    int main(int ac, char **av)
And run it with more than 10 chars, I obtain a segfault.
Theoretically exec-shield, SELinux and the PAE kernel should stop it, but they do not.
Using a custom vanilla kernel + grsec I can stop this, and the execution stops with "killed", while in a Fedora 19 stock PAE kernel it does not.
The box has an NX-capable CPU with the pae instruction.
Version-Release number of selected component (if applicable):
Fedora 19 xfce up to date.
Steps to Reproduce:
1. Install Fedora 19 with the PAE kernel on a capable CPU
2. Compile the code mentioned and run it: ./foo xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
3. A segfault is generated and a possible shellcode insertion, while the PaX + grsecurity patch prevents it and kills the process.
Fedora 19 is vulnerable to exploits that use bad programming in any software.
Add support to Fedora for stopping Stack Smashing.
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 xsave lahf_lm ida dtherm tpr_shadow vnmi flexpriority
Fedora makes use of NX bit automatically when it is available.
$ dmesg | grep protection
Sep 2 13:56:48 hostname kernel: [ 0.000000] NX (Execute Disable) protection: active
Additionally, see https://bugzilla.redhat.com/show_bug.cgi?id=163735
On Fedora 19,
$ cat /proc/sys/kernel/randomize_va_space
(this is the "strongest" possible ASLR setting)
I think that this code is *not* exploitable on modern Fedora systems without *disabling* a lot of the protections we have enabled by *default*.
That being said, we are always working on enabling new hardening features.
Also, the exec-shield sysctl isn't present because we no longer carry the out-of-tree execshield patch. That patch isn't needed on systems that support NX.
Overwriting the stack, as your testcase does, generates a SEGFAULT as expected. If you want stack smashing protection, you should compile with -fstack-protector. Most code in Fedora is compiled with that.
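As an added example (not code from the bug report and not a Fedora tool), the following POSIX sh script turns the three checks made in the replies above into small functions: does the CPU advertise nx, did the kernel report NX active, what does the randomize_va_space value mean, and was a given binary built with -fstack-protector (detectable because protected functions reference __stack_chk_fail). It assumes GNU binutils nm and, for the optional build demo, gcc; the cpuinfo and dmesg samples are abridged from the output quoted in this bug, and the nm listings are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Fedora's tooling.
# Every checker takes its input as text, so it can be fed live output
# from /proc, dmesg or nm, or the constructed samples at the bottom.

# nx_flag_present CPUINFO_TEXT: succeeds if the "flags" line lists nx.
nx_flag_present() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | grep -qw 'nx'
}

# nx_active_in_dmesg DMESG_TEXT: succeeds if the kernel reported NX active.
nx_active_in_dmesg() {
    printf '%s\n' "$1" | grep -q 'NX (Execute Disable) protection: active'
}

# aslr_level VALUE: describe a /proc/sys/kernel/randomize_va_space value;
# fails on anything other than 0, 1 or 2.
aslr_level() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "partial: stack, mmap base and vdso randomized" ;;
        2) echo "full: also randomizes the brk (heap) base" ;;
        *) echo "unknown value: $1"; return 1 ;;
    esac
}

# stack_protector_in_symbols NM_TEXT: succeeds if an `nm -D -u` listing
# references __stack_chk_fail, the failure hook -fstack-protector inserts
# into every protected function. No reference means no function got a canary.
stack_protector_in_symbols() {
    printf '%s\n' "$1" | grep -q '__stack_chk_fail'
}

# check_binary PATH: report whether a dynamically linked ELF carries a
# stack protector, judged from its undefined dynamic symbols (GNU nm assumed).
check_binary() {
    if stack_protector_in_symbols "$(nm -D -u "$1" 2>/dev/null)"; then
        echo "$1: stack protector present (__stack_chk_fail referenced)"
    else
        echo "$1: no stack protector reference found"
    fi
}

# check_live_system: run the NX and ASLR checks against this host.
check_live_system() {
    if nx_flag_present "$(cat /proc/cpuinfo)"; then echo "CPU advertises nx"
    else echo "CPU does not advertise nx"; fi
    if nx_active_in_dmesg "$(dmesg 2>/dev/null)"; then echo "kernel reported NX active"
    else echo "no NX message in dmesg (reading it may need root)"; fi
    echo "ASLR: $(aslr_level "$(cat /proc/sys/kernel/randomize_va_space)")"
}

# demo_stack_protector: if gcc is present, build one harmless program with
# and without -fstack-protector and compare what check_binary reports.
demo_stack_protector() {
    command -v gcc >/dev/null 2>&1 || { echo "gcc not found, skipping build demo"; return 0; }
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/buf.c" <<'EOF'
#include <stdio.h>
/* The local char array is what makes gcc emit a canary for main(). */
int main(void) { char buf[32]; if (fgets(buf, sizeof buf, stdin)) fputs(buf, stdout); return 0; }
EOF
    gcc -fno-stack-protector -o "$tmp/buf_plain" "$tmp/buf.c" &&
        gcc -fstack-protector -o "$tmp/buf_ssp" "$tmp/buf.c" &&
        check_binary "$tmp/buf_plain" && check_binary "$tmp/buf_ssp"
    rm -rf "$tmp"
}

# Constructed samples: cpuinfo and dmesg lines abridged from this bug,
# nm listings invented to show both outcomes.
SAMPLE_CPUINFO='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush nx lm'
SAMPLE_CPUINFO_NO_NX='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush'
SAMPLE_DMESG='[    0.000000] NX (Execute Disable) protection: active'
SAMPLE_NM_PROTECTED='                 U __libc_start_main@GLIBC_2.34
                 U __stack_chk_fail@GLIBC_2.4
                 U fgets@GLIBC_2.2.5'
SAMPLE_NM_PLAIN='                 U __libc_start_main@GLIBC_2.34
                 U fgets@GLIBC_2.2.5'

if [ "${1:-}" = "--live" ]; then
    check_live_system
    demo_stack_protector
else
    nx_flag_present "$SAMPLE_CPUINFO" && echo "sample cpuinfo: nx present"
    nx_flag_present "$SAMPLE_CPUINFO_NO_NX" || echo "sample cpuinfo without nx: nx absent"
    nx_active_in_dmesg "$SAMPLE_DMESG" && echo "sample dmesg: NX active"
    echo "randomize_va_space=2 means: $(aslr_level 2)"
    stack_protector_in_symbols "$SAMPLE_NM_PROTECTED" && echo "sample nm (protected): canary present"
    stack_protector_in_symbols "$SAMPLE_NM_PLAIN" || echo "sample nm (plain): no canary"
fi
```

Run it without arguments to exercise the constructed samples, or with --live to read /proc/cpuinfo, dmesg and randomize_va_space on the current host and, if gcc is installed, to see the difference -fstack-protector makes in the binary's symbol table. Note that the symbol check only proves that some function was instrumented; a binary built with plain -fstack-protector instruments only functions with character arrays, which is why the demo's program deliberately declares one.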